NIST revises US federal cyber security standards

The US National Institute of Standards and Technology has revised federal cyber security standards to address threats since 2005

The US National Institute of Standards and Technology (NIST) has revised federal cyber security standards to address threats that have emerged since the last revision in 2005.

The 457-page standards document now includes guidelines on addressing smartphone security vulnerabilities, advanced persistent threats (APTs), social engineering, and foreign manipulation of supply chains, according to US reports.

To improve supply chain integrity and protect critical computer parts, the revised standards recommend withholding the ultimate purpose of a technology from contractors.

The new guidelines recommend that government agencies should offer incentives to suppliers that provide transparency into their processes and security practices, or vet the processes of subcontractors.

The new guidelines also cover the challenges of web-based or cloud software, insider threats, privacy controls, and bring your own device (BYOD) policies.

On BYOD, recommended restrictions include using cloud techniques to limit processing and storage activities on actual government systems.

NIST advises that government agencies consult the Office of the General Counsel regarding legal uncertainties, such as the requirements for conducting forensic analyses during incident investigations.

The latest research from the Information Security Forum (ISF) shows that there are four main areas where organisations should focus their efforts: governance; users; devices; and apps and data.

Governance should determine the strategy and approach the organisation adopts, such as whether to allow any device to connect or to provide users with a corporate device.

“Based on that decision, the information security approach and controls required should be specified,” said Adrian Davis, principal research analyst at the ISF.

Organisations are increasingly treating the device as untrusted.

“There is an increasing realisation that you cannot secure the device and so efforts must be focused on protecting the data,” he said.

The increasing processing power of devices actually can help security, as the devices can run anti-malware or encryption software such as that used on PCs, said Davis.

While mobile device management (MDM) is a tool that can assist in security, he said successful deployments need to be integrated with the governance approach and coupled to user awareness and training.
