"Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President under the Executive Order “Improving Critical Infrastructure Cybersecurity” has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Framework will consist of standards, guidelines, and best practices to promote the protection of information and information systems supporting critical infrastructure operations. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties."
Requests for Comment
Comments due April 8, 2013
The National Institute of Standards and Technology (NIST) is conducting a comprehensive review to develop a framework to reduce cyber risks to critical infrastructure[1] (the “Cybersecurity Framework” or “Framework”). The Framework will consist of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
[1] For the purposes of this RFI the term “critical infrastructure” has the meaning given the term in 42 U.S.C. 5195c(e), “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
This RFI requests information to help identify, refine, and guide the many interrelated considerations, challenges, and efforts needed to develop the Framework. In developing the Cybersecurity Framework, NIST will consult with the Secretary of Homeland Security, the National Security Agency, Sector-Specific Agencies and other interested agencies including the Office of Management and Budget, owners and operators of critical infrastructure, and other stakeholders including other relevant agencies, independent regulatory agencies, State, local, territorial and tribal governments. The Framework will be developed through an open public review and comment process that will include workshops and other opportunities to provide input.
NIST Notice of Inquiry: Models for a Governance Structure for the National Strategy for Trusted Identities in Cyberspace (NSTIC)
Comments Due on or before July 22, 2011
SUMMARY: The Department of Commerce (Department) is conducting a comprehensive review of governance models for a governance body to administer the processes for policy and standards adoption for the Identity Ecosystem Framework in accordance with the National Strategy for Trusted Identities in Cyberspace (NSTIC or "Strategy"). The Strategy refers to this governance body as the "steering group." The Department seeks public comment from all stakeholders, including the commercial, academic and civil society sectors, and consumer and privacy advocates on potential models, in the form of recommendations and key assumptions in the formation and structure of the steering group. The Department seeks to learn and understand approaches for: 1) the structure and functions of a persistent and sustainable private sector-led steering group and 2) the initial establishment of the steering group. This Notice specifically seeks comment on the structures and processes for Identity Ecosystem governance. This Notice does not solicit comments or advice on the policies that will be chosen by the steering group or specific issues such as accreditation or trustmark schemes, which will be considered by the steering group at a later date. Responses to this Notice will serve only as input for a Departmental report of government recommendations for establishing the NSTIC steering group.
. . . . .
Written comments may be submitted by mail to the National Institute of Standards and Technology, c/o Annie Sokol, 100 Bureau Drive, Mailstop 8930, Gaithersburg, MD 20899. Electronic comments may be sent to NSTICnoi@nist.gov . . . . .
Draft Special Publication 800-82, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security
NIST announces the release of draft SP 800-82, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security. SP 800-82 provides guidance for establishing secure industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as skid-mounted Programmable Logic Controllers (PLC). ICSs are typically used in industries such as electric, water, oil and gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (automotive, aerospace, and durable goods). The document provides an overview of ICSs and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. NIST requests comments on SP 800-82 by December 22, 2006. Please submit comments to firstname.lastname@example.org with "Comments SP800-82" in the subject line.
Federal Information Security Management Act (FISMA)
Derived From: NIST Federal Information Security Management Act Implementation Project: Background
"The E-Government Act (Public Law 107-347) passed by the 107th Congress and signed into law by the President in December 2002 recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
"An effective information security program should include:
- Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization
- Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each organizational information system
- Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate
- Security awareness training to inform personnel (including contractors [See Cloud] and other users of information systems that support the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks
- Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually
- A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization
- Procedures for detecting, reporting, and responding to security incidents
- Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization.
"FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security. In support of and reinforcing this legislation, the Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires executive agencies within the federal government to:
- Plan for security
- Ensure that appropriate officials are assigned security responsibility
- Periodically review the security controls in their information systems
- Authorize system processing prior to operations and, periodically, thereafter
"These management responsibilities presume that responsible agency officials understand the risks and other factors that could adversely affect their missions. Moreover, these officials must understand the current status of their security programs and the security controls planned or in place to protect their information and information systems in order to make informed judgments and investments that appropriately mitigate risk to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the agency and to accomplish the agency's stated missions with adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. As a key element of the FISMA Implementation Project, NIST also developed an integrated Risk Management Framework which effectively brings together all of the FISMA-related security standards and guidance to promote the development of comprehensive and balanced information security programs by agencies.
National Initiative for Cybersecurity Education
"The National Initiative for Cybersecurity Education (NICE) has evolved from the Comprehensive National Cybersecurity Initiative, and extends its scope beyond the federal workplace to include civilians and students in kindergarten through post-graduate school. The goal of NICE is to establish an operational, sustainable and continually improving cybersecurity education program for the nation to use sound cyber practices that will enhance the nation's security.
The National Institute of Standards and Technology (NIST) is leading the NICE initiative to ensure coordination, cooperation, focus, public engagement, technology transfer and sustainability. Many NICE activities are already underway and NIST will highlight these activities, engage various stakeholder groups and create forums for sharing information and leveraging best practices. NIST will also be looking for "gaps" in the initiative -- areas of the overarching mission that are not addressed by ongoing activities."
- United States Department of Commerce, National Institute of Standards and Technology, NIST Special Publication 800-39, Final Public Draft: Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View, March 2011
- United States Department of Commerce, National Institute of Standards and Technology, NIST Special Publication 800-37, Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010
- RFC: NIST NICE Cybersecurity Workforce Framework, Comments Due 12/16/2011
- United States Department of Commerce, National Institute of Standards and Technology, NIST Special Publication 800-53, Revision 3: Recommended Security Controls for Federal Information Systems and Organizations, May 2010
- United States Department of Commerce, National Institute of Standards and Technology, Standards for Security Categorization of Federal Information and Information Systems, FIPS Pub 199, February 2004
- United States Department of Commerce, National Institute of Standards and Technology, Minimum Security Requirements for Federal Information and Information Systems, FIPS Pub 200, March 2006
- United States Department of Commerce, National Institute of Standards and Technology, NIST Special Publication 800-53A, Revision 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations, June 2010
- United States Department of Commerce, National Institute of Standards and Technology, NIST Special Publication 800-144, Draft: Guidelines on Security and Privacy in Public Cloud Computing, January 2011
- The National Technology Transfer and Advancement Act of 1995