- Why should you try and be compliant?
- Who needs to be NIST compliant?
- How do you comply with regulations and standards?
The National Institute of Standards and Technology, also known as the NIST, is a United States government laboratory that works to develop, test, and recommend best practices for federal agencies, and other organizations relating to things such as online security. Metrics, measurements, and regulations, like the Federal Information Protection Standard, are created by the NIST to help strengthen the reliability and security of technologies being developed. All federal organizations are required to follow standards outlined by the NIST in their specific field when they are dealing with confidential, federal data. The standards and regulations set out by the NIST are recognized internationally, meaning any organization that follows the NIST’s standards for their business sector is trusted to be using the correct practices in their technology. NIST standards and regulations have been created for many Science, Technology, Engineering, and Mathematics (STEM) fields, from astrophysics to cybersecurity.
Why should you try and be compliant?
One of the many questions asked by organizations is why should I comply with the NIST’s standards and regulations? The main reason is the amount of testing put into the publications they release. Weeks, months, and sometimes years of testing are implemented into the subject NIST publications are related to before they are released to the public. This ensures that methods and practices proposed in the standards are the most up-to-date and methods available at the time of writing. The research is done by a team of professionals in their field, so the publications released to the public are extremely accurate, both informationally and technically.
Another reason to comply with the NIST’s standards is the fact that it will make your organizations infrastructure and new technologies much more secure. The goal of releasing NIST publications is to provide a more secure environment for both the government and companies in general. The more organizations that follow these standards, the less security breaches and vulnerabilities are available for exploitation by threat actors. Some regulations, like the Federal Information Protection Standard (FIPS), are required for work with the federal government. This means, any company seeking federal work contracts, will need to be FIPS 140-2 compliant, along with potentially needing to comply with other regulations, depending on the organizations field.
Compliance can also provide your business with an edge over competitors. Those organizations that comply with federal security standards will appeal to customers over those businesses who don’t comply. Those same customers will trust your organization to produce an equally secure product or service in the future, winning your company future business with a recurring client. Some organizations will require compliance with specific regulations if a company wishes to be their vendor. One of these organizations is the United States federal government.
Who needs to be NIST compliant?
All contractors, vendors, subcontractors, and all federal agencies are required to be compliant with NIST standards and regulations if they wish to work with the United States federal government. This is due to the sensitive data that companies working with the government will be manipulating, storing, and processing. If the data is handled improperly, this could cause a security gap allowing threat actors access to information or services that are meant to be top secret. Certain organizations, as well as local governments, may require those companies wishing to work with them to comply with certain NIST standards and regulations as well.
How do you comply with regulations and standards?
One of the easiest ways to follow NIST regulations is to comply with the requirements set forth in the NIST publications. These requirements are specific to each publication, meaning following the requirements of one publication will not guarantee compliance with all NIST publications. To help your company with being compliant with current and future publications created by the National Institute of Science and Technology, you should utilize the Cybersecurity Framework, created by the NIST. The NIST Cybersecurity Framework does not guarantee compliance with all current publications, rather it is a set of uniform standards that can be applied to most companies.
The NIST Cybersecurity Framework was created to improve the cybersecurity of organizations to prevent data breaches and increase the strength of cybersecurity tactics used by organizations. By implementing a uniform set of standards, organizations following the Cybersecurity Framework will already understand the infrastructure and cybersecurity tactics used by other Cybersecurity Framework organizations. The Cybersecurity Framework is broken into 5 stages, called the Framework Core:
The Identify stage helps the rest of the Framework Core function properly. This stage provides transparency into the workings of the tools currently in use, while prioritizing actions for securing critical infrastructure. Companies implementing this stage will identify all of the software and systems that are critical to the organization’s infrastructure. This helps find unauthorized devices within the network, such as a worker’s phone that is accessing their email, which could be used as an attack vector for threat actors. Understanding the systems at play in your infrastructure helps identify where most of the secure data is kept, which can then be prioritized for protection. All data cannot be protected within an organization, thus secure data has a priority for protection. Asset management, risk assessment, and risk management strategy are all tasks that fall under the Identify stage.
The protect phase is focused on reducing the number of breaches and other cybersecurity events that occur in your infrastructure. It also handles mitigating the damage a breach will cause if it occurs. This could mean putting security systems in to prevent or detect data loss, such as intruder prevention systems, or other such cybersecurity tools. Identity access and management (IAM) control, training, and data security are just a few of the processes that fall under the protection umbrella.
This stage helps with the detection of an intruder once a breach occurs, as no security system is 100% secure. Once an attacker gets into your organization’s infrastructure, they must be detected and dealt with in a timely manner, so they do not have enough time to steal any data or compromise any client systems. The longer it takes to detect an intruder, the more data that could be compromised. Events, monitoring, and detection are all a part of the Detect stage.
The respond stage deals with the response an organization has to a breach. These guidelines help with developing and implementing a plan to respond to a security breach. If the breach is not secured and the attacker is given free reign of an organization, then the breach can become worse and worse. Response planning, communications, analysis, mitigation, and improvements are the steps implemented in the Respond phase.
The final stage, Recover, deals with the aftermath of a security breach. A plan for disaster recovery is created and implemented here. A back-up of all databases and infrastructure should be in place as part of the recovery plan. This stage includes recovery planning, communications, and improvements for the future.