The data breach of 22.1 million records at the Office of Personnel Management (OPM) stands out among 2015’s disastrous security incidents as one of the most analyzed. Experts claim this catastrophic incident is a symptom of a larger problem in government cyber security, indicating a shortcoming of compliance standards for securing organizations.
Now, about a year after the OPM incident, the National Institute of Standards and Technology (NIST) has unveiled updated security system standards to bring its guidance more in line with the cyber security and privacy needs of private- and public-sector organizations.
Earlier in May, NIST released the second draft of Special Publication 800-160, which offers organizations guidance on prioritizing assets and selecting security tools. The revised document is now open for public comment, but as it stands, the most substantial changes include:
- Adjustment to fit the organization: Rather than being a specific protocol for implementing secure systems, Special Publication 800-160 is designed as a resource to support security engineers in meeting their organizations’ critical security goals.
- A new way of selecting security controls: In keeping with its handbook-style approach, the NIST document takes a new position on selecting security controls. Under the old standards, security controls were applied based on categories assigned under the Federal Information Processing Standards. In contrast, the new guidance bases the selection of security controls on the organization’s critical needs.
- Covers the full lifecycle: According to NIST Fellow Dr. Ron Ross, speaking in an interview with Federal News Radio, the new documentation will “cover every aspect; wherever security touches an aspect of an enterprise, it’s addressed in 800-160, so it’s a holistic view.” The draft has expanded from its previous iteration, now covering 30 processes instead of 14. Organizations can start with the processes most critical to them and build out gradually toward comprehensive coverage.
Compliance efforts in security systems engineering will need to align with each organization’s most critical cyber security needs. As your organization prepares to work through the NIST guidance, keep in mind that Lunarline has the expertise and innovative technologies to help you make sure your systems are engineered for security.
Visit Lunarline.com for information on our security engineering, managed security and other services that can improve your cyber security posture. Or drop us a line, and one of our experts will be in touch to discuss your organization’s needs.