Food for Thought: How the NIST Cybersecurity Framework Affects Government

FedTech Magazine gives us a detailed look at the National Institute of Standards and Technology (NIST) cybersecurity framework and how it affects government.

According to the article, “research by Lloyds of London insurer Aegis London warns of a shift in the cyberthreat landscape, away from typical data breaches to attacks on the operational systems that support global critical infrastructure.”

Two high-profile incidents from 2012 highlight the issue. One was a cyber attack from the Middle East on major U.S. banks and the other was the wiping of 30,000 hard drives at Saudi Aramco, an oil and gas firm.

“Our sense is that these incidents are increasing in number,” Andy Ozment, assistant secretary of the Office of Cybersecurity and Communications at the Department of Homeland Security (DHS), told FedTech.

“As infrastructure operators pay more attention and work with our teams, they’re discovering there have been bad guys on their networks already, often for a very long time,” said Ozment.

After attempts were made to pass legislation addressing this threat, President Obama issued an executive order directing NIST to create a “voluntary, risk-based cybersecurity framework of industry standards and best practices to help critical infrastructure-related organizations address their cybersecurity risks.” This resulted in NIST’s Framework for Improving Critical Infrastructure Cybersecurity.

“The framework is meant to be a tool for using an organization’s business drivers to guide cybersecurity activities as part of an overall enterprise risk management strategy,” Kevin Stine, manager of NIST’s Security Outreach and Integration Group, told FedTech.

As the article tells us, “the framework covers 16 infrastructure sectors – including public health, transportation, finance, communications, energy and manufacturing – with different needs. Its broad scope has received varying reviews, but there’s little question the framework will have an impact on the way federal agencies address cybersecurity issues, whether across their own infrastructures or those industries with which they interface.”

However, according to the article, government officials are only now beginning to examine how it will coexist with other cybersecurity controls and standards that agencies must follow.

“The federal government is in the process of identifying the best approach to aligning the existing cybersecurity approach with the NIST framework,” White House spokeswoman Laura Lucas Magnuson told FedTech.

The article tells us that NIST suggests four ways an organization could use the framework:

  • To conduct a basic review of cybersecurity practices
  • To establish/improve a cybersecurity program
  • To communicate cybersecurity requirements to stakeholders
  • To identify new or revised references for solutions

According to FedTech, “analysts say the framework is a useful tool for any agency or organization that needs a systematic strategy for addressing risks, both internally and with partners.” That usefulness comes from the framework’s broad focus.

Stine agrees. He told FedTech, “Just about any organization can see itself in the framework and use it to identify areas in which it can improve its cybersecurity efforts to better manage those risks.”

Certain state governments, including Pennsylvania and Virginia, have already discussed plans to adopt the NIST framework.

Jeff Greene, former senior counsel to the Senate Homeland Security and Governmental Affairs Committee and current senior policy counsel for Symantec, shared his thoughts with FedTech.

“I think we’ll see wide adoption because it has the NIST seal of approval and the process had so much engagement that critical infrastructure participants feel a sense of ownership and investment. We’ve even been using it as a lens to examine everything we do. Smaller organizations will find it invaluable for their own security strategies.”

To conclude, FedTech tells us “the goal is for the public and private sectors to adopt a similar, agreed-upon approach to cybersecurity. And agencies will play an important role in making it happen.”


For a more in-depth read, we encourage you to take a look at the original FedTech article: