NIST Issues ‘Foundational Profile’ for Secure GPS Use

An executive order instructed the Commerce Department to produce profiles—plural—that sector-specific agencies could use to develop contractual language on the issue. 

The National Institute of Standards and Technology released new guidance based on its cybersecurity framework toward satisfying an executive order on securely using position, navigation and timing services like the Global Positioning System.

“Formally titled Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation and Timing (PNT) Services (NISTIR 8323), the document,” NIST said in a press release Thursday, “is part of NIST’s response to the Feb. 12, 2020, Executive Order 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services.”

The GPS that facilitates popular mapping tools is only one way to use PNT services. The particular arrangement of powerful satellites and clocks that make up the technology also enables split-second financial transactions, microsurgeries and a host of other applications. But it is vulnerable to hackers who can jam or spoof the precise signals it relies on and is shared with other governments, some of which the U.S. considers adversarial.

The executive order instructed the secretary of the Commerce Department, where NIST is housed, to “develop and make available, to at least the appropriate agencies and private sector users, PNT profiles.”

“The PNT profiles,” it said, “will enable the public and private sectors to identify systems, networks, and assets dependent on PNT services; identify appropriate PNT services; detect the disruption and manipulation of PNT services; and manage the associated risks to the systems, networks, and assets dependent on PNT services.”

The profiles were to be ready one year after the order was issued. Sector-specific agencies would then use them to create, within 90 days, language to be included in contracts to improve the secure use of the technology by government vendors. But NIST read the directions differently.

“The Executive Order (EO) directs the Department of Commerce to develop a PNT Profile that will address the four components of responsible use of PNT,” reads the final document NIST released Thursday. “[The profile] is intended to be a foundational set of guidelines. Sector-specific agencies (SSAs) and entities may wish to augment or further develop their own PNT cybersecurity efforts via full or partial implementation of the recommended practices in this document.” 

NIST’s interpretation of the order does fit with what an administration official told Nextgov at the time it was issued: The agency would “take the lead in developing a template for the profiles based on ‘a generic tailoring’ of the agency’s landmark 2014 cybersecurity framework.” 

A NIST spokesperson said the agency has not received any comments suggesting its actions don’t meet its obligations under the executive order and confirmed the agency does not intend to issue any additional profiles.

“NIST has created a ‘foundational Profile’ and it is the only one NIST will create, update and maintain over time,” the spokesperson said. “However, anyone is welcome to create a sector-specific profile using the NIST profile as a foundation.” 

When NIST issued a draft of the foundational guidelines last fall, some commenters flagged that the agency’s profile—based on its 2014 cybersecurity framework—didn’t match up with what the executive order called for. 

The comments came from officials at the Department of Transportation, including Karen Van Dyke, DOT’s director of position, navigation and timing. 

“Terminology consistent with EO 13905 is recommended,” Van Dyke wrote. “In EO 13905, ‘PNT profile means a description of the responsible use of PNT services—aligned to standards, guidelines, and sector-specific requirements—selected for a particular system to address the potential disruption or manipulation of PNT services.’ EO 13905 doesn't mention ‘cybersecurity’ a single time.”