recommended reading

NIST Reworks Cyber Guidelines for the Hacking Era

Maksim Kabakou/Shutterstock.com

The National Institute of Standards and Technology has rewritten federal cybersecurity standards for the first time in nearly a decade to address evolving smartphone vulnerabilities and foreign manipulation of the supply chain, among other new threats.

The 457-page government computer security bible, officially called "SP (Special Publication) 800-53," has not undergone a major update since its inception in 2005. That was long before the rise of advanced persistent threats -- infiltrations that play off human failings to linger in systems until finding sensitive data.

Agencies are not required to follow all the specifications, but rather choose among the protections that suit their operational environments, such as space in the case of NASA. 

Congressional reports indicate that foreign adversaries have attempted to corrupt the supply chain at some point between agency system design and operation to disrupt or spy on the government. To protect critical computer parts, the compendium recommends sometimes withholding the ultimate purpose of a technology from contractors by "using blind or filtered buys."

Agencies also should offer incentives to vendors that provide transparency into their processes and security practices, or vet the processes of subcontractors. 

NIST broaches the controversial approach to "restrict purchases from specific suppliers or countries," which U.S. technology firms, even those who have been hacked, say might slow installations. 

The new guidelines also cover the challenges of web-based or cloud software, insider threats and privacy controls. 

There are considerations specific to employees using personal devices for work, commonly referred to as BYOD, or bring your own device." Recommended restrictions include using cloud techniques to limit processing and storage activities on actual government systems.  NIST also advises that agencies consult the Office of the General Counsel regarding legal uncertainties, such as "requirements for conducting forensic analyses during investigations after an incident." 

Government experts from the intelligence, defense and national security communities began promulgating this incarnation of NIST standards in 2009. 

(Image via Maksim Kabakou/Shutterstock.com)

Threatwatch Alert

Accidentally leaked credentials / Software vulnerability

Cloudflare Bug Leaked Passwords, Dating Chats and Other Sensitive Info for Months

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    Download
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download

When you download a report, your information may be shared with the underwriters of that document.