Federal Standards Body Proposes Cyber Protocols for Private Sector


This story was updated to provide a comment from Ed Skoudis. 

The U.S. government has released preliminary guidelines for key industries on how to shield company systems from destructive attacks that could, for example, knock out electricity or halt transportation. 

The voluntary rubric, which was released Tuesday afternoon, homes in on the upper echelon of firms, on the rationale that information technology managers can't bolster security without financial and leadership support from top officials, such as board directors.

In February, President Obama issued an executive order to protect networks running U.S. critical infrastructure that required the National Institute of Standards and Technology to produce final guidelines by November. NIST officials this week said they anticipate publishing official draft guidelines in October.  

Tuesday’s plan includes an information flow chart with five "functions" -- factors that affect companies’ vulnerability levels, including the degree to which firms know, prevent, detect, respond, and recover from threats. Each function includes sub-factors such as contingency planning for the recover category. There also is space to enter relevant industry standards and other existing guidelines, which are provided in a separate document released on Tuesday. 

Once a firm has filled out the flowchart with the applicable information, a second chart is intended to illustrate the company's current security status.

Each of the five factors is broken down by job position: senior leader, business process manager and operations manager. For the contingency planning subcategory, a senior leader at a company with low-level security might write, for instance, "I'm not sure about redundancy for my critical data," while a firm with a stronger security posture might write, "There is a clear strategic plan in place for the protection of critical data and essential services." An operations manager who works at a firm with low-level security might write, "My organization's critical data is contained in one location." 

On Tuesday, NIST officials said the proposed practices reflect feedback from a request for public comment, along with two East Coast workshops and other industry outreach events. Next week, the institute will host a seminar in San Diego. There will be sessions for attendees to complete practice charts, according to NIST officials.   

Adam Sedgewick, NIST senior IT policy adviser, said in a statement, "We are pleased that many private-sector organizations have put significant time and resources into the framework development process."

"We believe that both large and small organizations will be able to use the final framework to reduce cyber risks to critical infrastructure by aligning and integrating cybersecurity-related policies and plans, functions and investments into their overall risk management," he added.

The procedures are optional, and are seen as a stopgap measure until Congress can agree on computer security legislation. Many Democrats would like federal law to mandate that the government enforce such cybersecurity controls, while many Republicans object to regulations and would prefer the government offer companies better threat intelligence. Business leaders have said they need more insights into targeted viruses and more information-sharing among industry about computer breaches.

The order allows such communications, but it does not provide liability protections for companies that admit to having infected systems.

Some critical infrastructure researchers applauded the administration's attempt to align cyber defenses nationwide.

The plan does "include a lot of moving parts, but information security itself is quite complex. I think the NIST framework will be helpful for critical infrastructure providers to sort out what their current capabilities are, and what they need to do to have a well-thought-out approach to cyber security. This is definitely a step forward," said Ed Skoudis, founder of Counter Hack Challenges, which constructed "CyberCity," a 3-D model town that agencies and businesses are using to practice securing water filtration and other critical industry networks.

The original headline of this story incorrectly said NIST was proposing regulations. The guidelines are voluntary. 
