Fed data protection guidelines released to some criticism


The National Institute of Standards and Technology's (NIST) final recommendations for national cybersecurity, released Friday, make important strides in a number of key areas.

However, they also raise a number of serious questions, according to the Cyber Secure Institute, a cybersecurity advocacy group in Washington, D.C.

When NIST released the final version of its “Recommended Security Controls for Federal Information Systems and Organizations,” it called the publication “historic in nature,” hailing the guidelines as a critical component of the federal cybersecurity effort, potentially shaping the security approach of all unclassified federal IT systems.

Not everyone agreed.

“The standards are a good step forward, but I think that they leave some questions open, and they certainly didn't go as far as they could have,” Rob Housman, executive director of the Cyber Secure Institute, told SCMagazineUS.com Wednesday.

For the first time, NIST included security controls in its catalog for both national security and non-national security systems, according to the announcement. The NIST security control catalog incorporates best security practices developed by various government agencies.

“This final publication represents a solidification of the partnership between the Department of Defense, the intelligence community, and NIST and their efforts to bring common security solutions to the federal government and its support contractors,” Ron Ross, senior computer scientist and information security researcher at NIST, said in a news release. “The aim is to provide greater protection for federal information systems against cyberattacks.”

NIST said it has incorporated the most broad-based and comprehensive set of safeguards and countermeasures ever developed, with a standardized set of management, operational and technical controls – providing a common specification language for federal information systems.

The most problematic issues, Housman said, include that the baseline controls provide protection against “highly skilled, highly motivated, and well resourced” threats only for high-impact systems, and so do not cover the vast number of federal IT systems whose breach could have major consequences.

In addition, the recommendations do not provide a mechanism for certifying or validating that specific IT systems meet the NIST requirements they are being deployed to fulfill.

“I think that NIST is disjointed from the administration's call to action,” Housman said. “I think that NIST missed an enormous opportunity. It could have used the federal IT market as a driver for more security. They could have set up the market dynamics and challenged the industry to get out of the status quo. But they didn't, and I think that was unfortunate.”