Back to blog home

NIST Compliance and Video Security – What You Need to Know

February 11, 2022

NIST compliance represents a high standard of cybersecurity and data privacy in the United States. For federal agencies and any organization that works with or is contracted by the federal government, NIST compliance is required.

Organizations that require NIST compliance may wonder how video surveillance fits into their security strategy. In this blog, we’ll look at NIST, how it pertains to video security cameras, and how you can use video surveillance to strengthen overall security compliance throughout your entire organization.

For more information on video security and cybersecurity, read The Ultimate Guide to Cybersecurity for Cloud Video Surveillance & IP Security Cameras.

What is NIST?

NIST is short for the National Institute of Standards and Technology. The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce.

NIST is a non-regulatory government agency that develops technology, metrics, and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry.

As the governing body that controls guidelines that pertain to technology, NIST outlines the best practices on how data should be protected. This NIST guidance provides a set of standards for recommended security controls on information systems at federal agencies. These standards are endorsed by the government, and all organizations that work with the federal government are required to follow the NIST requirements to be considered for government contracts.

How can an organization achieve NIST compliance?

For an organization to be NIST compliant, it must follow NIST guidelines and maintain compliance with those established guidelines both now and in the future. This means making appropriate changes as an organization evolves or when new information arises in the cybersecurity landscape.

NIST is known for the NIST Cybersecurity Framework (CSF), which is a set of guidelines and best practices designed to help organizations improve their cybersecurity strategies. This standard was launched in 2014 and is widely adopted.

CSF aims to standardize cybersecurity practices so organizations can use a standard when implementing protection against data breaches and other forms of cyberattacks. These standards include best practices, documentation, and publications, and together are designed as a framework for federal agencies and programs adhering to stringent security measures.

Is NIST compliance mandatory?

NIST compliance is legally required for federal agencies and any organization that works with a federal agency.

Though organizations in the private sector are not required to follow NIST guidelines, NIST is considered the industry standard. It's highly recommended that all private organizations follow NIST guidelines and reach compliance.

Reaching NIST compliance helps organizations:

  • Defend against cyberattacks
  • Prevent data breaches caused by human error
  • Promote a culture of responsible data handling
  • Help meet mandatory regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act (FISMA).

NIST Cybersecurity Framework

The NIST Cybersecurity Framework outlines the security measures organizations need to put in place to protect their digital assets from unauthorized access. To make sure assets are adequately protected from cybersecurity attacks, this framework makes use of the same procedure every time.

It is made up of these five functions:

  1. Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  2. Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  3. Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  4. Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  5. Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

You can learn more about the NIST Cybersecurity Framework from the official NIST website. It provides a great starting point you can use to develop robust security policies.

In addition to NIST frameworks, there are important standards to get familiar with, such as NIST 800-171.

NIST 800-171 Compliance

NIST 800-171 provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI) for non-federal organizations that handle CUI on their network.

Any organization that processes sensitive unclassified information on behalf of the US government is required to be compliant with NIST 800-171. Compliance with 800-171 is a contractual obligation for contractors managing CUI on their networks and these organizations are expected to conduct self-assessments to determine compliance.

Implementing NIST 800-171

NIST 800-171 is made up of 14 different points covering an organization’s IT technology, policy, and practices. These points cover different requirement aspects such as access control, systems configuration, authentication procedures, cybersecurity procedures, and incident response plans.

14 points of NIST 800-171 requirements:

  1. Access Control: Creating and retaining system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
  2. Awareness and Training: Ensuring system administrators and users are aware of security risks and related cybersecurity procedures, and that employees are trained to carry out security-related roles.
  3. Audit and Training: These requirements deal with the recording and storage of reliable audit records to allow for best practice analysis and reporting. Regular review of system security logs can help uncover and mitigate cybersecurity incidents.
  4. Configuration Management: Establishing and maintaining baseline configurations and inventories of organizational systems throughout different system development life cycles. This also focuses on preventing unauthorized software installation and the restriction of nonessential programs.
  5. Identification and Authentication: This set of requirements ensures only authenticated users can access the organization’s network. To keep a highly secured network, there should always be a verification of the user's identity, devices, and processes as a condition for granting access to organizational systems.
  6. Incident Response: Establishing requirements that deal with active incident handling capabilities for organizational systems. These requirements ensure procedures are in place to detect, contain, and recover a range of incidents within the organization. Measures put in place must track and report incidents to assigned officials both within and outside the organization.
  7. Maintenance: These requirements give insight into best practice systems and network maintenance procedures. This would include the performance of regular system maintenance and making sure any external maintenance is secure and authorized.
  8. Media Protection: Establishing requirements that can cover best practice or destruction of sensitive information and media in both physical and digital formats.
  9. Personnel Security: For every individual that’s allowed to access the systems containing CUI, there must be adequate background checks about them to ascertain their integrity. Systems housing CUI should go through organizational checks for security before and after access by individuals.
  10. Physical Protection: Establishing requirements to give physical access to CUI within the organization, including the control of visitor access to work sites. Hardware, devices, and equipment are also required to be limited to authorized personnel.
  11. Risk Assessment: Putting requirements in place to help cover the performance and analysis of risk assessments. Organizations are required to regularly scan systems for vulnerabilities, keeping network devices and software updated and secure. Identified vulnerabilities must be immediately rectified according to risk assessment guidelines.
  12. Security Assessment: Demonstrate requirements covering but not limited to the development, monitoring, and renewal of system controls, and security plans. The review of procedures and processes across an organization helps ensure the protection of CUI.
  13. Systems and Communications Protection: Establishing requirements that help with the prevention of unauthorized information transfer and denial by default of network communication traffic. Information transmitted must be monitored, controlled, and protected at external and key internal boundaries.
  14. System and Information: Includes requirements that deal with ongoing system monitoring and ongoing protection of systems within an organization. This also includes the processes of identifying unauthorized use of systems and monitoring system security alerts.

NIST Compliance and Video Security

NIST compliance can be complicated, and Rhombus often addresses questions from customers about video surveillance, security cameras, and NIST regulations.

Surveillance cameras are a helpful tool that many government and legal organizations use to secure their facilities and protect sensitive data. By following several best practices, it’s easy to use security cameras in a NIST-compliant way to increase your organization’s safety and visibility.

Rhombus has worked with numerous organizations that use cloud security cameras as part of their compliance strategy. We hope to aid anyone considering the use of security cameras in their organization to maintain robust cybersecurity protocols, including NIST compliance.

Feel free to request a personalized demo or reach out to one of our experts if you have any questions on how to best roll out video security within your organization.

Related Articles