Let's talk about NIST

DATE: April 06, 2022

Since the creation of the TCP/IP protocol in 1983, which created the building blocks of the internet we know and love today, the technological world that we live in has been rapidly evolving. Every innovation that advances the internet and its beneficiaries also creates new issues for cybersecurity to solve. These issues can lead to the theft of our PII (Personally Identifiable Information) and the theft of the government and our leading companies’ information. In order to combat this, the United States government created FISMA.

What is FISMA?

FISMA stands for the Federal Information Security Modernization Act and was created in 2002 when we had luckily survived the Y2K bug and the true dawn of the internet had begun. Before this point, the internet was primarily used by large corporations, the government, and the extremely wealthy. Nowadays just about anyone in the US can afford a device with an internet connection. Understanding that the future of the modern world would be through the internet, the government created FISMA, which is the requirement for all federal agencies to develop, document, and implement an agency-wide program to provide information security for all government assets. Since it was 2002 and most of the people voting on the bill didn’t know how the internet worked, they left the bill very generic and tasked NIST with creating the standards that FISMA required. 

What is NIST?

NIST is the National Institute of Standards and Technology and was created by the US Congress in 1901. They were tasked with assembling standards for scientific terms we know today, like length, mass, temperature, light, and time, and the means to get these standards to the public in a way that could be more easily understood. Things that we take for granted today, like measurements on packaging that tell us how much we are buying, or how big or small a certain cabinet for our kitchen is, could’ve been debated back in the early 20th century. NIST rolled out multiple standard measurements that all companies and people must use to iron out these problems. Over 100 years later, NIST is the leading light in multiple categories of developed standards, including Artificial Intelligence, Climate, Communication, Cybersecurity, Health, Infrastructure, Manufacturing, and Quantum Science.

Inside the cybersecurity sector at NIST, there are multiple subcategories that deal with cryptography, cybersecurity measurements, privacy engineering, emerging technologies, trustworthy platforms, cybersecurity awareness and training, identity and access management, and risk management. Each of the cybersecurity topics dives deeper into what is needed to properly secure all risks associated with that category of vulnerabilities. As stated on our site, the group at Purdue cyberTAP works in accordance with NIST standards and leverages their ideas for training, vulnerability and risk assessments, penetration testing, and policy and procedure creation.

Cybersecurity Training

As cybersecurity came to the forefront of companies’ needs, NIST created the NICE framework. NICE stands for National Initiative for Cybersecurity Education and is the building block for describing the tasks, knowledge, and skills needed to perform cybersecurity work by individuals and teams. The NICE framework provides a consistent, hardened security measure for all industry employees to learn together so that all companies are aware of the best way to provide security against small and large risks and vulnerabilities. The training section of NICE utilizes multiple other organizations that provide certifications, assessments, and other trainings/courses that reference NIST in their trainings. These organizations include, but are not limited to, Cisco, CompTIA, Fortinet, NetCom, SANS and GIAC, and more.

Vulnerability and Risk Assessments

To properly assess and manage risk, NIST created the RMF, which stands for Risk Management Framework, and provided controls that, if implemented correctly, can help identify, assess, correct, and manage current and future vulnerabilities and risks. If you want to look at all the different controls the RMF has identified, please feel free to go to NIST’s site (https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1). Every control is identified by its control family and is categorized by two letters. For example, AC stands for Access Control, AT stands for Awareness and Training, etc. Each of these families of controls shows the level of impact as well as what is considered a baseline control that all companies should be able to fall back on in case of a security breach. Most baselines consider the use of good policies and procedures as a good privacy control baseline to recover from a security disaster.

Penetration Testing

On NIST’s site, you can find multiple tools and resources regarding penetration testing. According to a partner of NIST (CISA) that is referenced on their site, penetration testing is described as “testing the security of a computer system and/or software application by attempting to compromise its security, and in particular the security of the underlying operating system and network component configurations.” (https://www.cisa.gov/uscert/bsi/articles/best-practices/security-testing/adapting-penetration-testing-software-development-purposes#penetration-testing-tools-categories) Then they go into more detail on what exactly penetration testing is and how it operates, the strengths and limitations of penetration testing, some of the best tools to use for testing, and the framework to properly set up and implement penetration tests. These are the standards that they expect companies to adhere to when performing substantive testing on their network environment.

Policy and Procedure Testing

Inside of the RMF on NIST’s site, they reference the Prepare step, which includes identifying key risk management roles at your company, what a proper risk assessment looks like, how to identify proper controls to secure your network, and how to create policies and procedures. This link (https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/01-Prepare%20Step/NIST%20RMF%20Prepare%20Step-FAQs.pdf) takes you to a PDF that describes these steps in detail and helps identify the controls that you should base your policies and procedures on. Once you have made your policies and procedures and saved them for the correct personnel to adhere to, you should regularly check to make sure these are being updated as your network environment evolves and changes over time.

Utilizing NIST and all its tools and resources can help make your company more secure and maintain reliable and consistent standards that are easily accessible. NIST is constantly updating its standards to adapt to modern-day network risks and attacks. The best way for your company to stay up to date is to utilize the NIST framework to combat cyberattacks that may come your way.

About the author

Chandler Ball

Technical Instructor

ball18@purdue.edu
