NIST Security Noise
There is quite a bit of NIST security noise, and it should not be dismissed. Whether you are a federal agency or not, NIST has significant meaning for you.
The National Institute of Standards and Technology (NIST) is a federal laboratory and non-regulatory agency that publishes guidance to promote innovation and industrial competitiveness.
When it comes to cyber security, NIST has already offered specific guidelines and frameworks. Here are some examples:
NIST SP 800-53 for Security Controls – A mandate for all federal information systems under FISMA that is becoming a popular standard in non-federal organizations.
NIST SP 800-171 for Security Controls – Derived from 800-53 for non-federal entities that handle sensitive Controlled Unclassified Information (CUI).
NIST Cyber Security Framework – A voluntary, risk-based cyber security guideline. It offers a common language to work across departments and industries. A draft update (version 1.1) released in January 2017 added details on managing cyber supply chain risks, clarified key terms, and introduced measurement methods for cyber security. Core to the framework are its five key functions: Identify, Protect, Detect, Respond, and Recover.
FEDERAL NIST MANDATES CONTINUE WITH A NEW SHERIFF
The increased focus on NIST comes from a variety of angles.
In March, the House Science Committee approved the NIST Cybersecurity Framework, Assessment, and Auditing Act, which includes a section that would expand NIST’s role from offering guidance to auditing agency compliance. If enacted, NIST would no longer be a purely “non-regulatory” agency.
The act would assign audit responsibilities to an agency that prides itself on setting primarily advisory standards. Meanwhile, agencies are still required to report back by this summer on their FISMA/NIST progress.
NIST MANDATE: ORGANIZATIONS DOING BUSINESS WITH THE FEDERAL GOVERNMENT
Another recent big call-out for NIST is the pending December 2017 NIST SP 800-171 deadline for non-federal entities that handle or process CUI from the federal government. This is a call to action for organizations doing business with the government, including system integrators managing federal systems (that are not already covered by FISMA certification), colleges and universities processing federal funding information, healthcare organizations managing federal Medicare data, groups doing federally funded research, and many others.
NIST’s Cyber Security Framework is a very prominent security framework, and research shows that many non-federal markets are adopting it. Gartner predicts that by 2020, 50 percent of organizations will be using the framework. This aligns with other research, such as a HIMSS survey in which 47 percent of healthcare organizations reported already using it.
Using the NIST framework facilitates a risk-based approach to cyber security management. It reduces the possibility of miscommunication between staff and the other organizations that integrate with your cyber environment. It also heightens awareness of cyber threats and accelerates the effort to create an information security program.
Source | tripwire