NIST provides guidance on various information security controls in an extensive library of NIST SP 800-series, FIPS and NIST Interagency Report (IR) documents, and provides a guide for selecting documents organized by specific topics such as identity verification (e.g., FIPS 201-3 [27] and NIST SP 800-116 [28]) and cryptography (e.g., FIPS 198-1 [29] and NIST SP 800-133 Rev. 2 [30]) or by specific NIST control families such as access control (e.g., NIST SP 800-162 [31] and NIST SP 800-210 [32]) and contingency planning (e.g., NIST SP 800-34 Rev. 1 [33] and NIST SP 800-84 [34]). However, there is little in the way of specific guidance or tool support on how organizations can implement the NIST control framework.

In addition to those publications already addressed, related RMF publications include but are not necessarily limited to NIST SP 800-37 Rev. 2 [35] and NIST SP 800-70 Rev. 4 [36].

27 NIST (2022, Jan). Personal Identity Verification (PIV) of Federal Employees and Contractors (FIPS Pub 201-3). Gaithersburg, MD: Author.

28 Ferraiolo, H., Mehta, K., Ghadiali, N., Mohler, J., Johnson, V., and Brady, S. (2018, Jun). Guidelines for the Use of PIV Credentials in Facility Access (NIST SP 800-116 Rev. 1). Gaithersburg, MD: NIST.

29 NIST (2008, Jul). The Keyed-Hash Message Authentication Code (FIPS Pub 198-1). Gaithersburg, MD: Author.

30 Barker, E., Roginsky, A., and Davis, R. (2020, Jun). Recommendation for Cryptographic Key Generation (NIST SP 800-133 Rev. 2). Gaithersburg, MD: NIST.

31 Hu, V., Ferraiolo, D., Kuhn, R., Schnitzer, A., Sandlin, K., Miller, R., and Scarfone, K. (2014, Jan). Guide to Attribute Based Access Control (ABAC) Definition and Considerations (NIST SP 800-162). Gaithersburg, MD: NIST.

32 Hu, V., Iorga, M., Bao, W., Li, A., Li, Q., and Gouglidis, A. (2020, Jul). General Access Control Guidance for Cloud Systems (NIST SP 800-210). Gaithersburg, MD: NIST.

33 Swanson, M., Bowen, P., Phillips, A., Gallup, D., and Lynes, D. (2010, May). Contingency Planning Guide for Federal Information Systems (NIST SP 800-34 Rev. 1). Gaithersburg, MD: NIST.

34 Grance, T., Nolan, T., Burke, K., Dudley, R., White, G., and Good, T. (2006, Sep). Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities (NIST SP 800-84). Gaithersburg, MD: NIST.

35 JTF (2018, Dec). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37 Rev. 2). Gaithersburg, MD: NIST.

36 Quinn, S., Souppaya, M., Cook, M., and Scarfone, K. (2018, Feb). National Checklist Program for IT Products: Guidelines for Checklist Users and Developers (NIST SP 800-70 Rev. 4). Gaithersburg, MD: NIST.