NIST offers cyber self-assessment tool, updates email security guidance
The National Institute of Standards and Technology has come out with a self-assessment tool that should give organizations a better understanding of how they are progressing with security risk management efforts.
The National Institute of Standards and Technology has long been a national resource on cybersecurity, and its Cybersecurity Framework has been widely adopted in both government and private industry. The guidance, however, doesn’t come with many pointers to tell organizations how well they are deploying it.
Hearing the many pleas for some way of doing that, NIST has finally come out with a self-assessment tool that should give organizations a better understanding of how they are progressing with security risk management efforts. It’s asking for public comment on the current draft document.
The Baldrige Cybersecurity Excellence Builder pulls together two prized Commerce Department initiatives. The new tool incorporates elements of NIST’s Cybersecurity Framework, which was introduced in February 2014, and takes inspiration from the Baldrige Award, created in 1987 and named after the late Commerce Secretary Malcolm Baldrige.
The award begat the Baldrige Excellence Framework, which organizations can use to build performance-boosting programs. After that came the Baldrige Performance Excellence Program, managed by NIST, that also includes various self-assessment tools that can tell organizations how well they are doing.
As far as the Cybersecurity Framework goes, it’s proving to be as popular as the Baldrige program has been over the years, and there’s hope it might be as effective. Though it has its critics, the Cybersecurity Framework has so far been adopted by around 30 percent of U.S. organizations, according to Gartner, and that’s expected to rise to 50 percent by 2020.
The new assessment tool, according to NIST, guides users through a process that details their particular characteristics and strategic needs for cybersecurity and will enable them to:
- Determine cybersecurity-related activities that are important to business strategy and the delivery of critical services
- Prioritize investments in managing cybersecurity risk
- Assess the effectiveness and efficiency of using cybersecurity standards, guidelines and practices
- Assess cybersecurity results
- Identify priorities for improvement
At the end, the assessment will put the organizations at a certain maturity level -- reactive, early, mature or role model -- and from there, each organization can build out its own action plan for upgrades and cybersecurity improvements.
NIST is looking for comments on the first draft of the guidelines by Dec. 15.
Email security has also long been a focus for NIST, with its Special Publication 800-45 providing basic guidance. However, the most recent version of that guidance was published in early 2007, and the universe of security threats has grown much larger since then.
A new missive on Trustworthy Email, SP 800-177, seeks to plug the holes. Billed as complementary to 800-45, it provides more up-to-date recommendations for managing digital signatures, encryption, spam and more.
Man-in-the-middle attacks have become widespread, for example, as a way for bad actors to put themselves between the sender and receiver of a clear-text email so they can get information directly from the email. The NIST publication points out that these attacks can be prevented by encrypting email end-to-end and by implementing message-based authentication and confidentiality procedures.
There’s nothing especially new in the NIST email guidance, but even the basic recommendations mentioned in the document are often not implemented at organizations. Trustworthy Email should be useful, if for nothing else, for bringing all the current standard methods of protecting email together into a focused resource for email and network administrators and information security managers.