Understanding NIST Compliance for Containers and the Cloud

If you help to manage or secure cloud environments, NIST may feel like an enemy, but it’s really a friend.

NIST provides (among other information) guidance intended to help organizations secure their IT assets. Although NIST compliance may seem like a burden to bear, it’s actually a resource that can help IT teams and developers to determine which best practices to follow when designing and managing cloud-native environments.

There are a number of NIST guidelines and recommendations out there, and mastering them all takes more than a little time. To help you get started, however, this article provides an overview of the most important NIST compliance recommendations regarding the cloud and containers, and it explains best practices to follow in order to achieve NIST compliance in cloud-native settings.

What Is NIST?

NIST is the National Institute of Standards and Technology, a U.S. federal agency tasked with developing standards and best practices for businesses to follow. NIST doesn’t focus on cybersecurity and compliance specifically, but one of its many domains includes securing IT systems.

What Is NIST Compliance?

NIST compliance means compliance with one or more of the NIST guidelines or recommendations.

NIST compliance is a complicated topic because NIST maintains a voluminous library of publications. For modern IT teams and developers, however, the most important NIST publications include the following groups:

• NIST SP 800, which provides guidelines for achieving computer security goals. Some NIST SP 800 publications focus on specific types of systems, including the cloud and containers, while others address computer security topics writ large.
• NIST SP 1800, which includes best practices for computer security. Like SP 800, some of the SP 1800 publications address specific types of systems, while others address security requirements in general. Currently, no SP 1800 publications address the cloud or containers in depth, although some focus on related topics that will interest teams who manage cloud or container environments.

Who Needs to Comply with NIST?

Unlike some other compliance frameworks developed by governments, such as the GDPR and HIPAA, the NIST guidelines are non-regulatory. That means that there is no specific legal requirement for businesses in general to comply with NIST, and NIST itself doesn’t penalize organizations for NIST non-compliance.

However, some organizations, such as various federal government agencies, may require their vendors or partners to comply with certain NIST recommendations. Thus, although there is no legal mandate to conform with NIST rules, some organizations must do so under the terms of business agreements that they make with government agencies or other organizations that use NIST guidelines to regulate how their partners and vendors manage IT security.

More generally, following NIST security guidance is a best practice even if your organization isn’t specifically required to do so. The NIST guidelines are designed to provide actionable, straightforward recommendations that organizations can take to mitigate cybersecurity risks. Following NIST compliance recommendations helps you establish the strongest cloud security posture and identify security risks that you may otherwise overlook.

Note, too, that compared to many other compliance frameworks, NIST’s recommendations tend to be relatively clear and detailed because NIST makes quite specific technical recommendations about what IT teams and developers should and should not do within specific types of environments. That’s a good thing, because it eliminates much of the ambiguity that technical teams face when interpreting compliance laws like HIPAA, which focuses on high-level requirements and offers very few specific technical recommendations.

NIST Compliance for Containers and the Cloud

Now that you know how NIST compliance in general works, let’s examine the most important NIST recommendations for cloud and container security. We’ll break them down according to specific NIST publications.

NIST SP 800-53 Compliance

SP 800-53 is one of NIST’s broadest set of recommendations that organizations should take for securing IT environments of all types. It defines dozens of security controls that organizations can implement to mitigate the risk of unauthorized access to sensitive cloud resources and to streamline the remediation of breaches if they do occur.

For example, it recommends storing at least one copy of backup data in an offsite location to enable reliable recovery if the primary site is breached. It also recommends practices such as least-privilege access control.

The most recent version of NIST SP 800-53, known as SP-800-53 Revision 5, was introduced in September of 2020. It added a number of new recommendations, including most notably those related to supply chain security, meaning the management of IT security risks that originate in vendor, partner, or supplier systems. Revision 5 also offers updated recommendations related to cyber resilience, governance, and accountability based on NIST’s analysis of modern security threats. Learn more about how to meet NIST 800-53 guidelines for cloud and containers.

NIST SP 800-210 Compliance

SP 800-210, which was released in 2020, provides access control guidance tailored to cloud environments specifically. It addresses each layer of standard cloud environments: networking, hypervisors, virtual machines, APIs, and IaaS. It also addresses topics like access control for SaaS applications.

SP 800-210 doesn’t focus as much on topics like hybrid or multicloud security, which is a limitation given that most organizations today have adopted one (or both) of these architectures. Nonetheless, if you’re seeking cloud-specific NIST compliance guidance, SP 800-210 is a must-read.

NIST SP 800-190 Compliance

Introduced in 2017, SP 800-190 provides guidance for securing containerized applications and the environments they run in.

SP 800-190 breaks down container security risks based primarily on the architecture of container environments: it addresses risks related to host infrastructure, orchestrators, runtime environments, and individual containers. It also considers how hardware-based security controls can address security risks.

Given that SP 800-190 is now four years old (and was introduced just before it became clear that Kubernetes would become the predominant container orchestration tool), it doesn’t address Kubernetes-specific security risks as extensively as today’s IT engineers or developers might wish. For Kubernetes-specific guidance, you’ll need to look beyond NIST. Nonetheless, it remains a very useful baseline for ensuring compliance with standard container security best practices.

Conclusion

Again, there are hundreds of other NIST publications that deal with cybersecurity. Depending on which types of workloads you run in the cloud or via containers, you may want to consult additional NIST guidance devoted to topics like mobile computing or IoT.

Of course, you’ll also want to make sure to complement NIST’s guidelines with the latest security guidelines and best practices. One drawback of NIST’s approach to issuing guidance is that its publications are not updated continuously, which means that they don’t always address emerging types of threats. Nor do they focus extensively on technologies (like Kubernetes) that were not as widespread when the guidance was created.

Nonetheless, NIST remains a critical resource for determining which specific best practices to follow when securing modern, cloud-native environments. Even if you are not contractually obligated to comply with NIST guidelines, it’s a very wise idea to self-comply.