NIST Requests Comments on Draft Guidance for Cyber Challenges

Published: September 30, 2015

Tags: DOC, Critical Infrastructure Protection, Cybersecurity, Digital Government

At the end of July 2015, NIST and its Computer Security Division announced a new series within the NIST Special Publications (SP): the SP 1800 series, titled "NIST Cybersecurity Practice Guides." The SP 1800 series complements NIST's existing SP 800 series of computer security publications.

Over the last two months, NIST and the National Cybersecurity Center of Excellence (NCCoE) have released several draft documents in the SP 1800-series for comment. These practice guides include:

SP 1800-1  Securing Electronic Health Records on Mobile Devices (Draft)

Comment deadline: October 23, 2015

Last year, Deltek's Federal Industry Analysis team forecasted spending in the federal health IT market to increase from $4.3 billion in 2014 to $4.8 billion in 2019 at a compound annual growth rate (CAGR) of 2.2% during the forecast period. Analysis of trends driving this growth includes a rise in the use of mobile devices to deliver and support healthcare. This growth in mobile computing environments and devices to access, store, and transmit health records and medical data is outpacing the privacy and security solutions in place.

This first draft in the NIST Cybersecurity Practice Guides series, released at the end of July 2015, outlines steps that security engineers and IT professionals can follow, using commercially available tools and open source technologies, to share electronic health records more securely. The five volumes of the draft guidance include: an executive summary; a document on approach, architecture, and security characteristics; "How To" guides; standards and control mapping; and risk assessment and outcomes.

SP 1800-2  Identity and Access Management for Electric Utilities (Draft)

Comment deadline: October 23, 2015

Mounting concerns around critical infrastructure protection have fueled collaborative efforts to implement technology upgrades and safeguards. For example, power companies are adopting newer devices and systems to support the electric grid. As these new technologies are introduced, however, so are new risks, such as access management that is scattered across separate, decentralized systems with no single view of who can reach what. According to the NCCoE, the guide "demonstrates a centralized [identity and access management] platform that can provide a comprehensive view of all users within the enterprise across all silos, and the access rights users have been granted, using multiple commercially available products." The three volumes (as well as supplemental files) of the draft include: an executive summary; a document on approach, architecture, and security characteristics; and "How To" guides.

SP 1800-3  Attribute Based Access Control (Draft)

Comment deadline: December 4, 2015

Role based access control, which relies on job titles or defined roles to govern access to networks and systems, has become fairly common. This approach requires manual oversight to keep role assignments in step with organizational changes, making it less efficient as the demand for flexibility increases. Anticipating a shift away from role based controls in favor of attribute based ones, the NCCoE reference design outlines a solution using commercially available technologies to support the advancement of identity management platforms. Attribute based access control evaluates attributes of the requesting user (certifications, group membership, employee status), of the resource, and of the request environment (such as the source IP address) against policy to determine access rights to networks and assets, rather than relying on a role name alone. As a result, the approach provides greater efficiency, flexibility, and scalability. This most recent addition to the practice guide series was released at the end of September 2015. The three volumes associated with the draft include: an executive summary; a document on approach, architecture, and security characteristics; and "How To" guides.
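To make the difference between the two models concrete, the following added example (written for this article, not code from SP 1800-3 or the NCCoE build) contrasts a role based decision with an attribute based one for the same requests. The attribute names, the policy rules, the trusted network ranges, and the three sample users are all constructed for illustration; a real deployment would pull them from an identity store and a policy administration point.

```python
import ipaddress
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# Hypothetical attribute vocabulary, constructed for this example.
Attrs = Dict[str, Any]

# Environment attribute: the request's source network. Constructed ranges.
ON_PREM_NETWORKS = ["10.0.0.0/8", "192.168.10.0/24"]


def in_trusted_network(env: Attrs, cidrs: List[str]) -> bool:
    """True if the request's source IP parses and sits inside a trusted range."""
    try:
        ip = ipaddress.ip_address(env.get("source_ip", ""))
    except ValueError:
        return False  # missing or malformed address never satisfies the check
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


@dataclass
class Rule:
    resource: str                               # resource type the rule covers
    action: str                                 # requested action
    condition: Callable[[Attrs, Attrs], bool]   # (subject, environment) -> permit?
    description: str


# ABAC policy: a rule permits only when its whole condition holds. Deny by default.
ABAC_POLICY = [
    Rule("patient_record", "read",
         lambda s, e: s.get("employee_status") == "active"
         and "clinical" in s.get("groups", ())
         and "hipaa_training" in s.get("certifications", ())
         and in_trusted_network(e, ON_PREM_NETWORKS),
         "active clinical staff with HIPAA training, from the internal network"),
    Rule("patient_record", "write",
         lambda s, e: s.get("employee_status") == "active"
         and "physician" in s.get("groups", ())
         and in_trusted_network(e, ON_PREM_NETWORKS),
         "active physicians, from the internal network"),
]

# RBAC mapping: a role name alone grants the permission. Constructed.
ROLE_PERMISSIONS = {
    "nurse": {("patient_record", "read")},
    "physician": {("patient_record", "read"), ("patient_record", "write")},
}


def abac_decide(subject: Attrs, env: Attrs, resource: str, action: str) -> bool:
    """Permit if any applicable rule's condition is satisfied; otherwise deny."""
    return any(r.condition(subject, env)
               for r in ABAC_POLICY
               if r.resource == resource and r.action == action)


def rbac_decide(subject: Attrs, resource: str, action: str) -> bool:
    """Permit if any of the subject's roles carries the (resource, action) pair."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in subject.get("roles", ()))


def compare(subject: Attrs, env: Attrs, resource: str, action: str) -> Tuple[bool, bool]:
    """Return (rbac_decision, abac_decision) for one request."""
    return rbac_decide(subject, resource, action), abac_decide(subject, env, resource, action)


# Constructed sample users. The departed nurse still holds the role because
# nobody removed it; that is exactly the manual-oversight gap in RBAC.
ACTIVE_NURSE = {"roles": ["nurse"], "groups": ["clinical"],
                "certifications": ["hipaa_training"], "employee_status": "active"}
DEPARTED_NURSE = {"roles": ["nurse"], "groups": ["clinical"],
                  "certifications": ["hipaa_training"], "employee_status": "terminated"}
ON_PREM = {"source_ip": "10.20.30.40"}
REMOTE = {"source_ip": "203.0.113.7"}      # documentation range, i.e. off-network


if __name__ == "__main__":
    cases = [("active nurse, on-prem", ACTIVE_NURSE, ON_PREM),
             ("departed nurse, on-prem", DEPARTED_NURSE, ON_PREM),
             ("active nurse, remote", ACTIVE_NURSE, REMOTE)]
    for label, subj, env in cases:
        rbac, abac = compare(subj, env, "patient_record", "read")
        print(f"{label:26s} RBAC={'permit' if rbac else 'deny':6s} ABAC={'permit' if abac else 'deny'}")
```

The role check permits all three reads, because the role label is the only thing it sees. The attribute check denies the departed nurse (employee status no longer "active") and the off-network request (source IP outside the trusted ranges) without anyone having to edit a role assignment, which is the efficiency and flexibility gain the guide describes.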

The new 1800 series will target specific cybersecurity challenges in the public and private sectors. The example solutions offered in the guides may help to close gaps around implementing security standards and guidance, which has been an ongoing issue for agencies adopting new technologies. NIST will also continue to issue publications as part of the SP 800-series.