Is the NIST Risk Management Framework poised to become a national cybersecurity standard?

A lot of organizations, including small businesses and critical infrastructure operators, might soon get new technical security requirements from the federal government. This will probably be very costly, especially for small businesses that don’t already implement the kinds of security measures that are standard for large federal contractors. I’ll give a brief overview of two efforts: a bill in the US Senate called the Cybersecurity Act of 2012 (CSA) that just failed, but gives us an idea of how Congress is thinking about securing critical infrastructure operators, and a new federal contracting rule that’s closely related to parts of CSA in its goals and technical details. Both of these efforts focus on NIST’s Risk Management Framework, and if you’re not already familiar with this process, now might be the time to get up to speed.

NIST’s cybersecurity standards

Almost 10 years ago, Congress passed a law requiring federal agencies to develop and follow computer security plans that conform to standards set by the National Institute of Standards and Technology (NIST). In turn, NIST implemented the Risk Management Framework (RMF), which is a set of interlocking security standards that includes processes and specific technical requirements. By law, federal agencies have to follow these standards, and the GAO regularly calls out organizations that aren’t doing enough.

Lately, the federal government has started to push rules and legislation that would bring NIST standards more forcefully into the private sector.

DoD contractors may get new security requirements

The first example is a proposed federal contract rule that would apply to many companies that do business with the DoD. This includes 76% of small businesses that work with the DoD. In its current draft form, the rule would mean that businesses need to apply complex and detailed NIST technical security requirements (called “controls”) to unclassified data kept on their own systems. A small business might be required to drastically modify its internal communications and collaboration systems, since the controls state that it must apply the “Principle of Least Privilege,” meaning users can access only the data they need to do their job. Another rule would require the use of FIPS-certified cryptography to protect unclassified information. This is just a small sampling; other controls cover training, security auditing, configuration management, contingency planning, authentication, incident response, visitor controls, physical protections, and many others.

Risk management vs. legislating technical requirements

The NIST framework normally distinguishes between systems based on the potential negative impacts of a security incident and recommends different controls for different types of systems based on a risk assessment. My reading of the contracting rules as currently described is that they dictate specific technical controls without performing any risk assessment.

The upside of including a specific set of controls might be that small companies don’t have to perform a complex risk assessment to decide which controls to implement. The NIST risk management framework is designed for extremely large government agencies, and there is currently no guidance for applying it to small businesses.

There is a downside, though, to dictating specific controls without a risk assessment. Businesses might have to implement overly restrictive systems that aren’t justified by the risks. For instance, many of the proposed security controls would normally be applied only to systems where a security incident would cause a “serious” effect like significant financial loss or significant harm to individuals. A few of the controls, like the FIPS certification of cryptography, are usually recommended only for systems with potential “catastrophic” effects.

Will these new rules make it hard for small businesses to work with the federal government?

The goal of these rules is clearly to improve security for organizations that handle DoD data, but the compliance requirements for small federal contractors will likely be expensive (according to the proposal itself) and put them at a disadvantage in the commercial and government markets.

At the same time, DARPA programs like Cyber Fast Track are seeking out non-traditional small businesses to create innovative security solutions, and the program is designed to work well for firms that have not previously done work with the federal government. It’s reasonable to expect that, if these rules are put into place, and if they are applied to such companies, it will make it harder for programs like Cyber Fast Track to bring in new talent.

The Cybersecurity Act of 2012

Another major effort by the federal government to bring better cybersecurity into the private sector was the Cybersecurity Act of 2012 (CSA). This bill just failed in the Senate, but it was strongly backed by President Obama in a Wall Street Journal op-ed. Even though the bill didn’t pass, it gives us some insight into the direction Congress would like to go. This law would have given NIST the power to set cybersecurity standards for operators of critical infrastructure like the electric grid.

The law would require risk assessments across all the critical infrastructure industries, establish performance requirements, and provide for civil penalties for failure to meet the requirements. The Cybersecurity Act would also establish standards for certified third-party assessors who can measure an organization’s security. If an organization complies with the security requirements or passes this type of assessment, it won’t be held liable if there is a damaging cyber attack. The law doesn’t seem to say that the NIST RMF would be used, but that NIST would set the standards and would use a risk assessment in doing so. It’s reasonable to guess that the standards would look a lot like the existing RMF.

Challenges in applying NIST’s framework

Taken together, the existing laws and potential new laws and regulations point to the major influence of the NIST Risk Management Framework over improving cybersecurity efforts, large and small. I’m a big fan of the framework, but there are significant gaps in it. For instance, it is pretty complex, and NIST should build a streamlined version for small businesses rather than giving contractors specific technical requirements without any risk assessments.

Furthermore, federal cybersecurity requirements might make it difficult for businesses (especially small businesses) to use cloud services, create new barriers to entry for innovative small cloud service providers, and give established large contractors a leg-up in secure cloud services in private industry. The rules that govern federal agencies are confusing enough that last year, Microsoft and Google engaged in a war of words about whether their products met federal standards and could be used for government services. This type of confusion might spread to private industry if these rules are adopted over the next few years, slowing the pace of cloud adoption.

Is the NIST Risk Management Framework poised to become a national cybersecurity standard?

There is no guarantee that these laws and regulations will pass, but changes are coming in cybersecurity, and it’s very likely that NIST’s approach will win the day since it’s so widespread in the federal government. If you think you might be affected by the new rules, you should familiarize yourself with the NIST process so you can plan for the new regulations, and potentially even influence them before they are put in place.