What’s New in Meeting NIST Cybersecurity Guidelines
The second draft of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-160: Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems was released in May. This is the latest guidance that may impact private companies and how they meet compliance initiatives.
The Draft SP 800-160 is geared towards strengthening government systems’ security posture through engineering requirements and considerations throughout the system lifecycle. The guidance is meant to help agencies and the supporting contractor community protect their assets and choose supporting solution components to enhance the nation’s critical systems. New system security analyses will be required to demonstrate the addressable problem, the security solution, and the trustworthiness of the selected approach.
This latest compliance initiative is geared towards strengthening government systems’ security posture by designing strengths and check points across all components of the system. Although many companies are enhancing security controls across their systems, NIST SP 800-160 will incorporate more focus on the engineering methodologies and practices. As cloud and IoT companies direct their solutions to the Federal Government, evidence of supporting NIST SP 800-160 will be critical for demonstrating compliance.
NIST SP 800-160 codifies importance of other systems security and potentially impacts new Cloud and IoT systems coming to market
Complying with the recommendations can be time-consuming as many contingent issues, components, policies, and controls must be prioritized and addressed.
From establishing digital authentication processes to protecting CUI, awareness of security guidelines and the potential for new requirements involves more than go-to-market timelines and migration roadmaps. Companies that overlook changing requirements may find their innovative solutions and products being perceived as less secure than their competitors, or even worse, being in violation of existing mandates within their most profitable market.
Don’t forget NIST Special Publication 800-171
In addition to NIST SP 800-160, government agencies and private contractors need to identify a strategy to address NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Compliance with 800-171 is required no later than December 2017. The new requirements mandate a holistic review of security practices, controls, policies, and roles and responsibilities. Some of the controls touch upon physical systems, personnel screenings, mobile device encryption, and data destruction. As a result, organizations may need to revisit their entire risk management strategy and strengthen policies, practices, and procedures across the technical, operational, and human capital facets of their business.
So what does this mean to you?
Government contractors need to closely monitor newly released and upcoming NIST Cybersecurity standards to ensure that they are in compliance with the latest security requirements. Establishing a unified approach to handling the required transformation of security systems and ensuring CUI protection will require new types of compliance and security support. This transition to holistic engineering design, thinking and operating in the complex Cloud and IoT spaces, can present a herculean task, even for the most sophisticated businesses.
CEOs, CIOs, and CISOs will need to dedicate time and resources to adequately adjust and reshape core business operations to meet the upcoming technical and compliance transitions and threats. Preparing early including evolving your corporate security strategy to a ‘systems of systems’ due diligence model will require the ability to have an outside perspective on the components and solution capabilities fielded by your company. See graphic above.
EmeSec is helping a number of companies get a head start on incorporating this outside view and support the internal teams to meet new requirements. Contact us today to start preparing for effectively meeting these new challenges for you.