From: Nextgov
By Aliya Sternstein
The National Institute of Standards and Technology has rewritten federal cybersecurity standards for the first time in nearly a decade to address evolving smartphone vulnerabilities and foreign manipulation of the supply chain, among other new threats.
The 457-page government computer security bible, officially called “SP (Special Publication) 800-53,” was last revised in 2005. That was long before the rise of advanced persistent threats — infiltrations that play off human failings to linger in systems until finding sensitive data.
Agencies are not required to follow all the specifications, but rather choose among the protections that suit their operational environments, such as space in the case of NASA.
Congressional reports indicate that foreign adversaries have attempted to corrupt the supply chain at some point between agency system design and operation to disrupt or spy on the government. To protect critical computer parts, the compendium recommends sometimes withholding the ultimate purpose of a technology from contractors by “using blind or filtered buys.”
Agencies also should offer incentives to vendors that provide transparency into their processes and security practices, or vet the processes of subcontractors.
NIST broaches the controversial approach to “restrict purchases from specific suppliers or countries,” which U.S. technology firms, even those who have been hacked, say might slow installations.
The new guidelines also cover the challenges of web-based or cloud software, insider threats and privacy controls.
Leave a Reply