Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Guide to Information Technology Security Services



Timothy Grance, Joan Hash, Marc Stevens, Kristofor O'Neal, Nadya Bartol


Organizations frequently must evaluate and select a variety of information technology (IT) security services in order to maintain and improve their overall IT security program and enterprise architecture. IT security services, which range from security policy development to intrusion detection support, may be offered by an IT group internal to an organization, or by a growing group of vendors. It is difficult and challenging to determine service provider capabilities, measure service reliability and navigate the many complexities involved in security service agreements.This guide provides assistance with the selection, implementation, and management of IT security services by guiding organizations through the various phases of the IT security services life cycle. This life cycle provides a framework that enables the IT security decision makers to organize their IT security effortsfrom initiation to closeout. The factors to be considered when selecting, implementing, and managing IT security services include: the type of service arrangement; service provider qualifications, operational requirements and capabilities, experience, and viability; trustworthiness of service provider employees; and the service provider's capability to deliver adequate protection for the organization systems, applications, and information.
Special Publication (NIST SP) - 800-35
Report Number


computer security, information security, life cycle, outsourcing business case, security service, service level agreement, service provider, total cost of ownersip


Grance, T. , Hash, J. , Stevens, M. , O'Neal, K. and Bartol, N. (2003), Guide to Information Technology Security Services, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed April 13, 2024)
Created October 9, 2003, Updated February 19, 2017