Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cybersecurity Framework

Protect

These mappings are intended to demonstrate the relationship between existing NIST publications and the Cybersecurity Framework. These preliminary mappings are intended to evolve and progress over time as new publications are created and existing publications are updated. Initially, each publication has been mapped only once to the category considered most applicable. Certain NIST publications that have broad applicability across multiple categories of a function have been included within the General Mappings section.

General Mappings

This table provides publications that have broad applicability across multiple categories of a function.

PROTECT (PR)

800-64 Rev. 2	Security Considerations in the System Development Life Cycle
800-160	Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

NIST Cybersecurity Publication by Category

This table consists of NIST Publications that have been mapped only once to an individual Category.

PROTECT (PR)

Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

800-63-3	Digital Identity Guidelines
800-63A	Digital Identity Guidelines: Enrollment and Identity Proofing
800-63B	Digital Identity Guidelines: Authentication and Lifecycle Management
800-63C	Digital Identity Guidelines: Federation and Assertions
800-46 Rev. 2	Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
800-189	Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation
800-157	Guidelines for Derived Personal Identity Verification (PIV) Credentials
800-162	Guide to Attribute Based Access Control (ABAC) Definition and Considerations
800-81-2	Secure Domain Name System (DNS) Deployment Guide
800-116 Rev. 1	A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)
800-76-2	Biometric Specifications for Personal Identity Verification
800-79-2	Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)
800-166	Derived PIV Application and Data Model Test Guidelines
800-156	Representation of PIV Chain-of-Trust for Import and Export
800-96	PIV Card to Reader Interoperability Guidelines
800-73-4	Interfaces for Personal Identity Verification
800-178	A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC)
800-120	Recommendation for EAP Methods Used in Wireless Network Access Authentication
800-192	Verification and Test Methods for Access Control Policies/Models
800-98	Guidelines for Securing Radio Frequency Identification (RFID) Systems
1800-12	Derived Personal Identity Verification (PIV) Credentials
1800-9	Access Rights Management for the Financial Services Sector
1800-3	Attribute Based Access Control (2nd Draft)
1800-2	Identity and Access Management for Electric Utilities

Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

800-84	Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
800-181 Rev. 1	National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework
800-50	Building an Information Technology Security Awareness and Training Program
800-16 Rev. 1	A Role-Based Model for Federal Information Technology/Cybersecurity Training
800-114 Rev. 1	User's Guide to Telework and Bring Your Own Device (BYOD) Security

