However, they also raise a number of serious questions, according to the Cyber Secure Institute, a cybersecurity advocacy group in Washington, D.C.
When NIST released the final version of its “Recommended Security Controls for Federal Information Systems and Organizations,” it called the publication “historic in nature,” hailing the guidelines as a critical component of the federal cybersecurity effort, potentially shaping the security approach of all unclassified federal IT systems.
Not everyone agreed.
“The standards are a good step forward, but I think that they leave some questions open, and they certainly didn't go as far as they could have,” Rob Housman, executive director of the Cyber Secure Institute, told SCMagazineUS.com Wednesday.
For the first time, NIST included security controls in its catalog for both national security and non-national security systems, according to the announcement. The NIST security control catalog incorporates best security practices developed by various government agencies.
“This final publication represents a solidification of the partnership between the Department of Defense, the intelligence community, and NIST and their efforts to bring common security solutions to the federal government and its support contractors,” Ron Ross, senior computer scientist and information security researcher at NIST, said in a news release. “The aim is to provide greater protection for federal information systems against cyberattacks.”
NIST said it has incorporated the most broad-based and comprehensive set of safeguards and countermeasures ever developed, with a standardized set of management, operational and technical controls – providing a common specification language for federal information systems.
The most problematic issues, however, include the concern that the baseline controls provide protection against “highly skilled, highly motivated, and well resourced” threats only for high-impact systems, said Housman, and so do not apply to the vast number of federal IT systems that, if breached, could have major implications.
In addition, the recommendations do not provide a mechanism for certifying or validating that specific IT systems meet the NIST requirements they are being deployed to fulfill.
“I think that NIST is disjointed from the administration's call to action,” Housman said. “I think that NIST missed an enormous opportunity. It could have used the federal IT market as a driver for more security. They could have set up the market dynamics and challenged the industry to get out of the status quo. But they didn't, and I think that was unfortunate.”