For the first time in eight years, there has been a rewrite of the federal cyber security standards in an effort to address evolving smartphone vulnerabilities and foreign manipulation of the supply chain, among other new threats.
The 457-page government computer security bible, written by the National Institute of Standards and Technology (NIST) officially called “SP (Special Publication) 800-53,” has not undergone a major update since 2005. That was long before the rise of advanced persistent threats.
Agencies are not required to follow all the specifications, but rather choose among the protections that suit their operational environments, such as space in the case of NASA.
Congressional reports indicate foreign adversaries attempted to corrupt the supply chain at some point between agency system design and operation to disrupt or spy on the government. To protect critical computer parts, the compendium recommends sometimes withholding the ultimate purpose of a technology from contractors by “using blind or filtered buys.”
Agencies also should offer incentives to vendors that provide transparency into their processes and security practices, or vet the processes of subcontractors.
NIST broaches the controversial approach to “restrict purchases from specific suppliers or countries,” which U.S. technology firms, even those who have been hacked, say might slow installations.
The new guidelines also cover the challenges of web-based or cloud software, insider threats and privacy controls.
There are considerations specific to employees using personal devices for work, commonly referred to as BYOD, or bring your own device.” Recommended restrictions include using cloud techniques to limit processing and storage activities on actual government systems. NIST also advises agencies consult the Office of the General Counsel regarding legal uncertainties, such as “requirements for conducting forensic analyses during investigations after an incident.”
Government experts from the intelligence, defense and national security communities began promulgating this incarnation of NIST standards in 2009.