When working with cybersecurity, it helps to get a handle on the context in which these requirements were created in order to understand how to navigate the requirements. This article addresses the background of the NIST, and what security frameworks were created to protect our nation against security threats. 

Understanding the History NIST

The National Institute of Standards and Technology is a branch of the U.S. Department of Commerce that controls the safety, quality, and precision standards of science and labor. They are one of the most impactful scientific research institutions in our history; their research-backed standards have paved the way for thousands of inventions, birthed entire industries, and conceived new fields of science. Yet many people have never heard of it.

NIST was founded in 1901 as the National Bureau of Standards. This National Bureau of Standards was the very first physical science research facility in the United States. The Bureau contributed a very wide variety of scientific advancements throughout its history that Americans still utilize today – from electricity safety codes to the first guided missile. For example, they published several handbooks for the American public in the 1910s alerting them to the potential dangers of electricity and hazards within the home. The Bureau were the first to start building national computer systems in 1950; in 1954 they invented a more efficient way to convert instructions from handwritten paper to computer code with the birth of the Film Optical Sensing Device for Input to Computers.

The Bureau of Standards focused heavily on physics and computer science during much of the 1970s and released the very first data encryption standard in 1977. The agency was renamed the National Institute of Standards and Technology, referred to as NIST, in 1988.

Why Were the NIST Security Standards Created?

As technology has continued to advance and become vital in our everyday working lives, the concerns about national intelligence has been top of mind for professionals working to solve problems and track threats to our nation’s safety and security. These concerns have come from inside and outside government organizations. Many businesses who work with the government have taken the safety of our nation’s intelligence seriously, however, the process to preserve and protect this information was being conducted on a business by business basis. This required a lot of research and development. In addition, because there are so many departments and levels of work needed by the government, there was no set standard of review for security measures to ensure a contractor could perform the tasks requested in a safe and secure manner. Because this time and cost was prohibitive for many new businesses wishing to work with the government and there was no set process for evaluating whether or not classified information was securely protected when a contractor obtained that information, there was a need to standardize the security requirements necessary. 

The NIST started consulting with federal, state, local, and tribal governments to solve this problem. Bringing in private sector organizations to support and evaluate security measures has become a vital part of ensuring our nation’s confidential information is protected. Due to the fact that technology is constantly changing, the NIST requirements and procedures are evaluated regularly to ensure that businesses do not have to create their own standards of safety for protecting Controlled Unclassified Information (CUI). The certification standards required by the NIST are built around open communication with private businesses who serve government departments such as the Department of Defence, The Office of Management and Budget, The Director of National Intelligence, and so many more to avoid duplication of work, flush out security threats that could easily affect many organizations, and to ensure new contractors have the resources and cost-effective solutions to compete in the bidding process. The NIST’s goal is to map out a standard of security and identify gaps in the control of security to ensure the protection of our nation and the CUI that contractors must work with in order to perform their jobs. 

How NIST Started Focusing on IT Security Standards

In the early 2000s, NIST consolidated into six laboratories for specific sciences across the country. The Information Technology Laboratory (ITL) is in Maryland and “focuses on IT measurements, testing, and standards,” according to their website. ITL’s research follows three specific aspects of information technology. The first is general research into all related fields such as mathematics and computer science, the second is “applied IT research and development,” and the third concentrates on IT standards development.

NIST ITL (Internet Technology Laboratory – the branch focused on cybersecurity) sets scientific and technical standards for federal agencies and U.S. industry, the standards are free for use by any organization worldwide. In 2013, NIST, guided by executive order, developed a cybersecurity framework or (CSF). The goal of the CSF was to protect the nation’s critical infrastructure. With legislative direction over time, the goal shifted to developing cross industry cybersecurity frameworks. Over time, NIST will continue to produce new frameworks and guidelines. Several NIST security standards already exist. Each set of standards was created for a specific purpose. In this post, we will start to look at what the different NIST standards are.

What are the Security Standards?

There are several security standards targeted at different portions of the US government and their contractors. To get a taste of what these are we will break down a few.

NIST Cybersecurity Framework (CSF) v1.0, v1.1

CSF v1.0 and CSF v1.1 are designed to help manage and reduce cyber security risk for critical infrastructure. The Department of Homeland Security (DHS) defines critical infrastructure as follows:

“Critical infrastructure describes the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.”

