Origin Story: Cybersecurity Guidelines
In the past year, many of the topics of the Data Dump column have dealt with passwords, storing data in the cloud, ransomware, and security breaches. Those articles passed along standard security advice to protect you and your business. But do you know where those security guidelines and that advice come from? Much of it traces back to a United States Department of Commerce agency called NIST.
NIST is the National Institute of Standards and Technology, founded in 1901 as the National Bureau of Standards and renamed in 1988. NIST has many laboratories whose work ranges across manufacturing, energy, health, forensics, quantum science, and of course cybersecurity. NIST is a non-regulatory agency within the federal government: it cannot on its own compel any other department, agency, or organization to comply with the guidelines it creates. Whether a guideline becomes a requirement is up to the laws and regulators that adopt it.
I had the privilege to go to the NIST headquarters in Gaithersburg, MD in February of this year to attend one of their industry days. I quickly learned how much they are involved in. This group of scientists is on the frontlines of cyber-everything.
The NIST cybersecurity team was looking for a team of contractors experienced in developing standards and guidelines in the following areas:
- Applied Cybersecurity (for example, Cyber-Physical Systems, Public Safety Communications, Health Information Technology, Electronic Voting, Critical Infrastructure, and Federal Agency Cybersecurity)
- Information and Communications Technology Supply Chain Risk Management
- Cybersecurity Awareness, Training, Education, and Workforce Development
- Cloud Computing and Virtualization
- Mobile Security
- Network and Internet Security
- Organizational and System Risk Assessment and Management
- Software and application development, and application modeling
- Privacy engineering and risk management
- Cybersecurity and privacy in Health Information Technology (HIT) issues
- Software development, application development, and application modeling support
I know what you’re thinking now. Yeah, they do pretty much cover everything.
One product of that ongoing work is a document called Framework for Improving Critical Infrastructure Cybersecurity (version 1.1), better known as the NIST Cybersecurity Framework (CSF).
The CSF is not a set of hard and fast rules that everyone must abide by. It is a set of guidelines that regulators and organizations turn into enforceable requirements. For example, the CSF says that backups of information should be conducted, maintained, and tested periodically (subcategory PR.IP-4). An organization following that guideline defines the exact requirements for itself: what is backed up, how long it is kept, how often a backup runs, and how the restore is tested.
The advantage of guidelines is that they scale to fit organizations of any size and budget, and they give us technology professionals a common reference document to pull from. An organization like Microsoft or the Department of Defense will have whole teams of people just to manage backups, while a small business here in Culpeper will need only one or two people to handle the same task. Both work from the same set of principles.
The second biggest takeaway from my NIST industry day was that they must be right, no matter what. Accuracy over speed. Every presenter that day started with the same point: price was not the most crucial factor when looking for additional contractors. The need to be accurate was the most important. The research they do on a daily basis has global impact and is constantly changing. When doing scientific research on cybersecurity for critical infrastructure, such as the electrical grid, there is no room for error.
If you are curious and would like to check out the NIST CSF document, head over to: https://www.nist.gov/topics/cybersecurity
It's 61 pages of policy goodness.
TEASER: Next month I will be profiling a startup company that has developed innovative technology to expand fiber and broadband internet at a much lower cost. And they are relatively local!