0Tolerance can assist with the National Institute of Standards and Technology (NIST) cybersecurity services. We can assess your organization using the security framework that best fits your organization. If you’ve already adopted the NIST Cybersecurity Framework (CSF) or NIST Special Publications (SP) 800-171/800-53 or still need to adopt a framework, we can help.


We believe that the NIST Cybersecurity Framework is a fantastic framework to measure your organization’s information security capabilities and posture. Its application is best suited if your organization has yet to meet specific compliance mandates but wants to adopt an industry-accepted security framework. The NIST CSF is a roadmap to implement security best practices. The framework provides a structured and flexible approach to managing cybersecurity risk. It is based on industry standards and best practices from other frameworks and can be customized to fit your organization’s unique needs. NIST CSF focuses on five core functions: Identify, Protect, Detect, Respond, and Recover.

NIST SP 800-171 / 800-53

Other NIST options are the more rigorous NIST SP 800-171 or 800-53. 

The 800-171 helps civilian organizations meet government and military standards for information security programs. Many manufacturers and technology service providers adopt 800-171 if they do business with the federal government or are in the military’s supply chain. 800-171 is a set of security controls for non-federal information systems and organizations that handle Controlled Unclassified Information (CUI). It is designed to protect the confidentiality of CUI when it is stored or processed by non-federal organizations. It provides specific requirements for protecting sensitive information and is intended to be used by organizations that handle sensitive government information.

The 800-53 is similar in its intent but much more rigorous than the 800-171 and helps organizations protect confidential data, such as federal government information security networks.

Comparing And Choosing

To recap, 800-53 is very difficult to implement, 800-171 is moderate, and the CSF is the lightest of the three, but it is still beneficial for most organizations. These standards are similar in providing guidance and best practices for managing cybersecurity risk. However, they differ in their complexity and intended audience. NIST CSF is a general-purpose framework that organizations of all types can use, while 800-53 is primarily intended for federal organizations or highly secure organizations for protecting confidential data, and 800-171 is intended for civilian organizations that handle sensitive unclassified data. Let’s discuss which makes the most sense for your organization; please reach out today!

Assessment of your information security program against the NIST framework of your choosing.

Review policies, procedures, and security documentation
Interview staff and analyze your unique gaps and risks
Risk Register of findings along with an Executive Summary

On-call assistance with questions related to the NIST frameworks and special publications, and general information security questions.

How do we increase our security maturity?
What’s important now, this year, and for the next 3-5 years?
How can we not just be compliant, but be secure?

Compliance Does Not Equal Security, Make Security Business-As-Usual