What is NIST?

NIST stands for the National Institute of Standards and Technology, a federal agency and department of the United States Department of Commerce.

Congress established the agency in 1901 to remove a major challenge to U.S. industrial competitiveness. Learn more about NIST and everything else they do.

NIST Cyber Security Framework (CSF)

The NIST Cyber Security Framework is a risk management framework. The framework is voluntary guidance (based on existing standards, guidelines, and practices) for critical infrastructure organizations to better manage and reduce cybersecurity risk.

The CSF does not recommend new technologies, standards, or concepts; it leverages and integrates cybersecurity practices developed by organizations like NIST and ISO (the International Organization for Standardization).

At the “core” of the CSF are 5 functions – Identify, Protect, Detect, Respond and Recover. These five functions provide the “strategic” view of the life cycle of cybersecurity risk.

Each Function is further divided into categories tied to needs and particular activities. In addition, each category is broken down into subcategories that point to informative references. Those references cite specific sections of standards, guidelines, and practices that illustrate a method to achieve the outcomes associated with each subcategory.

You can find the official NIST Cyber Security Framework here.

Identify: Asset Management; Business Environment; Risk Assessment; Risk Management Strategy
Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Protective Technology
Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
Respond: Response Planning
Recover: Recovery Planning

NIST Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations

Beyond the general framework provided by the NIST CSF, there are other, more specific publications that apply to certain organizations.

NIST Special Publication 800-53 provides security and privacy controls for all U.S. Federal Information Systems (except those related to national security).

NIST published Special Publication 800-53 to help federal agencies implement the Federal Information Security Management Act of 2002 (FISMA). The security controls cover 18 areas, including access control, incident response, business continuity and disaster recovery.

So, who needs to follow this specific framework? Government agencies must reach FISMA compliance, and NIST SP 800-53 is the best way to go about doing it. Therefore, government agencies should use this framework.

And, while it is true that government agencies house a lot of sensitive information, if you work with the US Government you may be housing this sensitive information in your network as well. Nonfederal organizations house a lot of Controlled Unclassified Information (CUI), which leads us into the next topic.

Cyber Security Requirements for Government Contractors 

NIST Special Publication 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. A new rule recently published by the US Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) will require federal government contractors to apply 15 basic cybersecurity safeguarding requirements and procedures to protect their information systems. All safeguarding requirements are based on security requirements published in NIST SP 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.

On December 30, 2015, the U.S. Department of Defense (DoD) published a three-page interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS). This new interim rule gives government contractors the deadline of December 31, 2017 to have implemented NIST SP 800-171 security controls.

Here is the exact requirement, taken from the publication:

(ii)(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at osd.dibcsia@mail.mil, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.
Notwithstanding the 12/31/2017 phase-in period, contractors must still notify DoD within 30 days after contract award “of any security requirement specified by NIST SP 800-171 not implemented at the time of contract award”.

The liability protections for certain DoD contractors when reporting cyber incidents are specified here.

Incident Reporting

Something that stands out in this new “policy” is the incident reporting triggered by the discovery of a “cyber incident”, which is defined broadly: a network compromise, an “adverse effect”, or even just a “potentially adverse effect” on the network, on the covered contract information, or on the ability to execute against “operationally critical” contract requirements.

In practice, this means that contractors aren’t merely required to disclose network intrusions, but also attempted intrusions, regardless of whether systems or data were compromised.

Upon discovery of a cyber incident, you’ll be required to do the following things:

  1. Report the incident to the DoD within 72 hours of discovery, through http://dibnet.dod.mil, as well as to the prime contractor (if applicable) as soon as practical.
  2. Investigate to determine whether any covered information was compromised.
  3. Preserve an image of all affected systems, plus all relevant logging data, for at least 90 days from the submission of the incident report.
  4. Submit to the DoD any malware discovered and isolated, per instructions provided by the Contracting Officer.

The requirements in this rule, when compared to other recently released rules around information security requirements, are fairly reasonable and require much less effort. As an example, contractors required to comply with DFARS 252.204-7012 must implement 109 controls from NIST SP 800-171, compared to the 17 controls that the new rule requires.

How to stay up-to-date

The NIST CSF is not a requirement and use of the framework is voluntary, so you cannot actually be “compliant” with it. A comment posted on the Federal Trade Commission’s website summed it up perfectly:

The NIST CSF should never become a compliance document, as it will [define] the minimum that most organizations will choose to secure their enterprise. Instead, as a risk management framework, organizations are challenged to evaluate their approaches to the 5 functional areas, select implementation controls that fit their budget and risk appetite, and then continuously monitor their threat landscape to determine when changes are necessary.

Our goal with this blog post is to clarify some of the confusion about NIST and the Cybersecurity Framework. Keep up with the latest news from NIST on the Cyber Security Framework here.

If you have any questions as a government agency or contractor, or are looking to see how your organization measures up, give us a call and ask about our NIST Assessment!
