recommended reading

Federal Standards Body Proposes Cyber Protocols for Private Sector


This story was updated to provide a comment from Ed Skoudis. 

The U.S. government has released preliminary guidelines for key industries on how to shield company systems from destructive attacks that could, for example, knock out electricity or halt transportation. 

The voluntary rubric, which was released Tuesday afternoon, homes in on the upper echelon of firms. The rationale being that information technology managers can't bolster security without financial and leadership support from top officials, such as board directors. 

In February, President Obama issued an executive order to protect networks running U.S. critical infrastructure that required the National Institute of Standards and Technology to produce final guidelines by November. NIST officials this week said they anticipate publishing official draft guidelines in October.  

Tuesday’s plan includes an information flow chart with five "functions" -- factors that affect companies’ vulnerability levels, including the degree to which firms know, prevent, detect, respond, and recover from threats. Each function includes sub-factors such as contingency planning for the recover category. There also is space to enter relevant industry standards and other existing guidelines, which are provided in a separate document released on Tuesday. 

Once a firm fills out the flowchart with applicable information, then there is another chart intended to illustrate the company's current security status.

Each of the five factors is broken down by job position: senior leader, business process manager and operations manager. For the contingency planning subcategory, a senior leader at a company with low-level security might write, for instance, "I'm not sure about redundancy for my critical data," while a firm with a stronger security posture might write, "There is a clear strategic plan in place for the protection of critical data and essential services." An operations manager who works at a firm with low-level security might write, "My organization's critical data is contained in one location." 

On Tuesday, NIST officials said the proposed practices reflect feedback from a request for public comment, along with two East Coast workshops and other industry outreach events. Next week, the institute will host a seminar in San Diego. There will be sessions for attendees to complete practice charts, according to NIST officials.   

Adam Sedgewick, NIST senior IT policy adviser, said in a statement, "we are pleased that many private-sector organizations have put significant time and resources into the framework development process.”

“We believe that both large and small organizations will be able use the final framework to reduce cyber risks to critical infrastructure by aligning and integrating cybersecurity-related policies and plans, functions and investments into their overall risk management,” he added.

The procedures are optional, and are seen as a stopgap measure until Congress can agree on computer security legislation. Many Democrats would like federal law to mandate that the government enforce such cybersecurity controls, while many Republicans object to regulations and would prefer the government offer companies better threat intelligence. Business leaders have said they need more insights into targeted viruses and more information-sharing among industry about computer breaches.

The order allows such communications, but not liability protections for companies that admit to infected systems.

Some critical infrastructure researchers applauded the administration's attempt to align cyber defenses nationwide.

The plan does "include a lot of moving parts, but information security itself is quite complex.  I think the NIST framework will be helpful for critical infrastructure providers to sort out what their current capabilities are, and what they need to do to have a well-thought-out approach to cyber security.  This is definitely a step forward," said Ed Skoudis, founder of Counter Hack Challenges, which constructed "CyberCity," a 3-D model town that agencies and businesses are using to practice securing  water filtration and other critical industry networks.

The original headline of this story incorrectly said NIST was proposing regulations. The guidelines are voluntary. 

(Image via dencg/

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.