Organizations large and small across a range of industries can benefit from strengthening the resilience of their critical infrastructure through cybersecurity activities as part of their overall risk management plan. Not only does this protect their own financial and other business interests, but also contributes to the overall strength and reliability of the economy, public safety, and national security in the United States.

What are NIST standards?

The National Institute of Standards and Technology, a division within the U.S. Department of Commerce that promotes innovation and industrial competitiveness, recommends a set of vital cybersecurity standards for information systems, in addition to developing Federal Information Processing Standards (FIPS).

Standards, guidance documents, and recommendations from the NIST provide a useful security framework for federal agencies, as well as any organizations they contract with that handle controlled unclassified information (CUI). The NIST is taking steps to clarify standards as individuals and groups become increasingly overwhelmed by the complex and ever-changing landscape of cybersecurity.

Current standards can be found in NIST Special Publication 800-171, a document titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” that lists more than 100 requirements designed to protect confidentiality across a range of industries. The requirements, according to NIST.gov, apply “to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components.”

What is an example of an NIST standard?

One NIST standard that has been widely adopted, although it is voluntary, is the Framework for Improving Critical Infrastructure Cybersecurity—better known as the Cybersecurity Framework (www.nist.gov/cyberframework). The framework, which has undergone a couple revisions throughout the past few years, provides a set of guidelines, standards and best practices that all are aimed at helping organizations reduce risk and better manage their cybersecurity.

The framework helps guide agencies and companies in assessing their current cybersecurity activities and overall cybersecurity posture; aligning those activities to capitalize on their unique resources, business requirements, and risk tolerances; choosing which approach to take in managing cybersecurity risk; and setting goals and milestones for their target state of cybersecurity.

According to the most recent version of the Cybersecurity Framework, issued in April 2018, it does not simply give “a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure.” Because different organizations face a variety of threats and vulnerabilities, their approach to cybersecurity often differs. The NIST framework is designed to help these varying organizations customize the best practices they are able and willing to adopt to secure their critical infrastructure.

What are the benefits of compliance?

Agencies are able to select the practices and standards that best fit their business model and preferred approach to risk management. Particularly in the Washington, D.C., area, where many organizations contract with the U.S. Department of Defense (DoD), General Services Administration (GSA), or other federal agencies, NIST compliance is crucial. In fact, all DoD contractors that transmit, process, or store CUI are expected to meet the Defense Federal Acquisition Regulation Supplement (DFARS), which are minimum security standards used to safeguard information systems that host sensitive data. Otherwise, those organizations risk losing their DoD contracts. DFARS rules and clauses for cybersecurity can be found here.

Organizations at both the contractor and subcontractor level that should be in compliance with NIST standards include but are not limited to:

  • Government staffing firms
  • Procurement services companies
  • Manufacturers that sell to the government
  • Manufacturers that sell to government suppliers
  • Higher learning institutions, such as universities
  • Research institutions
  • Consulting companies
  • Service providers

The NIST’s goal is to help businesses and organizations secure information that is sensitive but not classified. The benefits of implementing best practices recommend by the NIST include:

  • Protecting critical infrastructure and information from both insider threats and general human negligence
  • Protecting critical infrastructure from cybersecurity fatigue, or the growing weariness online users are experiencing as a result of relentless cybersecurity warnings
  • Distributing sensitive material to the correct recipients properly and safely
  • Helping IT teams deal with new sources of risk, malware types, and attack vectors
  • Laying the foundational protocol to ensure organizations meet the requirements of other regulations, such as the Federal Information Management Act (FISMA), the Sarbanes-Oxley Act of 2002 (SOX), and the Health Insurance Portability and Accountability Act of 1996 (HIPPA)

How long does the process take?

For better or worse, NIST compliance is an ongoing, repeat process that includes continuously assessing an organization’s state of cybersecurity, determining what improvements could be made, and selecting which new practices should be implemented as part of the organization’s overall risk management strategy. Also, as organizations make new hires or incorporate new information systems, they must take steps to ensure infrastructure and personnel continue to be in compliance when brought online. Finally, organizations must enforce their policies throughout their business infrastructure.

The importance of NIST compliance consulting

While NIST compliance and cybersecurity in general can seem daunting for some organizations, technology consultants are designed to help them evaluate their compliance with control requirements and select the NIST practices that are required, recommended, and/or which fit their specific needs. Washington, D.C.-based Intelice provides NIST compliance consulting services to organizations throughout the metro area, Maryland, and Virginia that assists them in becoming more educated about NIST standards and progressively achieving NIST compliance.