Governance, Risk, and Compliance References
As I’m preparing for the CGRC certification, I’ve compiled a list of NIST Special Publications focused on Governance, Risk, and Compliance (GRC). The original raw list can be found on the ISC2 Common Body of Knowledge. This list is my laziness (maybe even efficiency) attempting to save time in searching for each publication while I’m on the go or need a quick link in a place I know I’ll have it, my own website. I’ll try to keep it up to date as new versions of the publications are released.
NIST FIPS-199
U.S. Department of Commerce, National Institute of Standards and Technology. (2004, February). Standards for Security Categorization of Federal Information and Information Systems. CSRC.
https://csrc.nist.gov/pubs/fips/199/final
NIST SP 800-30 Rev. 1
Joint Task Force Transformation Initiative. (2012, September). Guide for Conducting Risk Assessments. CSRC.
https://csrc.nist.gov/pubs/sp/800/30/r1/final
NIST SP 800-37 Rev. 2
Joint Task Force Transformation Initiative. (2018, December). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. CSRC.
https://csrc.nist.gov/pubs/sp/800/37/r2/final
NIST SP 800-39
Joint Task Force Transformation Initiative. (2011, March). Managing Information Security Risk: Organization, Mission, and Information System View. CSRC.
https://csrc.nist.gov/pubs/sp/800/39/final
NIST SP 800-53 Rev. 5
Joint Task Force Transformation Initiative. (2020, December). Security and Privacy Controls for Information Systems and Organizations. CSRC.
https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
NIST SP 800-53B
Joint Task Force Transformation Initiative. (2020, December). Control Baselines for Information Systems and Organizations. CSRC.
https://csrc.nist.gov/pubs/sp/800/53/b/upd1/final
NIST SP 800-60 Vol. 1, Rev. 1
Kevin Stine (NIST), Richard Kissel (NIST), William Barker (NIST), Jim Fahlsing (SAIC), Jessica Gulick (SAIC). (2008, August). Guide for Mapping Types of Information and Information Systems to Security Categories. CSRC.
https://csrc.nist.gov/pubs/sp/800/60/v1/r1/final
NIST SP 800-70 Rev. 4
Stephen Quinn (NIST), Murugiah Souppaya (NIST), Melanie Cook (NIST), Karen Scarfone (Scarfone Cybersecurity). (2018, February). National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. CSRC.
https://csrc.nist.gov/pubs/sp/800/70/r4/final
NIST SP 800-88 Rev. 1
Richard Kissel (NIST), Andrew Regenscheid (NIST), Matthew Scholl (NIST), Kevin Stine (NIST). (2014, December). Guidelines for Media Sanitization. CSRC.
https://csrc.nist.gov/pubs/sp/800/88/r1/final
NIST SP 800-115
Karen Scarfone (NIST), Murugiah Souppaya (NIST), Amanda Cody (BAH), Angela Orebaugh (BAH). (2008, September). Technical Guide to Information Security Testing and Assessment. CSRC.
https://csrc.nist.gov/pubs/sp/800/115/final
NIST SP 800-137
Kelley Dempsey (NIST), Nirali Chawla (PwC), L. Johnson (NIST), Ronald Johnston (DoD), Alicia Jones (BAH), Angela Orebaugh (BAH), Matthew Scholl (NIST), Kevin Stine (NIST). (2011, September). Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. CSRC.
https://csrc.nist.gov/pubs/sp/800/137/final
NIST SP 800-160 Vol. 1 Rev. 1
Ron Ross (NIST), Mark Winstead (MITRE), Michael McEvilley (MITRE). (2022, November). Engineering Trustworthy Secure Systems. CSRC.
https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final