Saturday, October 7, 2023

Need A Cybersecurity Ally? NIST Is Right There

Whenever I have talked about doing a Risk Assessment Survey (like in yesterday's blog), I always put in the disclaimer that one should follow a prescribed set of procedures for doing it, meaning a particular framework.  In this regard, I have always strongly advocated the ones set forth by the National Institute of Standards and Technology, better known simply as "NIST".

One of the areas I have written about extensively is the CMMC, which is built on NIST's Special Publications (SPs): its Level 2 requirements are the 110 security requirements of NIST SP 800-171, and Level 3 adds a subset of the enhanced requirements from NIST SP 800-172.

In fact, NIST goes back a long way.  My first interaction with them came when I attended a Biometrics Conference in 2002 in Alexandria, Virginia.  It was quite a well-organized event, with the major vendors coming out and showcasing their products and solutions.

But since then, NIST has taken a very active role in Cybersecurity, publishing standards, metrics, KPIs, best practices, and of course the various frameworks it has established.

The first version of the NIST Cybersecurity Framework (CSF) came out in 2014, although NIST's SP 800-series guidance on computer security goes back much further, to the 1990s.  The ultimate goal of NIST is to help businesses of all kinds and types, as well as government agencies, fortify their lines of defense even more.

Not only do the SPs provide timely guidance, but NIST also publishes a ton of templates that any business owner can use.  They may look confusing at first, but once you start plowing through them, they aren't too bad to figure out.

But the unfortunate part of all of this is that Corporate America still has not adopted the guidance provided by NIST in a timely manner.  Some reasons cited for this include the absence of any penalty for not using it, and the feeling among many business owners that an attestation against a NIST framework is not as relevant as some of the other certifications out there.

The other problem is that NIST itself does not issue certifications of the kind that CompTIA or ISC2 issue to individuals.  What is loosely called a "NIST certification" is really an attestation that an organization has implemented a NIST framework (such as SP 800-53, SP 800-171 or the CSF), normally assessed by a third party, and NIST has never tried to make those attestations as glamorous as the professional certs.  The article linked below explains what that actually means in practice:

 https://www.strikegraph.com/blog/what-is-nist-certification

But although these attestations may not hold the appeal of the professional certs, if your business's main bread and butter is providing services to the government (whether IT Security or Cybersecurity related), the more of them you can show, the better your image will be when it comes time to bid on, and perhaps win, contracts from the Department of Defense (DoD).

Going back to the CMMC, the DoD already requires (under DFARS clause 252.204-7012) that defense contractors and their subcontractors who handle Controlled Unclassified Information implement NIST SP 800-171, and CMMC adds a tiered certification level on top of that requirement.  The levels are defined by the DoD, but the controls behind them are NIST's.

The moral of the story here is that while the private sector may not hold NIST in high regard yet, the Federal Government certainly does.  And if you acknowledge that fact and can demonstrate compliance with NIST's frameworks, you will be golden in the eyes of the government officials who award the contracts.

In fact, many in the private sector are calling for NIST to have certification levels on par with those available under ISO standards, such as ISO 9001 (Quality Management System) and ISO/IEC 27001 (Information Security Management System).  Note that ISO does not certify anyone either; accredited certification bodies audit organizations against the standard and issue the certificate.

People would like NIST not only to offer the equivalent of the above two, but also to certify a business whenever it has adopted and made use of a particular framework.  The only downside is that a business aspiring to such a certification would have to go through a full audit to verify that all of the necessary controls are in place, much like getting an ISO certification.  That is exactly what a CMMC Level 2 assessment by an accredited third-party assessor (a C3PAO) already involves.

My Thoughts On This:

As I was writing this blog, I was quite surprised to learn how NIST is actually situated.  It is not a private entity: NIST is a non-regulatory federal agency within the U.S. Department of Commerce.  Its FIPS standards are mandatory for federal information systems under FISMA, while its guidance is only advisory for the private sector, which explains both why the Federal Government holds it in such high regard and why industry can ignore it without penalty.

But keep in mind also that NIST does not just come out with frameworks.  It also maintains the National Vulnerability Database (NVD), which takes every published CVE and enriches it with CVSS severity scores and affected-product (CPE) data, and it works closely with other agencies (like CISA) and with companies in the private sector to keep that catalog current.  It is a vulnerability catalog, not a library of attack signatures, so it feeds your patch prioritization rather than your IDS.

IMHO, the best way to get started with NIST is to get to know them better.  Here is the link to their website:

https://www.nist.gov/

From there, you can access all of their resources, which are free of charge; the Special Publications themselves are hosted by NIST's Computer Security Resource Center at https://csrc.nist.gov/publications.  To get more detail on the NIST Cybersecurity Framework, see the link below:

https://www.darkreading.com/physical-security/a-guide-to-the-nist-cybersecurity-framework