The agency tasked with establishing cybersecurity standards and guidelines for all federal agencies—the National Institute of Standards and Technology (NIST)—published a major update to its standards late last month, titled NIST Special Publication 800‐53 “Security and Privacy Controls for Federal Information Systems and Organizations.” Described as the “most comprehensive update to the security controls catalog since its inception,” the publication aims to provide a “more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environment in which those systems operate.”
The foundational characteristic of these new guidelines is that they are simply baselines with the inherent flexibility to be adapted to the various information systems employed by all federal agencies as well as the diversity of scenarios an agency may confront when conducting its business. In other words, the publication does not establish strict standards so much as it outlines methods and procedures that an agency’s information security team should employ when crafting the agency’s individual protocols. The publication emphasizes that there is no one set of security controls that addresses all organizational security concerns in all situations.
The publication of the NIST’s latest standards should also be viewed in the context of recent moves by the Obama administration to incorporate cybersecurity standards into acquisition planning and contract administration. For example, in February 2013, President Obama issued Executive Order 13636 “Improving Critical Infrastructure Cybersecurity,” which, among other things, ordered a feasibility study by the Secretary of Defense, the Administrator of General Services and the FAR Council to “address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.” Indeed, some stakeholders in the government contract space have encouraged the federal government to avoid further incorporation of cybersecurity requirements into government contracts until such time as a comprehensive framework from the NIST was in place.
For government contractors, the guidelines are the hopeful first step towards a more uniform set of standards to be applied across agencies. Until now, agencies have adopted an ad hoc approach to cybersecurity, requiring contractors that do business with different agencies to sometimes adopt different policies and procedures based on specific agency and contractual requirements. The new guidelines may not only help establish uniformity, but also encourage agencies to create incentives for contractors to provide voluntary access to the contractor’s cybersecurity procedures.
The publication also states that it has applicability outside of federal agencies. Its target audience is described to include “commercial companies producing information technology products and systems, creating information security‐related technologies, or providing information security systems.” In short, any organization that has any information technology interactions with the federal government or has significant cybersecurity requirements of its own would do well to understand these guidelines and incorporate them into the organization’s cybersecurity protocols.
The NIST’s publication listed the following principles as foundational to any cybersecurity plan:
- Clearly articulated security requirements and security specifications;
- Well‐designed and well‐built information technology products based on state‐of‐the‐practice hardware, firmware and software development processes;
- Sound systems/security engineering principles and practices to effectively integrate;
- information technology products into organizational information systems;
- Sound security practices that are well documented and seamlessly integrated into the training requirements and daily routines of organizational personnel with security responsibilities;
- Continuous monitoring of organizations and information systems to determine the ongoing effectiveness of deployed security controls, changes in information systems and environments of operation, and compliance with legislation, directives, policies, and standards; and
- Information security planning and system development life cycle management.
According to the multitiered risk management approach articulated in the NIST’s publication, cyber intrusion risk must be addresses at the: i) organization level; ii) the mission/business process level; and iii) the information systems level. At Tier 1, an agency should prioritize its organizational missions/business functions and the inherent cybersecurity requirements therein, which will drive investment strategies and funding decisions. At Tier 2, the agency should determine the security categories of the information systems needed to execute the mission and incorporate those information security requirements into its processes. At Tier 3 the agency should incorporate the following six steps in a cycle: 1) categorize information systems; 2) select security controls; 3) implement security controls; 4) assess security controls; 5) authorize information systems; 6) monitor security controls.
While flexibility is the hallmark of the NIST’s approach to cybersecurity, the publication also encourages the use of common controls to the greatest extent possible. Accordingly, the publication recommends pushing the identification of common security controls to highest levels of organizational leadership. When decisions are made at higher‐levels, agencies will be able to identify the controls that impact multiple information systems and the greater interoperability will serve to enhance overall information security.
The NIST’s guidelines are a critical piece of the government‐wide effort to stay ahead of the cybersecurity curve. However, the ongoing effort is a fluid process—the NIST’s publication invites comments from interested parties and future revisions are anticipated. It is incumbent on government contractors and other industry stakeholders to become involved in the development of future standards to ensure an effective cybersecurity regime.