It’s fair to say regulations from the National Institute of Standards and Technology (NIST) are a cornerstone to the security of our federal government: NIST documents set the standard for business operations in both the public and private sector, ranging from information security controls (SP 800-53) to cybersecurity practices (CSF). As time goes by, these documents are frequently updated, and keeping track of them can be difficult.
As we mentioned in a recent article, technology has a tendency to change faster than policy can keep up – but that doesn’t mean NIST won’t try. Every year, the agency works diligently to keep its standards current, seeking the advice of industry professionals to produce new documents ahead of future trends. With a new decade ahead of us, NIST is already hard at work, announcing new standards for IoT, privacy and much more.
To ensure your organization is prepared for the next generation of risk and compliance, keeping up with NIST’s activity is vitally important. Our staff is among the industry organizations that advise NIST, in this article, we’ll share five of the biggest updates to recently come from the nation’s foremost authority on Federal and commercial enterprise technology.
1. CMMC to Supplant SP 800-53 for DoD Contractors
The Cybersecurity Maturity Model Certification (CMMC) is by the far the biggest change to policy impacting federal partners in 2020. Although for now it mainly applies to contractors working with the DoD, that may change with time, and organizations should prepare before it goes into effect later this year.
CMMC has three major goals:
- Consolidate – and therefore supersede – multiple cybersecurity standards, including NIST documents SP 800-53 and SP 800-171, and several international standards like ISO 27001
- Prevent organizations from winning a contract until they can demonstrate cybersecurity preparedness
- Gauge the maturity of a company’s cybersecurity practices and processes, as they have been institutionalized
With five gradually escalating certification tiers, in some ways the CMMC will ease the burden of compliance for federal contractors. In other ways, it will raise the bar for what it means to be “compliant,” forcing organizations to take responsibility for risk and adopt a mindset of cybersecurity across its departments. As a military contractor ourselves, we too are adapting to comply.
2. Draft for IoT Standards
The IoT security gap remains one of the greatest threats to security across federal agencies. Thanks to a lack of security controls from IoT vendors – and a lack of awareness from organizations – most IoT devices suffer from multiple vulnerabilities that can be used for espionage, data theft and much more.
In response, NIST has released a draft of IR 8259, titled Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline. The document contains policies focused on bringing IoT vendors in line with the security needs of their customers with controls like data protection, authorized software updates, End-of-Life policies and – most importantly – secure firmware designed to prevent unauthorized device access.
While compliance with IR 8259 is completely voluntary for the time being, a proposal to put NIST in charge of IoT standards remains before the House of Representatives, and may be passed at any time.
3. Privacy Framework
Federal contractors handle a lot of sensitive information, ranging from the personal data of their employees, customers and clients to levels of classified information from government agencies. As emerging data privacy laws seek to mitigate the risk of data incidents across public organizations, NIST is doing its part to prevent them in a federal context with the Privacy Framework (PF).
While the PF is only 39 pages long, it is jam-packed with advice and procedures to defend data security from threats both inside and outside of an organization. Divided into five basic sections, it is also aimed at helping organizations stay prepared for technology advancements and new data use cases:
- Identify risk to individuals
- Govern risk management priorities
- Control privacy risks at a granular level
- Communicate with stakeholders
- Protect data from “privacy events”
Version 1.0 of the PF was released at the end of last month, after being available for public comment since September of last year. It has already been adopted by organizations outside the government and should gain wider adoption in the coming months.
4. Supply Chain Risk Management Updates
Released in 2015, SP 800-161 has existed to mitigate risks in the information and communications technology (ICT) supply chain throughout federal organizations. Now, NIST seeks to update Supply Chain Risk Management Practices for Federal Information Systems and Organizations for a new decade, following changes in federal law regarding the acquisition of ICT products in 2019, especially from foreign vendors.
In its pre-draft call for comments, NIST stated its goal to “deliver a single set of cyber supply chain risk management practices to help Federal departments and agencies manage the risks associated with the acquisition and use of IT/operational technology products and services in a way that is functional and usable.”
The ICT supply chain can introduce risk to organizations through poor design, lack of security controls and even backdoors for espionage. Since changes to SP 800-161 will be accompanied by updates to NIST SP 800-37, and SP 800-53, all federal contractors will be affected, and they should stay informed as new information becomes available.
5. Standardization of Cybersecurity Regulations
Ever feel like there are just too many security regulations to keep up with? NIST agrees: in a draft report for the National Cybersecurity Online Informative References (OLIR) Program, it states “the fields of cybersecurity, privacy, and workforce have a large number of documents, such as standards, guidance, and regulations”.
Through the OLIR, NIST aims to simplify compliance procedures through a centralized online repository of cybersecurity legislation complete with cross-references between documents, and advice from subject matter experts. Depending on the extent of the OLIR, it could change the workflow of security professionals throughout the industry and make the adoption of new standards much easier.
NIST accepted public comments on its first draft until February 24th, but we don’t know how long it will be until OLIR goes into effect, but it’s safe to assume something will be up and running by the end of this year.
Every new update from NIST points to developing trends in technology and legislation. While keeping up with them can be difficult, the best way to stay ahead of regulations is to stay on top of risk.
Don’t stop at checking off boxes: in 2020, organizations who take responsibility for their business processes, IT infrastructure and insider threats will be the most likely to succeed on the road to full compliance.
Take stock of your IT assets and fix vulnerabilities before NIST tells you to: with a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!