There is quite a bit of NIST security noise that should not be dismissed. Whether you are a federal agency or not, NIST has significant meaning for you.
The National Institute of Standards and Technology (NIST) is a laboratory and non-regulatory federal agency that offers guidance to promote innovation and industrial competitiveness.
When it comes to cyber security, NIST has already offered specific guidelines and frameworks. Here are some examples:
- NIST SP 800-53 for Security Controls – A mandate for all federal agencies that’s becoming a popular standard in non-federal organizations.
- NIST SP 800-171 for Security Controls – Based on 800-53, for non-federal entities that handle sensitive Controlled Unclassified Information (CUI).
- NIST Cyber Security Framework – A voluntary, risk-based cyber security guideline. The recent executive order has mandated agencies to use the framework and offer a risk assessment within 90 days of the order’s signing on May 11, 2017. It offers a common language to work across departments and industries. The framework was recently updated in January 2017 with new details on managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cyber security. Core to the framework is its five key functions set forth below.
Federal NIST Mandates Continue with a New Sheriff
The increased focus on NIST comes from a variety of angles.
In March, the House Science Committee passed the NIST Cybersecurity Framework, Assessment and Auditing Act, which includes a section that expands NIST’s role from offering guidance to auditing agency compliance. This means NIST would no longer be a purely “non-regulating” agency.
Normally, this role would fall to the Department of Homeland Security (DHS), but there has been some disagreement as to whether DHS has been able to conduct these audits. No matter who conducts the audit, the underlying goal is to minimize the risk of cyber attacks on the federal government.
This act assigns audit responsibilities to an agency that prides itself on setting primarily advisory standards. Agencies are still required to report back by this summer on their FISMA/NIST progress. This spring, a new Executive Order shifted cyber security accountability to the agency heads. The pressure to comply with NIST continues, and it extends beyond federal agencies.
NIST Mandate: Organizations Doing Business with the Federal Government
Another recent high-profile NIST item is the pending December 2017 NIST SP 800-171 deadline for non-federal entities that handle or process CUI from the federal government. This is a call to action for organizations doing business with the government, including system integrators managing federal systems (that are not already covered by FISMA certification), colleges and universities processing federal funding information, healthcare organizations managing federal Medicare, groups doing federally funded research, and many others.
NIST’s Cyber Security Framework is a very prominent security framework, and research shows that many non-federal markets are adopting it. Gartner predicts that by 2020, 50 percent of organizations will be using this framework. This aligns with other research, such as HIMSS findings that 47 percent of healthcare organizations are using it now.
Using the NIST framework facilitates a risk-based approach to cyber security management. It can reduce the possibility of miscommunication between staff and other organizations that integrate with your cyber environment. It also heightens awareness of cyber threats and accelerates the effort to create an information security program.
If you are among the 50 percent of organizations that have not yet aligned with NIST’s security framework, reconsider and join the NIST journey. Tripwire offers many resources on NIST guidelines and frameworks to help you get started.