NIST Risk-Assessment Framework Shapes Federal Cybersecurity Strategy
Feb 12, 2016 5:00 AM PT
The U.S. government is under pressure to improve cybersecurity and is meeting that challenge with a commitment to substantially increase spending on protecting IT systems. The Obama administration projected that the federal budget for cybersecurity spending in fiscal 2016 would be about US$14 billion, an increase of $1.4 billion from 2015.
That funding level represents strong support not only to safeguard agency operations, but also to protect millions of citizens whose personal data resides on federal IT systems. It also represents the emergence of a huge market for commercial providers of cybersecurity products and services.
Individual federal agencies have their own plans for cybersecurity investments, and the Obama administration has directed some funding toward projects that have an impact across government. Those include a proposed $243 million for research and development to support innovative cybersecurity technologies at federal agencies.
Clues to Security Investments
A significant element that will shape future investments is the government-wide strategy for assessing risk and developing measures to achieve a common security goal. Such a strategy could have an investment impact equal to that of any specific hardware or software purchase, and provide important clues to vendors for successfully marketing their cybersecurity offerings to federal customers.
A survey of federal agency IT professionals conducted by Dell identified that strategy. Most federal agencies have found a common cybersecurity strategy in the "Framework for Improving Critical Infrastructure Cybersecurity," issued by the National Institute of Standards and Technology in early 2014, according to results of the survey.
An overwhelming 82 percent of survey respondent organizations were utilizing the NIST framework to improve their cybersecurity activities, Dell reported last month.
"As security threats continue to increase in sophistication and frequency, holistic, end-to-end security is crucial," said Paul Christman, vice president, federal, at Dell Software. The NIST framework "can serve as an excellent resource for government."
Beyond Patchwork Solutions
Briefly, the NIST framework is designed to provide a comprehensive and proactive approach to addressing cybersecurity issues, versus short-term, reactive, "finger in the dike" patch-ups.
The plan involves a core element composed of industry standards, guidelines and practices that allow for communication of cybersecurity activities and outcomes from the executive level to the operations level, according to NIST. Core cybersecurity functions are designated as identify, protect, detect, respond and recover. Taken together, the functions provide a high-level, strategic view of the life cycle of an organization's management of cybersecurity risk.
In addition to the core, the NIST framework provides tools, referred to as "profiles," for assessing how cybersecurity measures align with specific business needs and outcomes. Finally, the framework defines several levels, or tiers, to help users prioritize risk scenarios and resource requirements. The critical infrastructure objective generally refers to utility, financial, transport and governmental sectors of the economy, but the approach can be applied more broadly to other segments as well.
Seventy-four percent of federal organizations using the framework said it served as a foundation for their individual agency cybersecurity programs, the Dell survey found. As a further indicator of the value of the NIST program, 68 percent of survey respondents said they looked to the framework to improve organizational security, and 39 percent used the framework to create a uniform approach to discussing security throughout their agencies.
Dell has been talking with the federal government about efforts to enhance cybersecurity, and it supported the survey as part of that effort.
"We wanted to validate what we were hearing from customers. We were getting a lot of inquiries as to how our offerings would fit into the framework," Dell's Christman told the E-Commerce Times.
The feedback to Dell related more to overall processes for improving cybersecurity than to defined offerings, he said. "This wasn't focused on whether an agency should purchase a specific product from Dell or one of our competitors. Instead it provided a common language that gave our customers a way of articulating what they want to achieve."
Inquiries came from a broad range of entities, including commercial and federal, and the survey canvassed respondents in both the public and private sectors. The idea was to determine what capabilities within Dell's resources matched up with customer objectives, although ultimately discussions related to the framework have resulted in some additional federal procurements for Dell.
"Regardless of mission, industry, data type or threat factor, organizations can use the NIST framework to strengthen their security posture, develop and enhance cybersecurity road maps, improve organizational security, and create a uniform security language," Christman said.
Support Emerges in Security Suggestions
A separate initiative aimed at helping agencies improve cybersecurity also endorsed federal agencies' use of the NIST framework. Last month, the American Council for Technology and the Industry Advisory Council released a document offering more than 100 recommendations for bolstering federal cybersecurity protection.
ACT-IAC is a forum for private sector and government cooperation on information technology issues.
Among the suggestions is a provision to hold federal agencies accountable to the NIST framework "by implementing metrics for the framework and assessing agency capabilities by independent evaluation."
"The framework can provide a consistent approach to assess strengths, weaknesses and opportunities for improvement. That consistency can enable cross-agency comparisons, identification of best practices, and collaboration to improve cybersecurity programs," said Mike Howell, senior director, Institute for Innovation and Special Projects at ACT-IAC.
"Leveraging the framework and related metrics, in concert with other actions like the Federal Information Security Management Act reporting, could improve the transparency and accountability of federal cybersecurity programs," he told the E-Commerce Times.
The Dell survey, conducted by Dimensional Research, involved 150 federal IT professionals in government units with at least 1,000 employees. The research was performed in coordination with a canvass of more than 300 respondents in other industries. Results were reported in December.
The ACT-IAC initiative involved a broad cross section of industry, government and academic respondents and included follow-up brainstorming sessions.
Other findings in the Dell survey shed light on additional factors affecting the status of cybersecurity conditions at federal agencies.
For example, survey respondents reported that federal employees pose the greatest danger to cybersecurity: "disgruntled or malicious" employees represented 32 percent of the cybersecurity danger at federal agencies, and a second group of "uneducated or careless" employees represented another 32 percent.
Threats from "external parties posing as insiders" accounted for 37 percent of the cybersecurity risk.
Given the high incidence of employee-related risk, one interesting finding was that 84 percent of federal survey respondents said they were confident their agencies had adequate resources and guidance to guard against insider threats. Also, 92 percent of respondents said employees within their agencies have access to more information than is necessary for their work.