These documents are based on existing standards, best practices, and guidelines from the time when they were created. Version 1.0 came out in 2014, while version 1.1 is a revision from 2018. The NIST Cybersecurity Framework references other security models such as COBIT, ISO 27001, NIST 800-53 and CIS (Center for Internet Security). These documents, while aimed at critical infrastructure, can be used by any industry. Compliance is voluntary for non-federal operations and the documents provide guidance for self-evaluation. There is a lot going on in the scope of the CSF. Subcategories that have been defined are more targeted. For example, the Manufacturing Profile document is a narrowing of scope focused on manufacturing systems cybersecurity issues. 

What is NIST Special Publication (SP) 800-53?

SP 800-53 was created to meet the requirements of the Federal Information Security Modernization Act (FISMA). If you are a federal agency, contractor or subcontractor with computer systems directly connected to a federal network, 800-53 applies to you. Revision 4, 800-53 has 18 control families (categories) with a total of 965 controls. Revision 5 which was released in 2020 merges the Privacy controls from Rev. 4 Appendix J right into the core Revision 5 controls.  Revision 5 also adds supply chain controls and processes. As of now, compliance is equated to self-attestation or 3^rd party attestation. Where you or a 3rd party auditor can supply documents regarding your compliance with the cybersecurity standards required.

What is NIST Special Publication (SP) 800-171?

SP 800-171 was created for DoD contractors to demonstrate compliance with Defense Federal Acquisition Regulation Supplement (DFARS) for handling Controlled Unclassified Information (CUI). It looks remarkably like the 800-53, however it is much more limited in scope. It is made up of 110 controls in 14 control families. Again, compliance is through self-attestation or 3^rd party attestation.  

A DFARS amendment was published in 2019 that modified and enhanced portions of NIST 800-171 and can be found here. The two main changes are that; after November 30, 2020 clause 7019 of the amendment specifies that any business will need to have a record of attestation in the Supplier Performance Risk System (SPRS) not older than three years.  The other main change, clause 7020 of the amendment also requires that any company doing business under an awarded contract allow the government to access its facilities, systems and personnel to verify the validity of the NIST 800-171 assessment. This testimony on record being renewed every 3 years is vital to the fact that technology changes so quickly, and new systems and processes being introduced can become overlooked from a cybersecurity standpoint.

“1. Contractor ‘self-attests’ to compliance with DFARS 252.204-7012 and implementation of NIST SP 800-171 (Status Quo with DFARS 252.204-7008)”

Understanding The Cybersecurity Maturity Model Certification (CMMC)

The CMMC is not part of the NIST framework and is based off and extends the entirety of the NIST 800-171. The CMMC is a unified cybersecurity framework, aimed at the protection of CUI. CMMC is being split into two portions. 

• One area focuses on the controls, process and guidelines for certification.  
• The other area is an accreditation body.  

CMMC-AB is the entity that has been created to be the accreditation body.  

The CMMC draws from the lessons learned with all the earlier security models. Many controls are the same as those contained in SP 800-53 and SP 800-171, however the approach has changed. 

Government contracts using CMMC should clearly define the required portions of CMMC necessary to be eligible to be awarded the contract. The compliance focus has shifted from self-attestation, to training, accreditation, and credentialing. This has been implemented because the self-attestations were becoming an accountability problem. Some contracting organizations had developed limited follow through on the documented processes they attested their organizations were required to follow. Because of this, in order to achieve CMMC compliance, you will undoubtedly need to involve a third-party audit. CMMC is actively being used for DoD contracts as of late 2020. Many other government agencies are anticipated to  follow. The Chief Information Security Officer for Acquisition and Sustainment, Ms. Katherine Arrington, supports strict cybersecurity compliance.

 “We understand that there’s going to be a cost to this, but when we’re losing $600 billion a year, if I have to put $1 billion in to make sure that we protect ourselves, it’s a huge return on investment,” Arrington said. “More importantly, [we’re] investing in ensuring our supply chain remains whole.”

How CubedCorps Is Participating in NIST Certification & Compliance 

We, at CubedCorps Cyber Security, have been working in all four of the referenced security frameworks and other related frameworks (such as ISO 27001) and can perform 3^rd party attestations for your organization.  Please check out our blog post about how to start writing policies for your first ISMS.  CubedCorps has extensive experience in assisting and creating cyber security ISMS frameworks. We have also developed various security frameworks and audit preparation processes. Contact us today for more information!