Publications in NIST’s Special Publication (SP) 800 series present information of interest to the computer security community. The series comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities.
SP 800 publications are developed to address and support the security and privacy needs of U.S. Federal Government information and information systems. NIST develops SP 800-series publications in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283.
Created in 1990, the series reports on the Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.
Federal Government statutes (e.g., FISMA 2014), regulations, and policies (e.g., Office of Management and Budget [OMB] Circular A-130) may specify whether federal agencies are required, or encouraged, to comply with NIST’s SP 800-series publications.
NIST’s SP 800 series publications shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems.
Regardless of whether they are mandatory for federal agencies, an individual SP 800 publication may use document conventions to state any requirements, recommended options, or permissible actions within the publication (e.g., shall, should, may). For example, an SP 800 publication that uses “shall” statements indicates what is necessary to correctly implement its requirements. Such statements do not reflect whether that publication is required to be implemented by a federal statute, regulation, or policy. Look in the document’s introductory text for any such relevant statement about document terminology.
Entities outside of the U.S. Federal Government may voluntarily adopt NIST’s SP 800-series publications, unless they are contractually obligated to do so (e.g., see SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations). Such use may fall outside the purview of U.S. Government statutes, regulations and policies. However, other non-federal entities with oversight responsibilities may choose to require their implementation and use for specific user communities.
NIST SP 800 publications are not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
In general, the use of an essential patent claim (one whose use would be required for compliance with the guidance or requirements of a NIST SP 800 publication) may be considered if technical reasons justify this approach. In such cases, a patent holder would have to agree to either a Royalty-Free (RF) or Royalty-Bearing (RB) license on terms which are Reasonable and Non-Discriminatory (RAND).
Any mention of commercial products within NIST SP 800 publications is for informational purposes only; it does not imply recommendation or endorsement by NIST.
The NIST’s SP 800-series publications should not be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.