“This update was motivated by the expanding threats we all face,” project leader and NIST fellow Ron Ross said in a statement. “These include the increasing sophistication of cyberattacks and the fact that we are being challenged more frequently and more persistently.”
The revision’s new assurance controls will help agencies have confidence in the security of their systems and give guidance to contractors that develop information systems, information technology component products and services for the government, according to Ross, who said the focus on the trustworthiness of federal information systems supported the NIST’s slogan of “Build it right, then continuously monitor.”
Contractors may welcome the update as an improvement over ad hoc rules pursued separately by separate agencies. In comments submitted to the NIST on April 8, the Professional Services Council urged the government to halt ongoing efforts to create cybersecurity contract requirements until the NIST framework was in place.
“We strongly believe that the NIST cybersecurity framework should be developed prior to the further development or implementation of new acquisition-specific cybersecurity requirements,” PSC President and CEO Stan Soloway said. “To ensure that consistency is achievable by agencies in both the cybersecurity framework and the federal acquisition arena, PSC recommends that the [Federal Acquisition Regulation] and [Defense Federal Acquisition Regulatory Supplement] initiatives be suspended until the initial NIST framework is completed.”
The new guidelines promote cutting-edge security controls aimed at addressing evolving threats — particularly issues related to mobile and cloud computing, insider threats, supply chain risks, advanced persistent threats, and other areas that have evolved greatly over the past eight years, the NIST said.
To address supply chain risks — an area that has been the focus of recent reports from the Senate Armed Services Committee and House Intelligence Committee — the guidelines recommend that the government sometimes use “blind or filtered buys” to withhold the ultimate purpose of electronic parts from the contractors who supply them.
The guidelines also encourage agencies to offer incentives to contractors that are open about their procedures for vetting the security of their electronic parts and subcontract suppliers, something the U.S. Department of Defense is addressing as it implements the 2013 National Defense Authorization Act. The NDAA provided a safe harbor for contractors who have DOD-approved vetting procedures, while requiring other contractors to pay the cost of replacing counterfeit electronics that they supply to a military system.
Previous NIST guidelines, as well as a change in the 2013 National Defense Authorization Act, have pushed contractors to report data breaches affecting government systems. The 2013 NDAA included a last-minute amendment added by Senate Armed Services Committee Chairman Carl Levin, D-Mich., that required cleared contractors to report on cyberattacks and grant the DOD access to information systems for security checks.
Contractors complained that the amendment’s initial language would have provided the DOD with open-ended access to data — even to the point of long-term confiscation of computer servers — with very few controls on how that information would be used or safeguarded. While the final version of the NDAA limits the amendment in a few key ways, requiring the DOD to safeguard trade secrets and commercial information and preventing the DOD from sharing the information outside of the agency, some said the change didn’t go far enough toward addressing contractors’ concerns.