Government continues to refine guidelines for creating more secure networks

NIST urges organizations to take a holistic approach to incorporating technology standards


Here’s something companies, especially small and midsize organizations, should take more advantage of: The federal government continues to hone guidelines on how to become more mature about security.

A recent example: the National Institute of Standards and Technology issued new guidance intended to help strengthen cybersecurity at banks, energy companies and other organizations critical to the nation’s infrastructure.

It came in the form of NIST’s update of Special Publication 800-160, which was first published in May 2014.

The second draft “takes things to a higher level,” says NIST Fellow Ron Ross. “We are bringing the cyber and physical worlds fully together.”

When announcing its latest draft, the agency explained that information technology “is deeply embedded in traditionally non-IT systems” such as automobiles, the electric grid and emergency response. But security is “largely incorporated as a last step” in many of these systems—“like a suit of armor over a vulnerable body.”

Integrate security early

The new draft will “help bake security into the very core,” by recommending ways “to incorporate time-tested security design principles and concepts” into the systems “at every step, from concept to implementation,” according to the NIST.

John Dickson, Denim Group principal and security expert

John Dickson, a principal at the Denim Group, a San Antonio-based software security consultant, says NIST cybersecurity guidance “will likely make things better over time.”

The guidance provides clarity in the marketplace that will assist organizations seeking “a gold standard” as a base for their security, Dickson says.

“NIST’s core security concepts will be embraced by other compliance or standards frameworks and result in one agreed-upon standard to reference, which is a good starting point,” he says.

Dickson says he sees an increasing number of adoptions of NIST standards among government agencies and organizations. “In my opinion,” he says, “a monolithic, singular NIST framework is a starting point, but not an end point.”

Other cybersecurity standards also have emerged that will help a broader number of businesses, particularly small and midsize ones.

“I like the White House framework laid out last year by the cybersecurity leaders within the executive branch,” Dickson says. “These voluntary standards are essentially a light version of the NIST standards and are much easier for small and medium-size businesses to use.”


NIST says its standards are “intended for anyone who designs, develops, builds, implements, organizes or sustains any type of system from smartphones to industrial and process control systems.”

Most favor having standards

A recent survey of more than 300 IT and security professionals in various industries revealed that only 29 percent of respondents said their organizations have adopted the NIST’s cybersecurity standards. However, 70 percent of respondents praised the standards as an industry best practice, according to the survey conducted by the Maryland-based cybersecurity company Tenable Network Security.

Ron Gula, Tenable Network Security CEO

Tenable Network Security CEO Ron Gula said organizations have been hesitant to adopt the standards because of a high investment requirement and lack of a regulatory mandate.

The updated NIST standards address public comments the federal agency has received since its initial cybersecurity guidance was released in 2014.

To adopt the updated standards, business owners must value their assets, the NIST says, and use “security design principles and systems engineering processes to develop appropriate security requirements, architecture and design.”

The objective, according to the agency, is to implement “a security capability that can adequately protect these assets and reduce a system’s susceptibility to adverse consequences from threats and other hazards—all in the context of an organization’s tolerance for risk.”

The security engineering considerations in NIST Special Publication 800-160, Ross says, give organizations “the capability to strengthen their systems against cyber attacks, limit the damage from those attacks if they occur and make their systems survivable.”

The NIST welcomes public comment about NIST Special Publication 800-160, titled Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. Comments can be sent to until July 1.
