Fed data protection guidelines released to some criticism


The National Institute of Standards and Technology's (NIST) final recommendations for national cybersecurity, released Friday, make important strides in a number of key areas.

However, they also raise a number of serious questions, according to the Cyber Secure Institute, a cybersecurity advocacy group in Washington, D.C.

When NIST released the final version of its “Recommended Security Controls for Federal Information Systems and Organizations,” it called the publication “historic in nature,” hailing the guidelines as a critical component of the federal cybersecurity effort, potentially shaping the security approach of all unclassified federal IT systems.

Not everyone agreed.

“The standards are a good step forward, but I think that they leave some questions open, and they certainly didn't go as far as they could have,” Rob Housman, executive director of the Cyber Secure Institute, told SCMagazineUS.com Wednesday.

For the first time, NIST included security controls in its catalog for both national security and non-national security systems, according to the announcement. The NIST security control catalog incorporates best security practices developed by various government agencies.

“This final publication represents a solidification of the partnership between the Department of Defense, the intelligence community, and NIST and their efforts to bring common security solutions to the federal government and its support contractors,” Ron Ross, senior computer scientist and information security researcher at NIST, said in a news release. “The aim is to provide greater protection for federal information systems against cyberattacks.”

NIST said it has incorporated the most broad-based and comprehensive set of safeguards and countermeasures ever developed, with a standardized set of management, operational and technical controls – providing a common specification language for federal information systems.

The most problematic issues, however, include the concern that the baseline controls provide protection against “highly skilled, highly motivated, and well resourced” threats only for high-impact systems, Housman said, and do not apply to the vast numbers of federal IT systems that, if breached, could have major consequences.

In addition, the recommendations do not provide a mechanism for certifying or validating that specific IT systems meet the NIST requirements they are being deployed to fulfill.

“I think that NIST is disjointed from the administration's call to action,” Housman said. “I think that NIST missed an enormous opportunity. It could have used the federal IT market as a driver for more security. They could have set up the market dynamics and challenged the industry to get out of the status quo. But they didn't, and I think that was unfortunate.”
