Origin Story: Cybersecurity Guidelines
In the past year, many of the topics of the Data Dump column have dealt with passwords, data storage in the cloud, ransomware, and security breaches. Those articles contained standard security advice to protect you and your business. But do you know where those security guidelines and that advice come from? They come from a United States Department of Commerce agency called NIST.
NIST, the National Institute of Standards and Technology, was founded in 1901 as the National Bureau of Standards. NIST has many laboratories, covering fields that range from manufacturing, energy, health, forensics, and quantum science to, of course, cybersecurity. NIST is a non-regulatory agency within the federal government, meaning that it cannot compel any other department, agency, or organization to comply with the guidelines it creates.
I had the privilege of going to NIST headquarters in Gaithersburg, MD in February of this year to attend an industry day. I quickly learned how much they are involved in. This group of scientists is on the front lines of cyber-everything.
The NIST cybersecurity team was looking for a team of contractors experienced in developing standards and guidelines in the following areas:
- Applied Cybersecurity (for example, Cyber-Physical Systems, Public Safety Communications, Health Information Technology, Electronic Voting, Critical Infrastructure, and Federal Agency Cybersecurity)
- Information and Communications Technology Supply Chain Risk Management
- Cybersecurity Awareness, Training, Education, and Workforce Development
- Cloud Computing and Virtualization
- Mobile Security
- Network and Internet Security
- Organizational and System Risk Assessment and Management
- Software and application development, application modeling
- Privacy engineering and risk management
- Cybersecurity and privacy in Health Information Technology (HIT) issues
- Software and application development, application modeling support
I know what you’re thinking now. Yeah, they do pretty much cover everything.
The result of this never-ending research is a document called Framework for Improving Critical Infrastructure Cybersecurity (version 1.1), also referred to as the NIST Cybersecurity Framework (CSF).
The NIST CSF does not contain hard and fast rules that everyone needs to abide by. Rather, it consists of guidelines that other agencies turn into enforceable rules. An example would be a NIST guideline saying you should back up your information periodically. An organization following that guideline would then define the exact requirements for backing up its data, such as what is backed up, how long to keep it, and how frequently a backup is scheduled.
The advantage of having guidelines is that they can be scaled to fit organizations of any size and budget. This gives technology professionals a common reference document to pull from. A company like Microsoft or the Department of Defense will have teams of people just to manage backups, while our company, managing a small business in Culpeper, will only need one or two people to handle the same sort of task. Both types of organizations would implement identical sets of principles.
The second biggest takeaway from my NIST industry day was that they must be right, no matter what. Every presenter that day started with the same thing: accuracy is the most crucial factor when looking for additional contractors, not price. The research they do on a daily basis has global impact and is constantly changing. When doing scientific research on the cybersecurity of critical infrastructure, such as the electrical grid, there is no room for error.
If you are curious and would like to check out the NIST CSF document, head over to: https://www.nist.gov/topics/cybersecurity
It's 61 pages of policy goodness.
TEASER: Next month I will be profiling a startup company that has developed innovative technology to expand fiber and broadband internet at a much lower cost. And they are relatively local!