Federal Standards Body Proposes Cyber Protocols for Private Sector


This story was updated to provide a comment from Ed Skoudis. 

The U.S. government has released preliminary guidelines for key industries on how to shield company systems from destructive attacks that could, for example, knock out electricity or halt transportation. 

The voluntary rubric, which was released Tuesday afternoon, homes in on the upper echelon of firms, on the rationale that information technology managers cannot bolster security without financial and leadership support from top officials, such as board directors.

In February, President Obama issued an executive order to protect networks running U.S. critical infrastructure that required the National Institute of Standards and Technology to produce final guidelines by November. NIST officials this week said they anticipate publishing official draft guidelines in October.  

Tuesday's plan includes an information flow chart with five "functions," factors that affect companies' vulnerability levels: the degree to which firms know, prevent, detect, respond to, and recover from threats. Each function includes sub-factors, such as contingency planning under the recover category. There is also space to enter relevant industry standards and other existing guidelines, which are provided in a separate document released on Tuesday.

Once a firm fills out the flowchart with the applicable information, a second chart is intended to illustrate the company's current security status.

Each of the five factors is broken down by job position: senior leader, business process manager and operations manager. For the contingency planning subcategory, a senior leader at a company with low-level security might write, for instance, "I'm not sure about redundancy for my critical data," while a firm with a stronger security posture might write, "There is a clear strategic plan in place for the protection of critical data and essential services." An operations manager who works at a firm with low-level security might write, "My organization's critical data is contained in one location." 

On Tuesday, NIST officials said the proposed practices reflect feedback from a request for public comment, along with two East Coast workshops and other industry outreach events. Next week, the institute will host a seminar in San Diego. There will be sessions for attendees to complete practice charts, according to NIST officials.   

Adam Sedgewick, NIST senior IT policy adviser, said in a statement, "We are pleased that many private-sector organizations have put significant time and resources into the framework development process."

"We believe that both large and small organizations will be able to use the final framework to reduce cyber risks to critical infrastructure by aligning and integrating cybersecurity-related policies and plans, functions and investments into their overall risk management," he added.

The procedures are optional and are seen as a stopgap measure until Congress can agree on computer security legislation. Many Democrats would like federal law to mandate that the government enforce such cybersecurity controls, while many Republicans object to regulations and would prefer that the government offer companies better threat intelligence. Business leaders have said they need more insight into targeted viruses and more information-sharing among industry about computer breaches.

The order allows such communications, but it does not provide liability protections for companies that admit to infected systems.

Some critical infrastructure researchers applauded the administration's attempt to align cyber defenses nationwide.

The plan does "include a lot of moving parts, but information security itself is quite complex. I think the NIST framework will be helpful for critical infrastructure providers to sort out what their current capabilities are, and what they need to do to have a well-thought-out approach to cyber security. This is definitely a step forward," said Ed Skoudis, founder of Counter Hack Challenges, which constructed "CyberCity," a 3-D model town that agencies and businesses are using to practice securing water filtration and other critical industry networks.

The original headline of this story incorrectly said NIST was proposing regulations. The guidelines are voluntary. 
