Last Updated on November 23, 2020
The US National Institute of Standards and Technology (NIST) is responsible for developing standards and guidelines for the US government. But NIST is very keen to support US private sector organizations as well.
In the realm of information security, how does NIST guidance relate to leading worldwide information security standards—especially the ISO 27000 family of standards?
On a recent episode of The Virtual CISO Podcast, we got the best possible answer to that pivotal question from none other than Dr. Ron Ross, who heads development of NIST’s cybersecurity and privacy publications.
“It has always been our goal… to harmonize all this guidance. But the problem really goes back to NIST SP 800-53 [Security and Privacy Controls for Information Systems and Organizations, from which NIST SP 800-171 of CMMC fame is derived],” Dr. Ross recalls. “When we first developed that document, ISO 27001 and ISO 27002 were already in print. The problem was the depth and breadth of the [ISO 27001] controls wasn’t sufficient for what we want to do in the federal government.”
“It’s not a criticism; it’s just a recognition that we have to go a little deeper and a little broader for our particular missions,” clarifies Dr. Ross. “Our first goal is always to create an international level standard. That’s better for US industry because many of our companies compete globally now. So, it’s not a lot of fun to comply with two standards: ISO and the NIST guidance. But that was something we had to do.”
“When you do an ISO standard, you’ve got to have agreement with [something like] 180 countries, and that’s hard to do,” Dr. Ross adds. “There are a lot of compromises made, and you try to get the best product you can with the greatest consensus. … We just haven’t found a way to do that yet.”
So… never the twain shall meet? Maybe not completely, given the specific needs of US government agencies. But there is a lot of deliberate overlap and cross-referencing between NIST’s efforts and those of ISO.
As Dr. Ross points out: “The good news is every time we release [a new revision of] 800-53, ISO 27001 folks are looking at that. And every time they release a new update, we are looking at what they have done. So, we are trying to keep up with each other.”

“So we tried to get as close a mapping as we could from the NIST 800-53 controls to the ISO 27001 or ISO 27002 controls. And that would mean that the federal agency could make that decision, if they’re working with a contractor that has an ISO 27001 certification. They could actually decide, if you haven’t done all of the controls in the [NIST] Moderate baseline, but you’ve done maybe two-thirds or three-quarters, we’ll give you credit for that. If you can show the evidence and then you can work on the gap, that’s a whole lot better than having to go back and waste all that time and money,” explains Dr. Ross.
NIST also puts tremendous effort into cross-referencing its cybersecurity guidance with ISO 27001 and other leading cyber standards. But are those mappings all they’re cracked up to be?
“You know mappings are always subjective,” Dr. Ross points out. “Unless you’re using first order predicate calculus, you’re not going to get an exact mapping. But mappings are important for our customers—and that’s the reason we do what we do. We are all about our customers and if they’re successful then that means we’ve done our job.”
Dr. Ross continues: “Just think: from a business perspective, many of our federal agencies have lots of different contractors. Many of these contractors who are supporting them are also working globally. So they may have already done an ISO certification on a scope of applicability for an ISO 27001 set of controls. The reason the mapping is important is that’s actually value–added. We shouldn’t always want to have them implement controls again, just because they’re from the NIST catalog.”
“I think we’re trying to be practical,” asserts Dr. Ross. “It’s all risk management. It’s not about some utopia or some perfect world. It’s about making real decisions; real, credible risk-based decisions every day, as you try to carry out these various complicated missions that the feds and the private sector have to carry out.”
If you need to rationalize multiple information security guidelines to meet overlapping compliance requirements or address specific stakeholder concerns, this show with Dr. Ron Ross at NIST will be solid gold for you.
To hear this episode in its entirety, and also check out our many other information security podcasts, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you’ll find all our episodes here.