Federal Cyber-Security

NIST (National Institute of Standards and Technology) has provided Federal Agencies with all the tools they need to get cyber-security done right. But obviously, it’s not being done right yet at most agencies. Why not?

  • Failure to understand the threat level – this was certainly once the top problem. It is probably less so now, with all the news about cyber incidents and all the federal reporting requirements, but a lot of folks still don’t understand how valuable their data is to criminals, or how valuable a launching point inside a federal agency is to an attacker.
  • Failure to understand the threat nature – most cyber defenders still seem to think that the big firewalls are the front line of defense. In fact, the front line has shifted to web applications and to exploits that bypass those perimeter defenses. Most casually defended agencies need to assume that their network was compromised years ago, and they should be looking to clean out the infestations INSIDE the perimeter that the intruders are trying to keep concealed.
  • Failure to understand the tools NIST has supplied – EVERYTHING you need to do good cyber security is found in the NIST SP 800 series documents. All you have to do is read them and understand them. Unfortunately, most federal agencies seem to focus on compliance with Certification and Authorization (C&A) exercises, which are often more paper exercises than real tests of risk management.

NIST explains how to:

  • Understand risk and assess it
    • NIST SP 800-30 “Risk Management Guide for Information Technology Systems”
    • NIST SP 800-39 “Managing Risk from Information Systems”
  • Plan security controls to mitigate risk
    • NIST SP 800-53 “Recommended Security Controls for Federal Information Systems and Organizations”
  • Get your system Authorized (C&A) without breaking the bank or wasting time on a paper chase
    • NIST SP 800-37 “Guide for Security Authorization of Federal Information Systems”
    • NIST SP 800-53A “Guide for Assessing the Security Controls in Federal Information Systems”
  • Monitor the system and keep things safe
    • NIST SP 800-115 “Technical Guide to Information Security Testing and Assessment”
    • NIST SP 800-40 “Creating a Patch and Vulnerability Management Program”
    • NIST SP 800-61 “Computer Security Incident Handling Guide”
    • NIST SP 800-92 “Guide to Computer Security Log Management”
    • NIST SP 800-94 “Guide to Intrusion Detection and Prevention Systems”
  • There is much, much more. Everything is here. All that is needed is to put the pieces together and make them work for your organization, and NIST explains how to do that too.

    SEE ALSO: NIST SP 800 series documents
