NIST Reworks Cyber Guidelines for the Hacking Era

Maksim Kabakou/Shutterstock.com

The National Institute of Standards and Technology has rewritten federal cybersecurity standards for the first time in nearly a decade to address evolving smartphone vulnerabilities and foreign manipulation of the supply chain, among other new threats.

The 457-page government computer security bible, officially called "SP (Special Publication) 800-53," has not undergone a major update since its inception in 2005. That was long before the rise of advanced persistent threats -- infiltrations that play off human failings to linger in systems until finding sensitive data.

Agencies are not required to follow all the specifications, but rather choose among the protections that suit their operational environments, such as space in the case of NASA. 

Congressional reports indicate that foreign adversaries have attempted to corrupt the supply chain at some point between agency system design and operation to disrupt or spy on the government. To protect critical computer parts, the compendium recommends sometimes withholding the ultimate purpose of a technology from contractors by "using blind or filtered buys."

Agencies also should offer incentives to vendors that provide transparency into their processes and security practices, or vet the processes of subcontractors. 

NIST broaches the controversial approach to "restrict purchases from specific suppliers or countries," which U.S. technology firms, even those who have been hacked, say might slow installations. 

The new guidelines also cover the challenges of web-based or cloud software, insider threats and privacy controls. 

There are considerations specific to employees using personal devices for work, commonly referred to as BYOD, or "bring your own device." Recommended restrictions include using cloud techniques to limit processing and storage activities on actual government systems. NIST also advises that agencies consult the Office of the General Counsel regarding legal uncertainties, such as "requirements for conducting forensic analyses during investigations after an incident."

Government experts from the intelligence, defense and national security communities began promulgating this incarnation of NIST standards in 2009. 