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

800-133 Rev. 2	Recommendation for Cryptographic Key Generation
800-111	Guide to Storage Encryption Technologies for End User Devices
800-175A	Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies
800-175B	Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
800-89	Recommendation for Obtaining Assurances for Digital Signature Applications
800-78-4	Cryptographic Algorithms and Key Sizes for Personal Identity Verification
800-171 Rev. 1	Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
800-121 Rev. 2	Guide to Bluetooth Security
800-113	Guide to SSL VPNs
800-127	Guide to Securing WiMAX Wireless Communications
800-187	Guide to LTE Security
800-123	Guide to General Server Security
800-41 Rev. 1	Guidelines on Firewalls and Firewall Policy
800-67 Rev. 2	Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
800-56A Rev. 3	Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography
800-38A	Recommendation for Block Cipher Modes of Operation: Methods and Techniques
800-38A Addendum	Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode
800-38B	Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication
800-38C	Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
800-38D	Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
800-38E	Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices
800-38F	Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
800-124 Rev. 1	Guidelines for Managing the Security of Mobile Devices in the Enterprise
800-38G	Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
800-90A Rev. 1	Recommendation for Random Number Generation Using Deterministic Random Bit Generators
800-90B	Recommendation for the Entropy Sources Used for Random Bit Generation
800-90C	Recommendation for Random Bit Generator (RBG) Constructions
800-132	Recommendation for Password-Based Key Derivation: Part 1: Storage Applications
800-153	Guidelines for Securing Wireless Local Area Networks (WLANs)
800-77	Guide to IPsec VPNs
800-177 Rev. 1	Trustworthy Email (2nd Draft)
800-17	Modes of Operation Validation System (MOVS): Requirements and Procedures
800-20	Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures
800-108	Recommendation for Key Derivation Using Pseudorandom Functions (Revised)
800-57 Part 1 Rev. 4	Recommendation for Key Management, Part 1: General
800-57 Part 2	Recommendation for Key Management, Part 2: Best Practices for Key Management Organization
800-57 Part 3 Rev. 1	Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance
800-107 Rev. 1	Recommendation for Applications Using Approved Hash Algorithms
800-56B Rev. 1	Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography
800-56C Rev. 1	Recommendation for Key Derivation through Extraction-then-Expansion
800-147	BIOS Protection Guidelines
800-147B	BIOS Protection Guidelines for Servers
800-155	BIOS Integrity Measurement Guidelines
800-32	Introduction to Public Key Technology and the Federal PKI Infrastructure
800-25	Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
800-130	A Framework for Designing Cryptographic Key Management Systems
500-304	Conformance Testing Methodology Framework for ANSI/NIST-ITL 1-2011 Update: 2013, Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information
800-102	Recommendation for Digital Signature Timeliness
800-185	SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash
800-49	Federal S/MIME V3 Client Profile
800-85A-4	PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance)
800-85B-4	PIV Data Model Test Guidelines
800-106	Randomized Hashing for Digital Signatures
800-131A Rev. 1	Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
800-52 Rev. 2	Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
800-122	Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
800-22 Rev. 1a	A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
800-95	Guide to Secure Web Services
800-44 Ver. 2	Guidelines on Securing Public Web Servers
800-125	Guide to Security for Full Virtualization Technologies
800-125A	Security Recommendations for Hypervisor Deployment (2nd Draft)
800-125B	Secure Virtual Network Configuration for Virtual Machine (VM) Protection
800-190	Application Container Security Guide
800-29	A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
800-135 Rev. 1	Recommendation for Existing Application-Specific Key Derivation Functions
800-119	Guidelines for the Secure Deployment of IPv6
800-15	MISPC Minimum Interoperability Specification for PKI Components, Version 1
1800-11	Data Integrity: Recovering from Ransomware and Other Destructive Events
1800-6	Domain Name Systems-Based Electronic Mail Security
1800-4	Mobile Device Security: Cloud and Hybrid Builds
1800-1	Securing Electronic Health Records on Mobile Devices

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

800-128	Guide for Security-Focused Configuration Management of Information Systems
800-160	Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
800-164	Guidelines on Hardware-Rooted Security in Mobile Devices
800-64 Rev. 2	Security Considerations in the System Development Life Cycle
800-193	Platform Firmware Resiliency Guidelines
800-188	De-Identifying Government Datasets (2nd Draft)
800-126 Rev. 3	The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3
800-126A	SCAP 1.3 Component Specification Version Updates: An Annex to NIST Special Publication 800-126 Revision 3
800-117 Rev. 1	Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2
800-51 Rev. 1	Guide to Using Vulnerability Naming Schemes
800-70 Rev. 4	National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
800-43	Systems Administration Guidance for Securing Windows 2000 Professional System
800-144	Guidelines on Security and Privacy in Public Cloud Computing
800-179	Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist
800-69	Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist
800-68 Rev. 1	Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
800-47	Security Guide for Interconnecting Information Technology Systems
800-88 Rev. 1	Guidelines for Media Sanitization
1800-8	Securing Wireless Infusion Pumps in Healthcare Delivery Organizations

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

800-13	Telecommunications Security Guidelines for Telecommunications Management Network
800-58	Security Considerations for Voice Over IP Systems
800-97	Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
800-48 Rev. 1	Guide to Securing Legacy IEEE 802.11 Wireless Networks
800-167	Guide to Application Whitelisting
800-45 Ver. 2	Guidelines on Electronic Mail Security

Information technology and Cybersecurity

Created February 1, 2018, Updated May 4, 2021