Having guidelines and frameworks is important when you’re trying to do something important, correctly the first time. Think building plans for a high-rise and the risks of not getting it right. For organizations and nations, that are always under attack, security is highly important and the results of not getting it correct could mean the loss of billions of dollars, or even worse, the end of a nation. Governments at all levels have been giving input to help minimize the risk of using technology and to ensure proper controls and effective responses if an incident did happen.
With that in mind, let’s take a quick look at how we got to the latest guidance from the U.S. federal government. The NBS (National Bureau of Standards) was formed in March 3, 1901. The NBS was in charge of making sure things like a pound weighed the same regardless of when or where it was being measured. Fast forward to when those basic issues were solved and now technology was being used to automate and make governments and organizations much more productive. NBS became NIST (National Institute of Standards and Technology) in 1988.
Fast forward to June 15, 2001 and NIST published Special Publication (SP) 800-27, “Engineering Principles for Information Technology Security”. With home internet becoming widespread and more organizations outsourcing engineering work overseas, IT had to step up their game. The guidance from NIST provided documented concepts and tenants that could be used by all IT organizations. This SP was eventually superseded by SP 800-160 Vol. 1, “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems”.
In 2012, NCCoE (National Cybersecurity Center of Excellence) was formed with the sole purpose to build and publicly share solutions to cybersecurity problems faced by U.S. businesses.
On August 11, 2020, NIST also got on the marketing bandwagon and published Special Publication (SP) 800-207, “Zero Trust Architecture”, to help organizations understand how to get from legacy security and access deployments and start implementing and using solutions based on zero trust concepts and tenants.
In May 2021, an Executive Order from the President of the United States was signed with the following goals:
- Remove Barriers to Threat Information Sharing Between Government and the Private Sector
- Modernize and Implement Stronger Cybersecurity Standards in the Federal Government
- Improve Software Supply Chain Security
- Establish a Cybersecurity Safety Review Board
- Create a Standard Playbook for Responding to Cyber Incidents
- Improve Detection of Cybersecurity Incidents on Federal Government Networks
- Improve Investigative and Remediation Capabilities.
President Biden signed a new National Security Memorandum on July 28, 2021, “Improving Cybersecurity for Critical Infrastructure Control Systems” which directed the Department of Homeland Security (DHS) to work with the Department of Commerce (DOC) in developing cybersecurity performance goals that would drive adoption of effective practices and controls.
Many more publications and memorandums exist, but the above is a bit of history and examples of how seriously the U.S. government is taking government and private sector cybersecurity.
IS NIST GUIDANCE ONLY FOR GOVERNMENT OR FEDERAL ORGANIZATIONS?
No. As we’ve seen numerous times, the public and private sectors are intertwined. The private sector is creating technology that is regularly used by the public sector. Attackers look for opportunities with the lowest “costs of attack” and often that is going after smaller organizations that sell into federal.
HOW ARE ORGANIZATIONS RESPONDING?
NIST provides very specific guidance and checklists, all freely available online, for data storage and communication. For example, in SP 800-207 Section 1, the tenants of zero trust are defined as the following:
- All data sources and computing services are considered resources
- All communication is secured regardless of network location
- Access to individual enterprise resources is granted on a per-session basis
- Access to resources is determined by dynamic policy – including the observable state of client identity, application/service, and the requesting asset – and may include other behavioral and environmental attributes
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed
- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
Organizations should go line by line and make sure they understand how they have implemented their cybersecurity based on all the tenants outlined by NIST. IT teams need to continuously look for ways to improve their security. As an example, many organizations may find that their legacy VPNs cannot comply with point #4 above since they are likely giving full layer 3 tunnels to everyone regardless of user and device identity. These orgs will have to plan how to migrate from a legacy VPN to a purpose-built Zero Trust Network Access (ZTNA) solution that was designed and created with NIST guidance in mind.
To learn more about how Banyan Security can help you implement the tenants and concepts that will ensure your organization is following many of these NIST SPs visit Banyan Security.