Security :: NIST
Cybersecurity Framework
"Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President under the Executive Order “Improving Critical Infrastructure Cybersecurity” has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Framework will consist of standards, guidelines, and best practices to promote the protection of information and information systems supporting critical infrastructure operations. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties."
NIST Developing a Framework To Improve Critical Infrastructure Cybersecurity
The National Institute of Standards and Technology (NIST) is conducting a comprehensive review to develop a framework to reduce cyber risks to critical infrastructure (the “Cybersecurity Framework” or “Framework”). The Framework will consist of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
For the purposes of this RFI the term “critical infrastructure” has the meaning given the term in 42 U.S.C. 5195c(e), “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
This RFI requests information to help identify, refine, and guide the many interrelated considerations, challenges, and efforts needed to develop the Framework. In developing the Cybersecurity Framework, NIST will consult with the Secretary of Homeland Security, the National Security Agency, Sector-Specific Agencies and other interested agencies including the Office of Management and Budget, owners and operators of critical infrastructure, and other stakeholders including other relevant agencies, independent regulatory agencies, State, local, territorial and tribal governments. The Framework will be developed through an open public review and comment process that will include workshops and other opportunities to provide input.
NIST Notice of Inquiry: Models for a Governance Structure for the National Strategy for Trusted Identities in Cyberspace (NSTIC)
SUMMARY: The Department of Commerce (Department) is conducting a comprehensive review of governance models for a governance body to administer the processes for policy and standards adoption for the Identity Ecosystem Framework in accordance with the National Strategy for Trusted Identities in Cyberspace (NSTIC or "Strategy"). The Strategy refers to this governance body as the "steering group." The Department seeks public comment from all stakeholders, including the commercial, academic and civil society sectors, and consumer and privacy advocates on potential models, in the form of recommendations and key assumptions in the formation and structure of the steering group. The Department seeks to learn and understand approaches for: 1) the structure and functions of a persistent and sustainable private sector-led steering group and 2) the initial establishment of the steering group. This Notice specifically seeks comment on the structures and processes for Identity Ecosystem governance. This Notice does not solicit comments or advice on the policies that will be chosen by the steering group or specific issues such as accreditation or trustmark schemes, which will be considered by the steering group at a later date. Responses to this Notice will serve only as input for a Departmental report of government recommendations for establishing the NSTIC steering group.
Federal Information Security Management Act (FISMA)
Derived From: NIST Federal Information Security Management Act Implementation Project: Background
"The E-Government Act (Public Law 107-347) passed by the 107th Congress and signed into law by the President in December 2002 recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
"An effective information security program should include:
- Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization
- Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each organizational information system
- Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate
- Security awareness training to inform personnel (including contractors [See Cloud] and other users of information systems that support the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks
- Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually
- A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization
- Procedures for detecting, reporting, and responding to security incidents
- Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization.
"FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security. In support of and reinforcing this legislation, the Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires executive agencies within the federal government to:
- Plan for security
- Ensure that appropriate officials are assigned security responsibility
- Periodically review the security controls in their information systems
- Authorize system processing prior to operations and, periodically, thereafter
"These management responsibilities presume that responsible agency officials understand the risks and other factors that could adversely affect their missions. Moreover, these officials must understand the current status of their security programs and the security controls planned or in place to protect their information and information systems in order to make informed judgments and investments that appropriately mitigate risk to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the agency and to accomplish the agency's stated missions with adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. As a key element of the FISMA Implementation Project, NIST also developed an integrated Risk Management Framework which effectively brings together all of the FISMA-related security standards and guidance to promote the development of comprehensive and balanced information security programs by agencies."
National Initiative for Cybersecurity Education
"The National Initiative for Cybersecurity Education (NICE) has evolved from the Comprehensive National Cybersecurity Initiative, and extends its scope beyond the federal workplace to include civilians and students in kindergarten through post-graduate school. The goal of NICE is to establish an operational, sustainable and continually improving cybersecurity education program for the nation to use sound cyber practices that will enhance the nation's security.
