New National Institute of Standards and Technology guidance will help organizations perform a step-by-step analysis to identify the critical parts of a system that must not fail if it is to successfully support the organization’s mission, according to a release from NIST.
Defense Department components and agencies operate on a tight budget. But legacy software no longer supported by the manufacturer must be replaced, the supply chain for replacement hardware and cellphones is suspect, and spare parts are hard to find. Where do organizations invest their limited resources?
This problem confronts nearly every organization that depends on information or operational technology for its mission and critical business systems. How can they keep infrastructure up to date without either jeopardizing the mission or breaking the budget?
NIST has released new draft guidance to help organizations navigate the challenges. It is requesting public comments by August 18, 2017 on the guidance, which will help organizations perform a step-by-step analysis to identify those critical parts of a system that must not fail or be compromised if the system is to successfully support the organization’s mission.
The document, NIST Interagency Report (NISTIR) 8179, Criticality Analysis Process Model, builds on previous NIST guidance such as Special Publication (SP) 800-53 Rev. 4, SP 800-160, and SP 800-161, which emphasized the importance of identifying the critical points in a system, but did not provide a method for doing so.
The draft report, co-authored by NIST cybersecurity expert Jon Boyens and colleague Celia Paulsen, will have repercussions beyond federal agencies because of the many private contractors that do business with the government, including military contractors whose products will be used by troops in the field.
“I think guidance like this will help secure the supply chain,” said John Peterson, senior program manager at the Redhorse Corporation in San Diego. “A lot of these systems are integrated, so if you have one part that’s compromised in some way, it could affect the entire system.”
These risks could be higher due to unpredictable budgets, which can vary substantially in the federal government depending on budget priorities. How can an organization maintain systems when it cannot always afford to buy the latest and greatest tools, but at times must make do with legacy technology?
“The legacy problem is notorious throughout industry,” said Carol Woody, technical manager for cybersecurity engineering at the Software Engineering Institute in Pittsburgh. “All organizations are trying to keep technology costs down. It’s hard to do because they have to make choices that may not always anticipate problems 10 years down the road. What the NIST authors are doing is saying, think broadly. Ask yourself why you bought something and how long it will be before it could conceivably need more capability—plan for its usable life and budget accordingly.”
These ideas have already been used in many industries, but they were not always applied as strictly as they should be for information security.
“We looked at many processes and realized that people tend to view risk according to what they know best—their own goals and experiences,” Paulsen said. “Existing procedures don't always emphasize considering different—often competing—priorities or how a single component can impact various parts of an organization. With limited resources it is impossible to solve every problem, but our report will help you see the whole landscape more clearly. It will help you communicate with different parts of the organization, outside stakeholders, and supply chain partners about what’s important.”
Criticality analysis is not only essential to determining high-value assets. It also alters the traditional risk assessment focus on likelihood: from what adversaries are likely to do, to what they are capable of doing. The approach also eliminates debate over “return on investment” in favor of engineering systems that are resilient, according to the NIST release.
Guidance of the sort the report offers is necessary, said Boyens, because of the nature of the supply chain—the innumerable manufacturers whose individual wares end up combined into a system, which then becomes part of an agency’s larger infrastructure. Creating these larger “systems of systems” can create challenges when problems like those aging cellphones crop up.
“If they were using criticality analysis, they might have bought a 10-year supply of the crucial parts in advance, or would know that they'd need to do more testing of the aftermarket product,” Boyens said. “Without a proper analysis, they might not realize these vulnerable spots in the first place.”
The Software Engineering Institute's Woody added that this sort of analytical clarity combined with long-term thinking was needed in acquisition departments, which are often more knowledgeable about managing costs and schedules than the intricacies of how software is built.
“It’s that proactive thinking that’s hard to get into the supply chain,” she said. “The technology will still be there, and the attackers won’t take it easy just because we don’t have funds for an upgrade.”