One cannot pick up a newspaper, watch TV, listen to the radio, or scan the news on the internet without some direct or veiled reference to the lack of information security or intrusions into personal privacy. Many intrusions into government and private-sector systems have exposed sensitive mission, business and personal information. Every day it seems that more and more systems are breached and more and more personal information is made available either on the web or, worse, the dark web.
Given this backdrop, it is often easy to get lost in the details of cybersecurity and privacy and the seemingly endless discussions about cyber-attacks, system breaches, frameworks, requirements, controls, assessments, continuous monitoring and risk management and forget why security and personal privacy matter in an increasingly digital world.
We are witnessing and taking part in the greatest information technology revolution in the history of mankind as our society undergoes the transition from a largely paper-based world to a fully digital world. As part of that transformation, we continue to push computers closer to the edge. The “edge” today is the burgeoning and already vast world of the “internet of things,” or IoT.
This new world consists of an incredibly diverse set of familiar everyday technologies, including dishwashers, refrigerators, cameras, DVRs, medical devices, satellites, automobiles, televisions, traffic lights, drones, baby monitors, building fire/security systems, smartphones and tablets. It also includes technologies that are perhaps less familiar to the average person but absolutely vital to maintaining and safeguarding the familiar world in which they live: advanced military weapons systems; industrial and process control systems that support power plants and the nationwide electric grid, manufacturing plants and water distribution plants; emergency response systems; banking and financial systems; and transportation systems—in short, our most critical infrastructure.
Yes, we have fully embraced this emerging technology and pushed computers, software and devices everywhere to the edge of this new world. And as those technologies, both familiar and critical, become increasingly integrated with IoT, so does information, all kinds of information, including intellectual property and your personal information.
It goes without saying that innovations in information technology and IoT will continue to make us more productive, help us solve difficult and challenging problems, entertain us, allow us to communicate with virtually anyone in the world instantaneously, and provide all kinds of additional, and previously unimaginable, benefits. For instance, who wouldn’t want an app that tells you the optimal time to go to the restroom during the movie you’re about to see at your local theater? These new technologies are not only compelling, but also intoxicating and addicting—leaving us with a huge blind spot that puts us at great risk of losing our property, our privacy, our security and, in some cases, our lives.
We have built an incredibly complex information technology infrastructure consisting of millions of billions of lines of code, hardware platforms with integrated circuits on computer chips, and millions of applications on every type of computing platform from smart watches to mainframes. And right in the middle of all that complexity, your information is being routinely processed, stored and transmitted through global networks of connected systems. From a security and privacy perspective, we are not only concerned about the confidentiality, integrity and availability of the data contained in the systems embedded deep in the nation’s critical infrastructure, but also of our personal information.
Recognizing the importance of both security and privacy safeguards for systems, organizations and individuals, NIST recently initiated several groundbreaking projects to bring these concepts closer together—to facilitate the development of stronger, more robust security and privacy programs and provide a unified approach for protecting all types of information, including personal information. The first installment in this new approach occurred with the release of NIST Special Publication 800-53, Revision 5, which provided, for the first time in the standards community, a consolidated catalog of security and privacy controls—standing side by side with the broad-based safeguards needed to protect systems and personal privacy.
Today, NIST is announcing the second installment of the unified approach to privacy and security by releasing a discussion draft of NIST Special Publication 800-37, Revision 2. This publication responds to the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure and the Office of Management and Budget’s Memorandum M-17-25 (implementation guidance for the Executive Order) to develop the next-generation Risk Management Framework (RMF 2.0) for systems, organizations and individuals. RMF 2.0 provides a disciplined, structured and repeatable process for organizations to select, implement, assess and continuously monitor security and privacy controls.
NIST Special Publication 800-37, Revision 2, empowers customers to take charge of their protection needs and provide security and privacy solutions to support organizational missions and business objectives. It includes a new organizational preparation step, instituted to achieve more timely, effective, efficient and cost-effective risk management processes.
The organizational preparation step incorporates concepts from the Cybersecurity Framework to facilitate better communication between senior leaders and executives at the enterprise and mission/business process levels and system owners—conveying acceptable limits regarding the implementation of security and privacy controls within the established organizational risk tolerance. The enterprise-wide preparation also facilitates the identification of common controls and the development of organization-wide tailored security and privacy control baselines. This significantly reduces the workload on individual system owners, provides more customized security and privacy solutions, and lowers the overall cost of system development and protection.
And finally, RMF 2.0 helps organizations reduce the complexity of their IT infrastructure by consolidating, standardizing and optimizing systems, applications and services through the application of enterprise architecture concepts and models. Such complexity reduction is critical to identifying, prioritizing and focusing organizational resources on high-value assets that require increased levels of protection—taking steps commensurate with risk such as moving assets to cloud-based systems or shared services, systems and applications.
The transformation to consolidated security and privacy guidelines will help organizations strengthen their foundational security and privacy programs, achieve greater efficiencies in control implementation, promote greater collaboration of security and privacy professionals, and provide an appropriate level of security and privacy protection for systems and individuals.
Ron Ross is a computer scientist and Fellow at the National Institute of Standards and Technology. He specializes in cybersecurity, risk management, and systems security engineering.