Standards now cover BYOD and supply chain threats.
The National Institute of Standards and Technology has rewritten federal cybersecurity standards for the first time in nearly a decade to address evolving smartphone vulnerabilities and foreign manipulation of the supply chain, among other new threats.
The 457-page government computer security bible, officially called "SP (Special Publication) 800-53," has not undergone a major update since its inception in 2005. That was long before the rise of advanced persistent threats -- infiltrations that play off human failings to linger in systems until finding sensitive data.
Agencies are not required to follow all the specifications, but rather choose among the protections that suit their operational environments, such as space in the case of NASA.
Congressional reports indicate that foreign adversaries have attempted to corrupt the supply chain at some point between agency system design and operation to disrupt or spy on the government. To protect critical computer parts, the compendium recommends sometimes withholding the ultimate purpose of a technology from contractors by "using blind or filtered buys."
Agencies also should offer incentives to vendors that provide transparency into their processes and security practices, or vet the processes of subcontractors.
NIST broaches the controversial approach to "restrict purchases from specific suppliers or countries," which U.S. technology firms, even those who have been hacked, say might slow installations.
The new guidelines also cover the challenges of web-based or cloud software, insider threats and privacy controls.
There are considerations specific to employees using personal devices for work, commonly referred to as BYOD, or bring your own device." Recommended restrictions include using cloud techniques to limit processing and storage activities on actual government systems. NIST also advises that agencies consult the Office of the General Counsel regarding legal uncertainties, such as "requirements for conducting forensic analyses during investigations after an incident."
Government experts from the intelligence, defense and national security communities began promulgating this incarnation of NIST standards in 2009.