When it comes to technology and science, the U.S. Government has a variety of bodies and agencies that help support innovation and promote industry-wide standards. One of the most important (and under appreciated) of these organizations is NIST.
Officially, NIST functions as a network of laboratories that cover a broad umbrella of technologies, from meteorology to nanotechnology and cybersecurity. As a non-regulatory agency under the U.S. Department of Commerce, the NIST mission is to promote innovation and competitiveness of U.S. industries. Today, one of NISTs core missions is to implement practical cybersecurity and privacy standards. Keep reading to learn more about NIST compliance and how a data protection provider can help.
But what does NIST stand for, and how did it go from being an agency dedicated to weights and measurements in the 1700s, to one of the most important technology agencies in the U.S.? And how does NIST achieve its cybersecurity objectives through outreach and effective application of standards and best practices?
History and Origins
NIST is short for the U.S. National Institute of Standards and Technology. The very beginnings of NIST trace back to 1901, when what was then called the National Bureau of Standards was established with the mandate of providing standard weights and measures for the country. It was also to serve as the national physical public laboratory for the entire United States. NISTs first official director, Samuel W. Stratton, was appointed by then president Theodore Roosevelt and allotted a first-year operational budget of $40,000. With that, Stratton began by taking custody of the official kilogram and meter bars that set the official standard for U.S. measures. He then set up a program that provided meteorology services for commercial, scientific, and governmental users across the U.S.
The next phase was the construction of a physical laboratory site in Washington DC, with instruments being procured from various national laboratories in Europe. With this new equipment, NIST was then able to develop techniques for measuring things like electrical units and brightness of light, which they would later also develop national standards for. One of the most notable NIST achievements during this time was the first ever use of neon lighting during the 1904 Worlds Fair in St. Louis by scientist Perly G. Nutting. Fast forward to the Herbert Hoover administration in the 1920s, when then President Hoover directed the bureau to set up further divisions to develop more widespread standards for various commercial products and materials.
Assess your NIST 800-171 Compliance
This included products intended for both government and private sector use, with standards covering things like automobile parts, electrical equipment, and textile materials. Then, during World War I, the bureau turned its attention to issues affecting the production of war-related materials. NIST even operated its own optical glass production facility during a period of time where the European supply line was cut off. It was this wartime period that sparked a variety of innovation at NIST, and shortly thereafter bureau researcher Harry Diamond even developed a radio aircraft system for blind approach landings. World War II spurred even further innovation, with inventions in the areas of radio broadcasting, aircraft frames, and electrical fuzes.
After the war, NIST scientists provided another breakthrough by creating the first ever atomic clock based on microwave emissions, a technology which future time standards would be based upon. As technology in the U.S. (and the globe) advanced at a rapid pace in the post-war era through the 60s and 70s, so did NISTs mission and activities. The technology that is used to preserve historical documents like the Constitution was developed, along with the first 360-degree dental X-ray machine. NIST even headed up the famed experiment along with the Washington Senators proving, in fact, that curveballs really do curve. Now located in Gaithersburg, Maryland, NIST has since developed standards for just about everything, from smoke detectors to DNA profiling.
NIST Fact – In 1970, NIST scientist Joan Rosenblatt formulated the first ever statistical methodology for a truly unbiased, random military draft.
Labs & Programs
Today, NIST operates in a variety of sectors, technologies, and areas of science that conducts a wide array of research. These laboratories work in tandem with various programs that are connected with both private and public sector entities, with the goal of developing regulatory standards and enhancing innovation. Here are a few of the most notable labs that NIST currently operates –
- Physical Measurements Lab (PML) – Focuses on the science of measurement and sets the definitive U.S. standards for nearly every kind of measurement employed in commerce and research. Provide NIST-traceable calibrations, and disseminates standards and best risk management practices throughout the nation.
- Material Measurement Laboratory (MML) – Serves as the national reference laboratory for measurements in the chemical, biological and material sciences. Activities range from fundamental and applied research, to the development and dissemination of certified reference materials, critically evaluated data, and other tools to assure the quality of measurement.
- Information Technology Laboratory (ITL) – Develops and disseminates standards, measurements, and testing for interoperability, security, usability, and reliability of information systems. This includes cybersecurity standards and guidelines for Federal agencies and U.S. industry, supporting these and measurement science at NIST through fundamental and applied research in computer science, mathematics and statistics.
- Communications Technology Laboratory (CTL) – Promotes the development and deployment of advanced communications technologies through research and development on metrology, physical phenomena, materials capabilities, and complex systems relevant to advanced communications. Researches areas like high-speed electronics, wireless systems metrology, antennas, and public safety communications.
- Engineering Laboratory – Promotes U.S. innovation and industrial competitiveness in areas critical areas of engineering. Anticipates and meets measurement science and standards needs for technology-intensive manufacturing and construction. This includes cyber-physical, Internet-of-Things (IoT), and Smart Grid technologies.
