Major Changes in Store for NIST Cyber Security Standards

Much like the Universe, cyberspace is ever-expanding and becoming larger and larger. As we use the Internet and other technologies for more and more tasks, we come across new issues and vulnerabilities every day that must be addressed in order to stay safe and secure.

To tackle this, the National Institute of Standards and Technology (NIST) is set to publish new voluntary cyber security standards by Spring 2014. These updates have the potential to affect the entire federal government, chiefly in cloud computing.

Here’s the Scoop

According to an article on FCW.com by Adam Mazmanian, these standards would be for operators of private infrastructure systems such as dams, water supplies, electrical grids, and other systems considered vital for cyber security purposes. The same article states that the standards could affect services used by the federal government, such as the cloud, NIST director Patrick Gallagher said.

These new standards would be part of Special Publication 800-82, Revision 2, and would include all updates developed by NIST and its partners.

But that is putting it simply. On May 15 this year, NIST announced the release of Special Publication 800-82, Revision 1, Guide to Industrial Control Systems (ICS) Security. This publication offers direction for improving security for Industrial Control Systems (ICS), according to the NIST website. This is the first update NIST has published on the topic in nearly a decade.

In addition, NIST recently released several other publications related to cyber security and the federal government. Essentially, these previous publications were developed by NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems due to the increase in frequency and sophistication of cyber-attacks.

Revision 2

Attacks range from cyber espionage to full-blown corruption of businesses and government, and hackers are working every day to bypass and break through firewalls. According to Gallagher, on February 13 of this year, President Barack Obama signed an Executive Order which gave NIST the task of working with the industry to reduce cyber risks to critical infrastructure.

NIST’s goal is to update cyber security standards to prevent an attack. Special Publication 800-82, Revision 2 will contain the major updates such as improvements to Industrial Control Systems threats/vulnerabilities, risk management, and general guidance that will benefit all sectors of critical infrastructure, according the NIST website.

NIST is planning on releasing two drafts for public comment, the first in June 2013 and the second sometime in Winter 2013. According to their website, NIST is hoping to publish Revision 2 in Spring of the following year. NIST will also be holding the third of four “Cyber Security Framework Workshops” in July 2013 to gain feedback during the development of these new standards.

For the Future

On May 21, the House Energy and Commerce committee met to discuss the application of the new cyber security standards, and possible next steps.

The new standards will be voluntary, and NIST is still seeking assistance from the Department of Treasury, the Department of Homeland Security, and NIST’s parent agency the Department of Commerce to develop possible incentives for private companies willing to adopt the new standards.

Currently, the plan is for these new standards to remain voluntary. However, there is talk of possible incentives. According to the FCW article, creating private insurance markets would lessen the risk of loss from a cyber-attack; companies that show more transparency by sharing threat information with the government could receive limitations on liabilities.

Should these incentives not be sufficient enough to persuade companies to adopt these standards, Gallagher says it would be up to the federal government to make the new standards more regulatory.

At the hearing, Rep. Doris Matsui reportedly told FCW that a strong relationship between the private and public sectors is required for creating security standards for cloud information storage.

Cloud computing and storage, Smartphone and mobile technology, and devices using wireless Internet connections are all relatively new technologies growing in popularity at a rapid pace. However, they are highly vulnerable to hackers and other cyber-attacks.

Politics aside, the government has a responsibility to protect the country from attacks of all kinds. As cloud computing and data storage become more and more prevalent in our world, protecting our wealth of data and information becomes critical and absolutely necessary.