The NIST Cybersecurity Framework (CSF) helps thousands of organizations around the world to better understand and improve their information security posture.
But that is just one of the frameworks created by the National Institute of Standards and Technology (NIST) and used across the industry.
The NIST Privacy Framework (PF) is now more than a year old. And the NIST Risk Management Framework (RMF) provides details for creating cyber policies through a risk-based approach.
Now, we are learning that more help from NIST is on the way.
The agency, part of the U.S. Department of Commerce, recently announced it is making new, bold pushes relating to information security and privacy for 2021 and beyond. They are things you may want to track, so let's take a look at these new developments.
NIST's 9 new privacy and cybersecurity priorities
The goal for NIST moving forward is to help government agencies, private sector organizations, and many others adapt to the "new normal" that so many people are talking about.
There is no doubt that the pandemic has brought about some permanent changes to our way of life and business, so NIST wants to help organizations navigate through these uncharted waters.
Here are NIST's nine priority areas of focus for the coming years:
- Enhancing risk management
NIST is diligently working to produce a "coordinated and cohesive portfolio of complementary resources" that can be used by all. It will turn to the public to look for ways to improve the CSF, as well as ways to better mesh the CSF, PF, and RMF together.
NIST has already begun to address the privacy issue in 2021 with the release of a new quick start guide for the framework. The guide will help organizations with limited resources to "get a risk-based privacy program off the ground or improve an existing one."
- Strengthening cryptographic standards and validation
NIST will look for new approaches to encryption and data protection that will protect against attack by a quantum computer. It is hosting a competition "to solicit, evaluate, and standardize lightweight cryptographic algorithms suitable for use in constrained environments." The results of this competition will help form the core of the first post-quantum cryptography standard.
- Cybersecurity awareness, training, and education and workforce development
NIST is using its National Initiative for Cybersecurity Education (NICE) to stress the importance of 'competencies,' a term which describes the cybersecurity skills and communication between an employer and learner.
- Metrics and measurements
NIST says that it will "aim to support the development of technical measurements to determine the effect of cybersecurity risks and responses on an organization's objectives." It also says it will use the National Vulnerability Database (NVD) for assigning and identifying metrics by industry.
- Identity and access management
NIST says that during 2021 it plans to resolve comments on FIPS 201 (the Standard behind the PIV Card and Derived PIV Credentials) and produce a final version this year. The final version will "expand the set of PIV credentials and allow remote supervised identity proofing."
- Trustworthy networks
NIST notes that there is "an urgent need to demonstrate the commercial viability of, and practical guidance for, secure IPv6-only enterprise deployment. With other agency and private sector collaborators at NIST's National Cybersecurity Center of Excellence (NCCoE), in 2021 we'll provide an approach and demonstrate the tools and methods for implementing IPv6, starting from an IPv6 in dual-stack mode and ending with an IPv6-only network." This is one of a few projects it is working on in the area of trustworthy networks. Others include NCCoE's 5G and Zero Trust cybersecurity efforts.
- Trustworthy platforms
NIST's DevSecOps efforts have resulted in support and guidance from stakeholders who attended recent workshops in 2021. It will look to help "integrate security into DevOps planning and processes and to inform new, practical and actionable guidance to fill any gaps, update existing guidance, and potentially develop NCCoE projects to demonstrate the practices."
- Securing emerging technologies
NIST is very aware that IoT devices are becoming more and more crucial to federal information systems and will look to the public to help guide drafts defining federal IoT cybersecurity requirements. The goal will be to ensure IoT devices are integrated into the security and privacy controls of federal information systems.
Want to learn more? You can read "2021: What's Ahead from NIST in Cybersecurity and Privacy?" for more information.