Whenever I have talked about doing a Risk Assessment Survey (like in yesterday’s blog), I always put in the disclaimer that one should follow a prescribed set of procedures for doing this, like a particular framework. In this regard, I have always strongly advocated the use of the ones that have been set forth by the National Institute of Standards and Technology, more popularly known simply as “NIST”. One of the areas I have written about extensively is the CMMC, which is actually a derivative of the NIST Special Publication (SP) 800-172.
In fact, NIST goes back a long way. My first interaction with them came when I attended a Biometrics Conference in 2002, in Alexandria, Virginia. It was quite a well-organized event, with the major vendors coming out and showcasing their products and solutions. Since then, NIST has taken a very active role in Cybersecurity, coming up with different standards, metrics, KPIs, best practices, and of course, the various frameworks that it has established.
Their first SP on Cybersecurity came out in 2014. The ultimate goal of NIST is to help businesses of all kinds and types, and even government agencies, fortify their lines of defense even more. Not only do the SPs provide timely guidance, but NIST also has a ton of templates that any business owner can use. They may look confusing at first, but once you start plowing through them, they aren’t too bad to figure out.
But the unfortunate part of all of this is that Corporate America still has not adopted the services provided by NIST in a timely manner. Some reasons cited for this include the lack of penalties for not using them, and the fact that many business owners do not feel that the certifications NIST offers are as relevant as some of the others out there.
But the other problem here is that NIST has not really put in the time to make its certifications as glamorous as those from CompTIA or even (ISC)². They do have some certs, and to see them, follow the link below:
https://www.strikegraph.com/blog/what-is-nist-certification
But although these certs may not hold the same appeal as the others, if your business’s main bread and butter is providing services to the government (whether IT Security or Cybersecurity related), the more you have from NIST, the better your image will be when it comes time to bid on, and perhaps even win, contracts from the Department of Defense (DoD).
Going back to the CMMC, the DoD now even requires defense contractors and their subcontractors to hold some level of certification as laid out by NIST.
The moral of the story here is that while the private sector may not hold NIST in high regard yet, the Federal Government certainly does. And if you can acknowledge that fact and get some of their certs, you will be golden in the eyes of the government officials who award the contracts.
In fact, many in the private sector are calling for NIST to offer certification levels on par with those provided by the ISO, such as ISO 9001 (Quality Management System) and ISO 27001 (Information Security Management System). People would like NIST to not only offer ones like the above two, but also to offer certifications whenever a business has adopted and made use of a particular framework.
The only downside to this is that if a business aspires to get one of these certifications, it will then have to go through a huge audit process to make sure that all of the necessary controls have been put into place, much like getting an ISO certification.
My Thoughts On This:
As I was writing this blog, I was quite surprised that NIST is not actually its own government agency, or even part of one. Rather, it is a private entity all on its own, but it is supported and, as mentioned, highly regarded by the Federal Government.
But keep in mind also that NIST does not just come out with frameworks; it also works closely with other agencies (like CISA) and other companies in the private sector to keep an exhaustive library of all of the known threat vectors and their signature profiles.
IMHO, the best way to get started with NIST is to get to know them better. Here is the link to their website:
From there, you can access all of their resources, which I think are for the most part free. To get more detail on the NIST Cybersecurity Framework, click on the link below:
https://www.darkreading.com/physical-security/a-guide-to-the-nist-cybersecurity-framework