By Shannon Flynn
Mon | May 16, 2022 | 6:35 AM PDT

The National Institute of Standards and Technology (NIST) is a United States federal agency within the Department of Commerce whose mission is to promote innovation and industrial competitiveness. Among other work, it regularly publishes cybersecurity standards and guidance. Here are some things to know about recent NIST updates.

Addressing attack resilience from an engineer's perspective

In early 2022, NIST released a draft revision of its document "Engineering Trustworthy Secure Systems" (SP 800-160, Volume 1, Revision 1). The revision was prompted in part by Executive Order 14028, President Joe Biden's order on improving the federal government's defenses against cyberattacks. One of the primary changes to the roughly 200-page document is a stronger emphasis on security assurance: engineers are advised to collect and evaluate evidence, generated throughout the system life cycle, that shows a system is sufficiently protected against data loss and intrusions, rather than relying on assertions that it is.

Ron Ross is a NIST Fellow and one of the authors of the updated document. He explained, "Evidence generated during the system life cycle is essential to building assurance cases for systems being deployed in the critical infrastructure. Assurance cases can turn security into something that is concrete, measurable and shareable. Building and delivering assurance is the way to drive the culture of security."

A risk assessment can take various forms, but it typically means identifying the physical and digital risks that could threaten or interfere with operations. The updated guidelines advocate that kind of all-encompassing examination as well. They recommend that engineers take a holistic, systems-level approach to security: know every asset the system depends on, understand how adversaries might attack each of them, and build protections and evidence of their effectiveness into the design rather than bolting them on afterward.

Updating the Secure Software Development Framework

In February 2022, NIST published version 1.1 of its "Secure Software Development Framework (SSDF): Recommendations for Mitigating the Risk of Software Vulnerabilities" (SP 800-218). This version replaces the whitepaper released in April 2020 that first defined the SSDF, and it was shaped by a public workshop and written public input. It also includes a change log so readers can quickly find out what is new.

The SSDF addresses the reality that software development life cycle (SDLC) models rarely cover security in depth. It fills that gap with a core set of high-level secure development practices, grouped into preparing the organization, protecting the software, producing well-secured software, and responding to vulnerabilities, that can be integrated into any SDLC regardless of the development methodology in use.

NIST representatives believe if development teams apply the Secure Software Development Framework recommendations to their projects, they will reduce the total number of software vulnerabilities. They will also minimize their impact and address the root causes of problems, reducing the chances that similar issues occur again.

Revising a supply chain security document

NIST also published, in May 2022, a revised version of "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations" (SP 800-161, Revision 1). This work, too, was partly in response to Executive Order 14028. The document describes how organizations should identify, assess, and respond to cybersecurity risks at all levels of the supply chain, from individual components and suppliers up to the enterprise. Its development took a few years and included two public drafts before the final revision was released.

Jon Boyens, one of the document's authors, said, "Managing the cybersecurity of the supply chain is a need that is here to stay. If your agency or organization hasn't started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately."

Boyens also discussed how an attack on one supply chain entity could have ripple effects on others. He explained, "A manufacturer might experience a supply disruption for critical manufacturing components due to a ransomware attack at one of its suppliers, or a retail chain might experience a data breach because the company that maintains its air conditioning systems has access to the store's data-sharing portal."

Trevor Dearing, EMEA Director of Critical Infrastructure at Illumio, commented on NIST's supply chain guidance. "It is encouraging to see NIST releasing updated guidance acknowledging the increase in cyberattacks targeting the supply chain and the consequent necessity to bolster the supply chain's cybersecurity," he said.

Dearing continued, "We can no longer turn a blind eye to the exponential increase in attacks on the IT systems of manufacturers, logistics companies and organizations that ultimately target the operational part of the business. The truth is, threat actors have realized they can increase efficiency and profitability by compromising a single product, knowing it will have impact[s] downstream on companies who use it."

Companies can apply the NIST guidance

These are not the only NIST updates company leaders should be aware of, but they are among the most recent and relevant. The organization makes these documents and others freely available on its website, so they're accessible to any company that wants to apply the guidance to an existing cybersecurity strategy. Many of the documents consist of hundreds of pages, but the thoroughness arguably makes it easier for company leaders to act after learning the recommendations.