With the growing threat that mobile technology and the cloud present to information-centric businesses, NIST has finally updated the federal guidelines on cyber security. NIST, the National Institute of Standards and Technology, released its first draft on February 28th, three years since the last update in 2009.
NIST Releases Updates to Security Guidelines
Among the changes is a cloud-first policy, which makes cloud technology a priority for IT projects. The revision also acknowledges bring-your-own-device (BYOD) policies, under which employees use the mobile device of their choosing at work. Ron Ross, FISMA Implementation Project Leader, stated:
“The changes we propose in Revision 4 are directly linked to the current state of the threat space–the capabilities, intentions and targeting activities of adversaries–and analysis of attack data over time.”
In addition, the revision modifies NIST's guidance on security assurance in Appendix E. The appendix explains how organizations can “establish measures of confidence that the security controls put in place are providing the necessary security capability to protect critical missions and business operations”.
In the end, I think Ross sums it up best: “Having security functionality in your information systems without the appropriate assurance is like skydiving without a backup parachute–you don’t need it until you need it. And without it, the outcome is very predictable.” You can see the full revisions here.