Last Updated on November 19, 2020
If you’re not into the nitty-gritty of cybersecurity controls and compliance, you may not have heard of the US National Institute of Standards and Technology (NIST). Formerly called the National Bureau of Standards, these are the folks who develop standards and guidelines for US federal government entities. But they also create globally respected guidance for voluntary use in the public sector as well.
What’s the best way for a typical SMB to get the benefit of NIST’s amazing work?
On a recent episode of The Virtual CISO Podcast, that was host John Verry’s first question to Dr. Ron Ross, who heads development of NIST’s cybersecurity and privacy standards.
“We get this question quite often, because as you would imagine, our customer base is very broad and deep,” states Dr. Ross. “All the federal agencies are required to use our standards and guidelines. But we have a lot of customers in the private sector, ranging from Fortune 500 companies down to small mom-and-pops. And while some of our guidance is very technical, there’s a way to apply it to any type of organization.”
Dr. Ross continues: “One example I use is the notion that every organization needs a contingency plan today for potential cyber attacks. If you’re the Department of Homeland Security, your contingency plan for cyber might be 500 to 1,000 pages; very detailed, very complicated. But if you’re a small mom–and–pop, let’s say a doctor’s office or some small business, you can take the same concepts, which just happen to be in our special publication on contingency planning, NIST SP 800-34, and apply them to your small business. Your contingency plan may be only four or five pages, but it would be the essence of what you need to do to withstand that attack and then make sure your business can keep operating.”
“Whatever the mission, the business operations, your environment of operations, the type of technology you’re using—all of those things can be customized and applied to the largest or the very smallest of organizations,” emphasizes Dr. Ross.
For organizations of any size looking to align their information security posture with best practices, NIST offers two foundational publications:
- Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems
- NIST Special Publication (SP) 800-30, Revision 1, Guide for Conducting Risk Assessments (which John Verry calls “The Bible” of all NIST guidance for cyber)
Both these documents start from the core concept of understanding and managing risk—especially risk to your data.
Dr. Ross likens this seminal NIST guidance to the idea of triage in battlefield medicine: “We came up with a system saying, ‘Look, categorize your data, and then that data will drive a system categorization.’ And we provided three categories: low, moderate, and high, [meaning] low impact, moderate impact, or high impact to your mission or your business.”
“At the time, people said, ‘Well, maybe 3 categories are not enough.’ And we toyed with having 10 and 7 and 5, but we wanted to make it simple. And the triage concept really was the motivation for that standard,” Dr. Ross adds.
Even in today’s relentlessly expanding realm of information infrastructure complexity, with trillions of lines of code connecting across billions of devices, FIPS 199 and SP 800-30 can help you, as Dr. Ross puts it, “… work this problem from the big, big, complex problem down to more manageable problems, and understanding the criticality of your data and your systems as step number one. And then from that, you can do a risk assessment. But again, everything in cyber is local.”
So, risk assessment is where you begin, your data is what you focus on first, and every company’s risk, data and scope are unique. Applying NIST’s guidance step-by-step, you’ll identify the steps you need to take on your unique journey to regulatory compliance, provable security for stakeholders, and so on.
If you’re involved in cybersecurity and/or privacy compliance, implementation, management, etc., don’t miss this podcast episode with Dr. Ron Ross on how to leverage NIST publications to further your cause.
To hear this show, and browse a growing number of other awesome discussions on information security topics, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can access all our episodes here.