NIST Framework Could Go From Voluntary to Required in Cyber EO


The latest iteration of President Donald Trump’s executive order on cybersecurity will probably require Federal agencies to use the National Institute of Standards and Technology’s framework, according to Ron Ross, a fellow at NIST.

Published in 2014, NIST’s Framework for Improving Critical Infrastructure Cybersecurity was designed as a voluntary set of guidelines to help organizations, chiefly critical infrastructure owners and operators, manage cybersecurity risk. Under the new executive order, however, it may no longer be voluntary for Federal agencies.

“We expect there to be a requirement for the Federal government to use the framework,” Ross said. “We’re up against sophisticated adversaries. They’re bad dudes trying to do great harm to us. Most of the nasty ones are ones you’ll never find.”


Ross, who spoke at MeriTalk’s webinar titled Conquer (Un)Predictable Intelligence on May 2, said NIST’s security guidelines need to be as accessible to Federal agencies as they are to private sector companies. NIST has issued several Special Publications on security matters, including SP 800-160, Systems Security Engineering, which was released in November 2016 and focuses on engineering considerations for building a secure system.

Subsequent Special Publications will incorporate material from the cybersecurity framework, Ross said.

“800-160 is really an important document to help everybody—customers and industry—build more trustworthy systems. All of our risk-based publications in 2017 and early into 2018 are going to be revised to incorporate material from the cybersecurity framework,” Ross said. “We’re going to infuse content from cyber framework into those activities. In the end, we’re trying to bring everybody closer together.”

In addition to giving agencies ways to improve their internal cybersecurity postures, Special Publications such as 800-160 also facilitate collaboration between agencies and companies, Ross said.

Federal and private sector cooperation was a major theme among the experts at the webinar, which MeriTalk ran in tandem with Pure Storage, a vendor of flash storage arrays. Nick Psaki, principal systems engineer at Pure Storage, said two of the company’s recent products are FlashArray, which is used for structured data such as databases, and FlashBlade, which is used for unstructured data.

David Rubal, chief technologist for data and analytics and principal data scientist at DLT Solutions, said that Federal agencies specializing in financial matters have done an exemplary job of working with financial companies. These partnerships are valuable, he said, because agencies and companies often face the same problems.

“The analytics journey for everyone really comes down to key and close partnership between government and commercial enterprises,” Rubal said. “When you look at the problem set, it’s a common problem set. It’s not just a Federal issue. It’s a problem set that expands markets, industries, and verticals.”

Ross stressed the importance of Federal agencies partnering with companies on work that is less visible than patching systems and inventorying components. Agencies, he said, need to address the “world below the waterline that you’ll never see.”

“We’ve been doing a lot of great things. You have to be able to work in both lanes,” Ross said. “Everything we do above the waterline is important, but if we don’t succeed below the waterline, we’ll never be able to solve all of these problems. If we don’t have industry support and we are not good consumers in requiring things below the waterline, then all that work on the top won’t be that useful.”
