The following guest post was written by Matt Kelly, Editor + CEO of Radical Compliance.
Time to Get Your NIST On
Rarely do I read a piece of internal control guidance thick enough to use as a doorstop and think, “Thank the lord that’s clear” — but with the NIST guidance for cybersecurity controls, that was my reaction. Seriously.
Don’t get me wrong: implementing the controls for NIST 800-53 or NIST 800-171 will require some work, no doubt. Implementation may even be tedious (and possibly expensive) if your cybersecurity regime has languished in the past. But regardless of the work these roadmaps require, they're still useful for showing you where you need to go.
And what are these standards, exactly? Why are they so important, and why now?
NIST 800-53 is the list of internal controls that U.S. government agencies should implement to comply with FISMA, the law that requires all federal agencies to have effective cybersecurity. NIST 800-171 is a smaller set of internal controls that all businesses working as government contractors should use if they handle “controlled unclassified information” — that is, sensitive government data that isn’t classified.
800-53 has been an ongoing challenge for federal agencies for years; the standard is currently in its fourth version, and a proposed fifth version is out for public comment now. 800-171 has much more urgency: defense contractors must implement the standard by the end of 2017 to comply with DFARS, the regulation that stipulates what internal controls businesses must have to be eligible to bid on Defense Department contracts.
Moreover, even if your organization is implementing NIST simply to work with the government — so what? The NIST standards are powerful tools to manage cybersecurity risk, and that risk is only going upward in the future. So even if you are implementing NIST because it’s an eligibility requirement, the practical upshot is that you’re also bolstering your organization against one of the most potent, pervasive threats facing business today. That’s a good thing, no matter what.
What does strike me as challenging is the prep work necessary before implementing these NIST standards. Few organizations are likely to need every control in either 800-53 or 800-171. You only need to implement the controls that are necessary for your risk profile, which depends on the operations you have and the laws and regulations that apply to you.
The most daunting part, really, is outlined on page 31 of the 462-page standard for NIST 800-53. That page diagrams the ideal cycle of cybersecurity risk management, and it starts with “Step 1: categorize information systems.” To the side is a list of “organizational inputs” including laws, strategic goals, information security requirements, and resource availability.
Understanding those inputs: that’s the true challenge for most organizations. It’s one part operational risk assessment, one part compliance risk assessment, and a heap of debate among the board and senior executives about objectives and resources.
From there, selecting the proper security controls can be a straightforward exercise — an effort-intensive one, certainly, with plenty of testing and documentation along the way. But the NIST standards have a logical structure. They have clear descriptions. A team of security, compliance, and internal audit professionals can take them to the business units and put them into place.
And with all the business imperatives swirling around cybersecurity today, let’s not kid ourselves: do you have any other sensible choice?
For more information about NIST 800-53 and 800-171, plus the Cybersecurity Framework (CSF), please download our companion whitepaper on the subject.