Rob Housman, Executive Director of the Cyber Secure Institute, released the Institute’s Preliminary Analysis of the National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems and Organizations, which NIST released on August 1, 2009.
The NIST Recommendations are a critical component of the Federal cybersecurity effort. The Recommendations will shape the security approach of all unclassified Federal IT systems.
In addition, how the Recommendations are implemented will have spillover effects on IT security efforts beyond the Federal government, including both the sub-Federal public sector and the private sector. In turn, they will impact a major portion of the Federal IT market, and the larger IT market as a whole.
“Overall, the Institute sees the NIST Recommendations as an important step forward in bringing a more unified, coherent and integrated approach to IT security,” Housman said. “They make important security strides in a number of key areas.
“However, they also raise a number of serious questions. For example:
- “The Baseline Controls provide protections against ‘highly skilled, highly motivated, and well resourced’ threats only for systems designated High Impact. However, the definitional aspects of High Impact systems do not apply to vast numbers of Federal IT systems that could have major impacts on the nation and individual Americans if breached. For example, the e-Health systems now being pushed by the Obama Administration would seem to fall in the Moderate category. However, the threat to so-called Low and Moderate Impact systems comes from sophisticated actors, like the Chinese military and organized crime. Nevertheless, the NIST recommendations only require these systems to be secure against unsophisticated threats—the proverbial teenage vanity hacker hacking away in the basement.
- “The Recommendations do not provide a mechanism for certifying or validating that specific IT systems meet the NIST requirements that they are being deployed to fulfill.
- “The Recommendations on their face seem to adopt the current hack-and-patch approach to cybersecurity. They do not explicitly require that IT systems be actually secure against the real-world threats we face.
- “The Recommendations do not seize the opportunity to put in place a mechanism, such as a ‘Best Available Cybersecurity Technology’ requirement, that would have driven technological innovation and real cybersecurity,” Housman added.
“All in all, the NIST Recommendations are a major step forward but they fail to fully seize the opportunity to advance President Obama’s Cybersecurity agenda,” Housman said in closing.