Government continues to refine guidelines for creating more secure networks
NIST urges organizations to take a holistic approach to incorporating technology standards
By Gary Stoller, ThirdCertainty
Here’s something companies, especially small and midsize organizations, should take more advantage of: The federal government continues to hone guidelines on how to become more mature about security.
A recent example: the National Institute of Standards and Technology issued new guidance intended to help strengthen cybersecurity at banks, energy companies and other organizations critical to the nation’s infrastructure.
It came in the form of NIST’s update of Special Publication 800-160, which was first published in May 2014.
The second draft “takes things to a higher level,” says NIST Fellow Ron Ross. “We are bringing the cyber and physical worlds fully together.”
When announcing its latest draft, the agency explained that information technology “is deeply embedded in traditionally non-IT systems” such as automobiles, the electric grid and emergency response. But security is “largely incorporated as a last step” in many of these systems—“like a suit of armor over a vulnerable body.”
Integrate security early
The new draft will “help bake security into the very core,” by recommending ways “to incorporate time-tested security design principles and concepts” into the systems “at every step, from concept to implementation,” according to the NIST.
John Dickson, a principal at the Denim Group, a San Antonio-based software security consultancy, says NIST cybersecurity guidance “will likely make things better over time.”
The guidance provides clarity in the marketplace that will assist organizations seeking “a gold standard” as a base for their security, Dickson says.
“NIST’s core security concepts will be embraced by other compliance or standards frameworks and result in one agreed-upon standard to reference, which is a good starting point,” he says.
Dickson says he sees increasing adoption of NIST standards among government agencies and organizations. “In my opinion,” he says, “a monolithic, singular NIST framework is a starting point, but not an end point.”
Other cybersecurity standards also have emerged that will help a broader number of businesses, particularly small and midsize ones.
“I like the White House framework laid out last year by the cybersecurity leaders within the executive branch,” Dickson says. “These voluntary standards are essentially a light version of the NIST standards and are much easier for small and medium-size businesses to use.”
NIST says its standards are “intended for anyone who designs, develops, builds, implements, organizes or sustains any type of system from smartphones to industrial and process control systems.”
Most favor having standards
A recent survey of more than 300 IT and security professionals in various industries revealed that only 29 percent of respondents said their organizations have adopted the NIST’s cybersecurity standards. However, 70 percent of respondents praised the standards as an industry best practice, according to the survey conducted by the Maryland-based cybersecurity company Tenable Network Security.
Tenable Network Security CEO Ron Gula said organizations have been hesitant to adopt the standards because of a high investment requirement and lack of a regulatory mandate.
The updated NIST standards address public comments the federal agency has received since its initial cybersecurity guidance was released in 2014.
To adopt the updated standards, business owners must value their assets, the NIST says, and use “security design principles and systems engineering processes to develop appropriate security requirements, architecture and design.”
The objective, according to the agency, is to implement “a security capability that can adequately protect these assets and reduce a system’s susceptibility to adverse consequences from threats and other hazards—all in the context of an organization’s tolerance for risk.”
The security engineering considerations in NIST Special Publication 800-160, Ross says, give organizations “the capability to strengthen their systems against cyber attacks, limit the damage from those attacks if they occur and make their systems survivable.”
The NIST welcomes public comment about NIST Special Publication 800-160, titled Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. Comments can be sent to firstname.lastname@example.org until July 1.