Fed data protection guidelines released to some criticism


The National Institute of Standards and Technology's (NIST) final recommendations for national cybersecurity, released Friday, make important strides in a number of key areas.

However, they also raise a number of serious questions, according to the Cyber Secure Institute, a cybersecurity advocacy group in Washington, D.C.

When NIST released the final version of its “Recommended Security Controls for Federal Information Systems and Organizations,” it called the publication “historic in nature," hailing the guidelines as a critical component of the federal cybersecurity effort, potentially shaping the security approach of all unclassified federal IT systems.

Not everyone agreed.

“The standards are a good step forward, but I think that they leave some questions open, and they certainly didn't go as far as they could have,” Rob Housman, executive director of the Cyber Secure Institute, told SCMagazineUS.com Wednesday.

For the first time, NIST included security controls in its catalog for both national security and non-national security systems, according to the announcement. The NIST security control catalog incorporates best security practices developed by various government agencies.

“This final publication represents a solidification of the partnership between the Department of Defense, the intelligence community, and NIST and their efforts to bring common security solutions to the federal government and its support contractors,” Ron Ross, senior computer scientist and information security researcher at NIST, said in a news release. “The aim is to provide greater protection for federal information systems against cyberattacks.”

NIST said it has incorporated the most broad-based and comprehensive set of safeguards and countermeasures ever developed, with a standardized set of management, operational and technical controls – providing a common specification language for federal information systems.

The most problematic issues, however, include concerns that the baseline controls provide protection against “highly skilled, highly motivated, and well resourced” threats only for high-impact systems, said Housman, and do not apply to the vast number of federal IT systems that, if breached, could have major consequences.

In addition, the recommendations do not provide a mechanism for certifying or validating that specific IT systems meet the NIST requirements they are being deployed to fulfill.

“I think that NIST is disjointed from the administration's call to action,” Housman said. “I think that NIST missed an enormous opportunity. It could have used the federal IT market as a driver for more security. They could have set up the market dynamics and challenged the industry to get out of the status quo. But they didn't, and I think that was unfortunate.”
