How NIST Standards Help Businesses Create and Enhance Their Security
In 2014, the National Institute of Standards and Technology (NIST) released the first version of its cybersecurity framework. The framework provides a structure that organizations, regulators and customers can use to create and guide cybersecurity programs and, ultimately, to make those programs more comprehensive.
Critical Infrastructure Is the Impetus
These standards were a response to what was seen as a lack of security in the U.S. critical infrastructure sector. At the initial release, NIST stated that the framework was created through a public-private collaboration and that it provides a common language for addressing and managing cyber risk in a cost-effective way based on business needs. It currently does not place any additional regulatory requirements on businesses.
Further, NIST says that organizations can use the framework to determine their current level of cybersecurity, set goals for cybersecurity that are consistent with their business environment and establish a plan for improving or maintaining the strength of their cybersecurity.
As part of its framework, NIST offers a methodology designed to protect privacy and civil liberties. The organization wants to help businesses incorporate these kinds of protections into a comprehensive cybersecurity program. And it may be that simply being made aware of the need for such protections, as echoed by NIST, will serve as a wake-up call to the enterprises that need it.
Any new journey requires a direction in which to proceed, of course. As a whole, the framework encourages an organization to conduct a sweeping self-analysis so that it can identify a desired state of security and devise a path to get there.
The three main elements of the framework are the framework core, tiers and profiles.
- The core presents five vital functions — identify, protect, detect, respond and recover — that are always needed in a successful cybersecurity program. You may be able to add other enterprise-specific functions, but these are the most important.
- The tiers denote the extent to which an organization’s cybersecurity risk management will meet the goals that are laid out in the framework. They range from informal, reactive responses to agile and risk-informed. Just like what happens at the average enterprise’s helpdesk.
- The profiles help organizations progress from a current level of cybersecurity sophistication to a “target improved state” that meets business needs.
NIST has shown that the framework parts can change as needed. For instance, it has strongly advised that sending a code by SMS text message as part of a two-factor authentication scheme was the wrong way to go. This caused some dissent over at the Social Security Administration, which had just gone the SMS route for authentication and authorization on its site. All sorts of letters had to be written to show that the advice was not disingenuous.
But NIST is right. A phone is not (and probably never has been) a secure channel. Man-in-the-middle (MiTM) exploit boxes abound. So transmitting in the clear any code that needs to be kept secret makes it possible for the security outcome to eventually fail.
NIST had the voice to call out a bad practice and effect a real change. They got something done here. Not bad at all.