The National Institute of Standards and Technology (NIST) is leading the NICE initiative to ensure coordination, cooperation, focus, public engagement, technology transfer and sustainability. Many NICE activities are already underway and NIST will highlight these activities, engage various stakeholder groups and create forums for sharing information and leveraging best practices. NIST will also be looking for "gaps" in the initiative -- areas of the overarching mission that are not addressed by ongoing activities."
Requests for Comments
- NIST Releases Draft NIST Interagency Report (NISTIR) 8170, The Cybersecurity Framework: Implementation Guidance for Federal Agencies, for public comment. May 17, 2017
- Apr. 21, 2016 SP 800-150 DRAFT Guide to Cyber Threat Information Sharing (Second Draft)
- December 11, 2015, third request for information (RFI), Views on the Framework for Improving Critical Infrastructure Cybersecurity; RFI responses; the RFI analysis.
- United States Department of Commerce, National Institute of Standards and Technology, NIST Special Publication 800-144, Draft - Guidelines on Security and Privacy in Public Cloud Computing, January 2011
- NIST NICE Cybersecurity Workforce Framework Comments Due 12/16/2011
- United States Department of Commerce, National Institute of Standards and Technology, NIST Special Publication 800-39, Final Public Draft - Integrated Enterprise-Wide Risk Management - Organization, Mission, and Information System View, March 2011
- United States Department of Commerce, National Institute of Standards and Technology, NIST Special Publication 800-37, Revision 1 - Guide for Applying the Risk Management Framework to Federal Information Systems - A Security Life Cycle Approach, February 2010
- United States Department of Commerce, National Institute of Standards and Technology, NIST Special Publication 800-53, Revision 3 - Recommended Security Controls for Federal Information Systems and Organizations, May 2010
- United States Department of Commerce, National Institute of Standards and Technology, NIST Special Publication 800-53A, Revision 1 - Guide for Assessing the Security Controls in Federal Information Systems and Organizations, June 2010
- Revision of SP 800-53 Addresses Current Cybersecurity Threats, Adds Privacy Controls From NIST Tech Beat: February 28, 201: "A major revision of a Federal Information Security Management Act (FISMA) publication released today by the National Institute of Standards and Technology (NIST) adds guidance for combating new information security threats and incorporates new privacy controls to the framework that federal agencies use to protect their information and information systems." The public draft of Security and Privacy Controls for Federal Information Systems and Organizations, Special Publication (SP) 800-53, Revision 4 may be found at http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-Rev.%204. Comments on SP 800-53, Revision 4 are requested by April 6, 2012. Email should be sent to sec-cert@nist.gov.
- United States Department of Commerce, National Institute of Standards and Technology, Standards for Security Categorization of Federal Information and Information Systems, FIPS Pub 199, February 2004
- United States Department of Commerce, National Institute of Standards and Technology, Minimum Security Requirements for Federal Information and Information Systems, FIPS Pub 200 , March 2006
- Draft Special Publication 800-82, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security 2006
- Draft Special Publication 800-54, Border Gateway Protocol Security Sept 2006
- Draft NIST Special Publication 800-40 Version 2, Creating a Patch and Vulnerability Management Program, NIST 8/12/2005
- Draft NIST Special Publication 800-84, Guide to Single-Organization IT Exercises, NIST 8/12/2005
- Draft NIST Special Publication 800-83, Guide to Malware Incident Prevention and Handling, NIST 8/12/2005
- National Vulnerability Database, NIST 8/5/2005
- Computer Security Incident Handling Guide, NIST 1/23/2004
National Cybersecurity Center of Excellence
"a collaborative environment where engineers, from across public and private organizations, can come together to demonstrate secure platforms, built on commercially available technology, for the purpose of increasing the rate of adoption of secure technologies. Although the focus of the NCCoE is currently broader than critical infrastructure, it provides a useful model for other research cooperatives. Particularly, the NCCoE provides a good example of balancing both industry and government desires by establishing use cases based on the security needs of businesses, and demonstrating that the solution also satisfies government cybersecurity guidance. By participating in this collaborative process, backed by the NCCoE, critical infrastructure institutions can establish a basis for trust-based cybersecurity responsibility, a potential market differentiator. NCCoE staff are already committed to working in the Framework process, in helping to identify areas where collaboration can begin."
Laws
- Federal Information Security Management Act (FISMA)
- The National Technology Transfer and Advancement Act of 1995
News