In general, all NIST labs are designed and operated with the main goal of enhancing U.S. technology capabilities, and overall economic prosperity. Towards the same end, here are some of the major NIST programs that work in conjunction with said laboratories:
- Office of Advanced Manufacturing (OAM) – Staffed by representatives from federal agencies with manufacturing-related missions, as well as fellows from manufacturing companies and universities. Operates in partnership with the Department of Defense, the Department of Energy, NASA, the National Science Foundation, the Department of Education and the Department of Agriculture.
- Manufacturing Extension Partnership (MEP) – Works with small and mid-sized U.S. manufacturers to help create (and retain) jobs, increase profits, and enhance overall efficiency. The MEP helps these manufacturers incorporate NIST-developed technologies, as well as with strategies on how to develop their own internally.
- Special Programs Office – Fosters communication and collaboration between NIST and external communities focused on critical national needs, including forensics, the Greenhouse Gas Measurements Program, and the National Security Standards Program..
- Technology Programs Office (TPO) – Builds and sustains technology partnering activities between NIST laboratories and U.S. industries, and public entities at the federal, state, and local levels. Promote U.S. innovation and industrial competitiveness across the Federal government in conjunction with the Department of Commerce.
NIST Fact – NIST labs are currently working on a 5G & Beyond initiative to help build the infrastructure for the next wave of high-speed broadband and internet service.
The NIST Cybersecurity Framework
But what is NIST exactly as it relates to cybersecurity? And how does NIST work with entities like the U.S. Commerce Department of Commerce, the Department of Defense (DoD), and private sector entities and contractors? On a high level, the NIST cybersecurity mission statement is as follows –
NIST implements practical cybersecurity and privacy through outreach and effective application of standards and best practices necessary for the U.S. to adopt cybersecurity capabilities.
At the core of this mission is the NIST Framework for Cybersecurity Infrastructure, which lays out guidance and standards for how both public and private organizations should secure their critical data. More specifically, this framework is a risk-based approach to managing cybersecurity, and is composed of three parts: the Framework Core, Framework Implementation Tiers, and Framework Profiles. Each Framework component reinforces the connection between business or mission drivers, and cybersecurity activities:
- Framework Core – A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.
- Framework Implementation Tiers – Provides context on how organizations view cyber risks and the processes in place to manage that risk. Tiers describe the degree to which an organizations cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive).
- Framework Profile – Represents the outcomes based on business needs that an organization has selected from the framework categories and subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile (the as is state) with a Target Profile (the to be state).
This framework is also intended to aid organizations comply with Federal Information Security Modernization Act (FISMA) of 2014. FISMA was designed to codify the Department of Homeland Security’s (DHS) role in administering the implementation of information cyber security policies as it relates government agencies and outside organizations they work with. FISMA grants the DHS authority the authority to oversee and coordinate cybersecurity activities between government entities and any third-party vendors or contractors to ensure NIST standards are fully met.
NIST Fact – The NIST framework covers cybersecurity related to the following technologies: information technology (IT) system, industrial control systems (ICS), cyber-physical systems (CPS), connected devices, and the Internet of Things (IoT).
NIST Contractor Compliance
One of the most critical areas that NIST cybersecurity standards cover is that of companies, vendors, or organizations that contract with the Department of Defense (DoD). These contractors often deal with the most sensitive of data and information, and cyber protections must meet standards as outlined by NIST 800-171.
Any DoD contractors that collect, store, or transmit whats defined as Covered Defense
Information (CDI) or Controlled Unclassified Information (CUI) are required to comply with NIST 800-171, effective December 31, 2017. Examples of what CDI and CUI most often include:
|
|
Contractors or vendors that work with the DoD often work with consultants or advisors to determine what kinds of CDI or CUI they handle, and what they need to do to make sure theyre in compliance. This process is normally broken down into four separate parts of the assessment:
1) Gap Analysis – First, youll need to assess your current compliance status, scope of CUI exposure, and potential liability. Youll analyze your current security setup, as well as policies and procedures for safeguarding CUI. A detailed roadmap on recommended measures for NIST 800-171 compliance will also be developed.
2) Infrastructure Assessment – Here youll review your organizations existing IT critical infrastructure and identify opportunities for improvement which will allow for more informed and strategic business decisions to take place.
3) Vulnerability Assessment – This analysis identifies, quantifies and prioritizes all potential hazards that might affect systems that contain CDI or CUI.
4) Penetration Testing – Here you’ll simulate real-world cyber attacks to assess your external applications, network, and mobile applications vulnerabilities. You’ll also run independent, automated cyber security scans encompassing the Open Web Application Security Project (OWASP) top ten vulnerabilities. Network level penetration tests reveal system vulnerabilities that can be easily exploited by real world attackers
NIST Fact – Depending on the type of data received from the federal government, CUI could include data received as part of a research grant or data received to conduct business (e.g., student financial aid information).
Closing Thoughts
As you can see, the U.S. National Institute of Standards and Technology has come a long way since the days of Teddy Roosevelt. NIST is now one of the most important science and technology oriented agencies, and has become even more so in todays digitally connected world. NIST standards like NIST 800-171 are now a critical part in keeping sensitive information out of the wrong hands, and any business, contractor or organization should proactively work with an experienced partner like RSI Security to make sure they’re in compliance.