NIST Recommendation analysis

Cyber Secure Institute : 06 August, 2009  (Technical Article)
The Cyber Secure Institute comments on the recent NIST recommendations for federal information system security controls
Rob Housman, Executive Director of the Cyber Secure Institute has released the Institute's Preliminary Analysis of the National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems and Organizations, which NIST released on August 1, 2009.

The NIST Recommendations are a critical component of the Federal cybersecurity effort. The Recommendations will shape the security approach of all unclassified Federal IT systems.

In addition, how the Recommendations are implemented will have spill-over effects on IT security efforts beyond the Federal government, including both the sub-Federal public sector and the private sector. In turn, they will affect a major portion of the Federal IT market, and the larger IT market as a whole.

"Overall, the Institute sees the NIST Recommendations as an important step forward in bringing a more unified, coherent and integrated approach to IT security," Housman said. "They make important security strides in a number of key areas.

"However, they also raise a number of serious questions. For example:

* "The Baseline Controls provide protections against 'highly skilled, highly motivated, and well resourced' threats only for systems designated High Impact. However, the definitional aspects of High Impact systems do not apply to vast numbers of Federal IT systems that could have major impacts on the nation and individual Americans if breached. For example, the e-Health systems now being pushed by the Obama Administration would seem to fall in the Moderate category. However, the threat to so-called Low and Moderate Impact systems comes from sophisticated actors, like the Chinese military and organized crime. Nevertheless, the NIST recommendations only require these systems to be secure against unsophisticated threats—the proverbial teenage vanity hacker hacking away in the basement.

* "The Recommendations do not provide a mechanism for certifying or validating that specific IT systems meet the NIST requirements that they are being deployed to fulfill.

* "The Recommendations on their face seem to adopt the current hack and patch approach to cybersecurity. They do not explicitly require that IT systems be actually secure against the real world threats we face.

* "The Recommendations do not seize the opportunity to put in place a mechanism, such as a 'Best Available Cybersecurity Technology' requirement, that would have driven technological innovation and real cybersecurity," Housman added.

"All in all, the NIST Recommendations are a major step forward but they fail to fully seize the opportunity to advance President Obama's Cybersecurity agenda," Housman said in closing.