New cyber security requirements for federal and nonfederal agencies. Here we take a moment to clarify some things.
If you know what the NIST Cyber Security Framework is, or have at least heard the term pop up, it might affect your organization. Keep reading this post to learn more about NIST and the Cybersecurity Framework.
Learn about the Defense Federal Acquisition Regulation Supplement (DFARS) cyber security requirements here. This is a requirement for defense contractors.
What is NIST?
NIST stands for the National Institute of Standards and Technology, a federal agency and department of the United States Department of Commerce. Fun fact: it is one of the nation’s oldest physical science laboratories!
Congress established the agency to remove a major challenge to U.S. industrial competitiveness in 1901.
Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations.
Learn more about NIST and everything else they do!
The NIST Cybersecurity Framework
To put it simply, the NIST CSF is a risk management framework of cybersecurity controls.
The framework is VOLUNTARY guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk.
To clarify even further, the CSF does not recommend new technologies, standards, or concepts; rather, it leverages and integrates cybersecurity practices developed by organizations like NIST and ISO (International Standards Organization).
The “Core” of the NIST CSF are the 5 functions – Identify, Protect, Detect, Respond and Recover. These five functions provide the “strategic” view of the lifecycle of an organization’s management of cybersecurity risk.
Risk Management Strategy
Awareness and Training
Information Protection Processes and PRocedures
|Detect||Anomalies and Events
Security Continuous Monitoring
“Each function is further divided into categories tied to programmatic needs and particular activities. In addition, each category is broken down into subcategories that point to informative references. Those references cite specific sections of standards, guidelines, and practices that illustrate a method to achieve the outcomes associated with each subcategory.”
If you have questions about NIST CSF, they provide a great resource for common Q&A. Check it out here.
The Federal Trade Commission wrote an article about the NIST Cybersecurity Framework explaining everything in greater detail. Find the article here.
NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations
NIST Special Publication 800-53 provides security and privacy controls for all U.S. Federal Information Systems (except those related to national security).
NIST published Special Publication 800-53 to help federal agencies implement the Federal Information Security Management Act of 2002 (FISMA). If you’re not caught up, learn more about FISMA here.
The security rules cover 18 areas, including access control, incident response, business continuity and disaster recovery.
At this point in time, NIST SP 800-53 has been revised 4 times and is now on the 5th revision.
So, who needs to follow this specific framework? Government agencies must reach FISMA compliance, and NIST SP 800-53 is the best way to go about it. Therefore, Government agencies should use this framework.
And, while it is true that government agencies house a lot of sensitive information, if you work with the US Government that means you may be housing this sensitive information in your network as well. Nonfederal agencies house a lot of Controlled Unclassified Information (CUI) and that leads us into the next topic.
New Cybersecurity Requirements for Government Contractors
NIST SP 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
A new rule recently published by the US Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) will require federal government contractors to apply 15 basic cybersecurity safeguarding requirements and procedures to protect their information systems. All safeguarding requirements are based on security requirements published in NIST CSF SP 800-171 – Protecting controlled unclassified information in non-federal systems and organizations. ℹ
On December 30, 2015, the U.S. Department of Defense (DoD) published a three-page interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS). This new interim rule that gives government contractors the deadline of December 31, 2017 to have implemented NIST SP 800-171 security controls.
Here is the exact requirement, taken from the publication:
(ii)(A)The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at email@example.com, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.
Notwithstanding the 12/31/2017 phase-in period, contractors must still notify DoD within 30 days after contract award “of any security requirement specified by NIST SP 800-171 not implemented at the time of contract award”.
Specification for liability protections for certain DoD contractors when reporting cyber incidents can be found here.
Something that stands out in this new “policy” is the Incident Reporting triggered by the discovery of a “cyber incident” which is defined broadly as a network compromise, and “adverse effect” or even just a “potentially adverse effect” on either the network, the covered contract information or the ability to execute against “operationally critical” contract requirements. In practice, this means that contractors aren’t merely required to disclose network intrusions, but also attempted intrusions, regardless of whether systems or data were compromised.
- Report the incident to the DoD within 72 hours of discovery, through http://dibnet.dod.mil as well as to the prime contractor (is applicable) as soon as practical.
- Investigate to determine whether any covered information was compromised.
- Preserve an image of all affected systems, plus all relevant logging data, for at least 90 days from the submission of the incident report.
- Submit the DoD any malware discovered and isolated, per instructions provided by the Contracting Officer.
The requirements in this rule, when compared to other recently released rules around information security requirements, are fairly reasonable and require much less effort. As an example, contractors required to comply with DFARS 252.204-7012 must implement 109 controls from NIST SP 800-171, compared to the 17 controls that the new rule requires.
NIST is not a requirement, and therefore you cannot actually be "compliant". A comment posted on FTC's website summed it up perfectly:
The NIST CSF should never become a compliance document, as it will [define] the minimum that most organizations will choose to secure their enterprise. Instead, as a risk management framework, organizations are challenged to evaluate their approaches to the 5 functional areas, select implementation controls that fit their budget and risk appetite, and then continuously monitor their threat landscape to determine when changes are necessary.
Our goal with this blog post is to clarify some of the confusion about NIST and the Cybersecurity Framework. If you're a government agency or contractor and looking to see how your organization measures up, give us a call and ask about our NIST Assessment today, or learn more about our NIST Assessment here!