Innovation in the virtual world keeps pushing technology forward.

But do we know whether we are headed in the right direction? Are we following agreed rules and standards? Is the competition we are in healthy and ethical?

For hands-on security work, we need a yardstick against which those questions can be answered. In the United States that yardstick is largely set by the National Institute of Standards and Technology (NIST): without an agreed scale, we cannot tell whether we are moving in the right direction at all. In this article we look at what NIST is, how it approaches information security, and which of the standards it publishes are relevant to Vulnerability Assessment and Penetration Testing (VAPT).


NIST stands for the National Institute of Standards and Technology. It is a non-regulatory agency of the U.S. federal government, founded in 1901 and today part of the U.S. Department of Commerce. It develops the measurements, technology, and standards that drive innovation and economic competitiveness in science and industry. In the information-security space it publishes standards and guidelines, most notably the Special Publication (SP) 800 series, that help organizations build and run their security programs. The U.S. government endorses these publications, and many organizations outside government adopt them as well, because they distil best practice from a wide range of security research, publications, and industry input.


NIST has published several standards relevant to Vulnerability Assessment and Penetration Testing. The ones that matter most for this discussion are listed below.

  1. NIST SP 800-30

This publication, Guide for Conducting Risk Assessments, gives guidance on assessing risk to information systems and organizations. Identifying vulnerabilities is one of the early steps of a risk assessment, so vulnerability assessment feeds directly into it. The assessment's output tells management which risks have been identified and informs the response the organization should choose for each of them.

  2. NIST SP 800-37

This publication describes the Risk Management Framework (RMF) and explains how to apply it to systems and organizations. The RMF is a structured yet flexible process for managing security and privacy risk; it covers categorizing the system, selecting and implementing controls, assessing them, authorizing the system to operate, and continuously monitoring it afterwards.

  3. NIST SP 800-40

This publication covers enterprise patch management: the process of identifying, assessing, acquiring, installing, and verifying patches for systems and products. It is designed to help organizations understand the fundamentals of patch management, explains why patching matters, and discusses the problems commonly encountered while doing it.

  4. NIST SP 800-42

This publication gave technical managers, IT staff, and program managers guidance on how and when to perform network security tests and on implementing the related policies. It helps prioritize testing when resources are limited, work out the organization's network-testing requirements, and avoid duplicated effort. SP 800-42 has been withdrawn and is superseded by SP 800-115.

  5. NIST SP 800-53

This publication is a catalog of security and privacy controls for information systems. It applies to federal information systems other than national security systems, which fall under a separate regime. It contains many control families, but the parts that concern us here are the controls for vulnerability monitoring and scanning (RA-5) and penetration testing (CA-8), together with the system monitoring (SI-4) and incident response (IR family) requirements that detect and handle the kinds of weaknesses those tests are meant to surface.

  6. NIST SP 800-115

This publication, Technical Guide to Information Security Testing and Assessment, gives an overview of the key elements of technical security testing. It helps organizations plan and conduct technical security tests, analyze the findings, and develop mitigation strategies. The tests it describes can serve several purposes, from finding vulnerabilities to verifying compliance with policy.

  7. NIST SP 800-123

This publication, Guide to General Server Security, helps organizations understand the fundamental activities involved in securing a server that provides network services, such as testing the server for vulnerabilities and maintaining its security over time. It discusses why servers need to be secured and gives recommendations on selecting and managing the relevant security controls.

  8. NIST SP 800-163

This publication, Vetting the Security of Mobile Applications, gives guidelines for vetting third-party mobile apps. Vetting is necessary to check whether an app is secure and reliable before it is deployed, so that the organization can decide whether the app is fit for the environment it is intended to be used in.


These are the main NIST standards related to Vulnerability Assessment and Penetration Testing. NIST provides such well-founded standards so that we have a baseline and a direction to follow, and can stay safe and secure in a world where almost anything online can be hacked. NIST publishes standards for other areas of security as well, but the ones discussed here are the ones we need most right now. This concludes our discussion of the different standards.

Adhyatma Jain
Cyber Security Enthusiast
I am a dedicated, diligent, never-leave-the-game-until-the-last-ball person, currently in my pre-final year pursuing a B.Tech in Computer Science with a specialization in Cyber Security and Forensics at UPES.