What is NIST?
A better question would be, “Who is NIST?”. NIST stands for the National Institute of Standards and Technology, a federal agency and department of the United States Department of Commerce.
Congress established the agency to remove a major challenge to U.S. industrial competitiveness in 1901. Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations. Learn more about NIST and everything else they do.
NIST Cyber Security Framework (CSF)
The NIST Cyber Security Framework is a risk management framework of cybersecurity controls. The framework is voluntary guidance (based on existing standards, guidelines, and practices) for critical infrastructure organizations to better manage and reduce cybersecurity risk.
To clarify even further, the CSF does not recommend new technologies, standards, or concepts; rather, it leverages and integrates cybersecurity practices developed by organizations like NIST and ISO (International Standards Organization).
At the “core” of the NIST CSF are 5 functions – Identify, Protect, Detect, Respond and Recover. These five functions provide the “strategic” view of the lifecycle of an organization’s management of cybersecurity risk.
Each Function is further divided into categories tied to programmatic needs and particular activities. In addition, each category is broken down into subcategories that point to informative references. Those references cite specific sections of standards, guidelines, and practices that illustrate a method to achieve the outcomes associated with each subcategory.
You can find the official NIST Cyber Security Framework here.
Risk Management Strategy
Awareness and Training
Information Protection Processes and Procedures
|Detect||Anomalies and Events
Security Continuous Monitoring
NIST Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations
Beyond the general framework provided by the NIST CSF, there are other publications, or versions, that apply to certain categories of organizations.
NIST Special Publication 800-53 provides security and privacy controls for all U.S. Federal Information Systems (except those related to national security).
NIST published Special Publication 800-53 to help federal agencies implement the Federal Information Security Management Act of 2002 (FISMA). If you’re not caught up, learn more about FISMA here. The security rules cover 18 areas, including access control, incident response, business continuity and disaster recovery.
So, who needs to follow this specific framework? Government agencies must reach FISMA compliance, and NIST SP 800-53 is the best way to go about doing it. Therefore, Government agencies should use this framework.
And, while it is true that government agencies house a lot of sensitive information, if you work with the US Government that means you may be housing this sensitive information in your network as well. Nonfederal agencies house a lot of Controlled Unclassified Information (CUI) and that leads us into the next topic.
Cyber Security Requirements for Government Contractors
NIST Special Publication 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. A new rule recently published by the US Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) will require federal government contractors to apply 15 basic cybersecurity safeguarding requirements and procedures to protect their information systems. All safeguarding requirements are based on security requirements published in NIST CSF SP 800-171 – Protecting controlled unclassified information in non-federal systems and organizations.
On December 30, 2015, the U.S. Department of Defense (DoD) published a three-page interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS). This new interim rule gives government contractors the deadline of December 31, 2017 to have implemented NIST SP 800-171 security controls.
Here is the exact requirement, taken from the publication:
(ii)(A)The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at firstname.lastname@example.org, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.
Notwithstanding the 12/31/2017 phase-in period, contractors must still notify DoD within 30 days after contract award “of any security requirement specified by NIST SP 800-171 not implemented at the time of contract award”.
Specification for liability protections for certain DoD contractors when reporting cyber incidents can be found here.
Something that stands out in this new “policy” is the Incident Reporting triggered by the discovery of a “cyber incident” which is defined broadly as a network compromise, and “adverse effect” or even just a “potentially adverse effect” on either the network, the covered contract information or the ability to execute against “operationally critical” contract requirements.
In practice, this means that contractors aren’t merely required to disclose network intrusions, but also attempted intrusions, regardless of whether systems or data were compromised.
Upon discovery of a cyber incident, you’ll be required to do the following things:
- Report the incident to the DoD within 72 hours of discovery, through http://dibnet.dod.mil as well as to the prime contractor (is applicable) as soon as practical.
- Investigate to determine whether any covered information was compromised.
- Preserve an image of all affected systems, plus all relevant logging data, for at least 90 days from the submission of the incident report.
- Submit the DoD any malware discovered and isolated, per instructions provided by the Contracting Officer.
The requirements in this rule, when compared to other recently released rules around information security requirements, are fairly reasonable and require much less effort. As an example, contractors required to comply with DFARS 252.204-7012 must implement 109 controls from NIST SP 800-171, compared to the 17 controls that the new rule requires.
How to stay up-to-date
NIST is not a requirement and use of the framework is voluntary, therefore you cannot actually be “compliant”. A comment posted on the Federal Trade Commission’s website summed it up perfectly:
The NIST CSF should never become a compliance document, as it will [define] the minimum that most organizations will choose to secure their enterprise. Instead, as a risk management framework, organizations are challenged to evaluate their approaches to the 5 functional areas, select implementation controls that fit their budget and risk appetite, and then continuously monitor their threat landscape to determine when changes are necessary.
Our goal with this blog post is to clarify some of the confusion about NIST and the Cybersecurity Framework. Keep up with the latest news from NIST on the Cyber Security Framework here.
If you have any questions as a government agency or contractor, and looking to see how your organization measures up, give us a call and ask about our NIST Assessment!