NIST Updates Cyber Resiliency Guide to Account for Increasingly Sophisticated Threats


Public feedback on the more than 200-page document will be considered in the near future.

In a draft update to its flagship cyber resiliency publication released Thursday, experts from the National Institute of Standards and Technology offer a next-generation strategy for protecting critical information technology systems from the inside out.

The new, 264-page document—titled, “Draft NIST Special Publication 800-160, Volume 2, Revision 1, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach”—shifts away from typical, perimeter-based defense mechanisms. It provides insights and resources to help entities prepare for now seemingly inevitable ransomware attacks and other cyber threats. 

Those interested in offering comments and feedback on the guidance may do so between now and Sept. 20.

“Our customers are federal agencies, state and local governments, and private sector companies—both U.S.-based and overseas. Our customers come from all over the world and they will look at the draft document, and they will go through it with a fine-tooth comb,” Ron Ross, a NIST fellow and co-author of the draft, told Nextgov in an interview Thursday. “We put it out there and we get comments back within a 45-day period. Then, we take every one of those comments and we analyze them and we make improvements based on our customer feedback. The next publication of this document is going to be the final publication because the material is so important and we want to get it finalized as soon as we possibly can.”

Ross has worked in cybersecurity for more than 30 years. He’s been with NIST since 1997 and served more than 20 years in the Army prior to that. Currently, he operates within NIST’s Information Technology Laboratory. 

“I think public service has been almost a half-a-century for me,” he noted, “but I just love what I do.” 

And it shows. Ross underwent a full hip replacement a couple of weeks ago—right as this draft was coming to completion. He got home from the hospital knowing “this stuff had to move,” so he worked virtually from his recliner to help his small team see it through to an on-time publication. 

“I just turned 70 in March of this year and I could have been retired a long time ago—but I'm not going anywhere because I'm having fun,” he said. “And the mission couldn't be more important.”

This guidance is intended to be used in conjunction with previously released NIST publications associated with system life cycles and cybersecurity and as a supplement to an international standard. It serves as a “catalog or handbook,” officials note in the draft, to help organizations pinpoint cyber resilience outcomes drawn from a perspective that combines risk management and life cycle processes. They offer certain constructs—objectives, techniques, approaches, and design principles—which entities can adapt and apply to their new or existing environments. 

Ross and the other authors, from NIST and the not-for-profit organization MITRE, define cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Safeguards are engineered into these systems rather than bolted on around them.

In the draft, the officials argue that such an approach is necessary for cyber-contested landscapes, such as those with advanced persistent threats. “Therefore, any discussion of cyber resiliency is predicated on the assumption that adversaries will breach defenses and that, whether via breaches or via supply chain attacks, adversaries will establish a long-term presence in organizational systems,” they wrote, adding that “the assumption of a sophisticated, well-resourced, and persistent adversary whose presence in systems can go undetected for extended periods is a key differentiator between cyber resiliency and other aspects of trustworthiness.”

Ross enjoys using analogies to help make sense of cybersecurity’s many complexities. The draft includes such a comparison to the human body, but to put this concept further into perspective, he offered another analogy about protecting a person’s home.

“In the past, if you can imagine, what we've tried to do is kind of like your house—you have a lock on the front door, maybe a deadbolt, maybe bars on windows—but you try to keep the bad guys out of your house,” he explained. Still, those external defenses may not always be strong enough to withstand such threats, particularly as they advance in sophistication. Once inside, the bad actors could target valuables like jewelry or coin collections, Ross said. 

“For this next generation of our defenses, we're still going to try to stop them—but what we're going to do in addition to that is bring in some additional things that can help limit the damage they can do once inside. And so, with the analogy of the house, let's say that the bad guys get in your front door. Now every room inside has either a vault or a safe,” he explained. “When we talk about cyber resiliency, we're talking about the ability to withstand and anticipate and absorb an attack, and have that system continue to operate, even if it's not in a perfect state.”

Ross also elaborated on several notable changes in the revamped document.

It includes updates to the controls that support cyber resiliency to ensure they are consistent with NIST SP 800-53, Revision 5, the catalog of Security and Privacy Controls for Information Systems and Organizations. That document is one of NIST’s most downloaded publications, he noted, and this framework needed to reflect the changes that came with its update last year.

Further, this latest resiliency draft standardizes on a single threat taxonomy, which is essentially a classification system for various types of cyber threats: MITRE’s Adversarial Tactics, Techniques, and Common Knowledge, or ATT&CK, framework. The authors also provide a comprehensive mapping and analysis of cyber resiliency implementation approaches and supporting NIST controls to the ATT&CK techniques.

“An adversary has a specific set of tasks they have to go through in order to be successful and the ATT&CK framework tries to break all of those elements down,” Ross explained. “There are massive numbers of tables that try to break down every type of adversarial tactic and technique. And then we try to propose the defenses that would be good for countering those particular techniques—so if the adversary does this, here's what we're going to do to try to counteract that.”

NIST is set to distribute DevSecOps guidance and a major overhaul to its flagship systems security engineering publication later this year.

Ross said he hopes those, along with this draft, leave the public with a sense of optimism. 

“A lot of times when we're faced with these ongoing destructive cyberattacks, and we see the ransomware attacks, and we see the pipeline that got hit, and we see all the different tech companies and all that—it can get a little disheartening. The adversaries can wear you down. But you’ve got to be optimistic, and we have a tremendous number of tools and techniques now that are coming out from the NIST inventory,” he noted. “We can't just throw our hands up and say ‘we surrender.’ We are going to take those systems, and we're going to make them more cyber resilient so we can make the adversaries’ lives miserable.”
