One of the challenges with cyber security is maintaining compliance with the many (and ever changing) industry regulations. And, for government agencies and government contracts and subcontractors, those regulations are even more stringent. Take for instance NIST Compliance. Established as an industry standard for cyber security and data protection for government agencies, these standards, while not mandatory for many private sector companies, can help businesses of all sizes implement best practices.
What Is NIST?
NIST stands for the National Institute of Standards and Technology, a branch of the U.S. Department of Commerce founded in 1901. A non-regulatory government agency, NIST’s stated mission is “to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology, in ways that enhance economic security and improve our quality of life.” These standards, regarded as industry best practices, were developed to improve the security of government agencies and of contractors that handle government data.
The NIST Cyber Security Framework (CSF), the industry guidelines the organization is best known for, was established in 2014 to standardize cybersecurity practices, so companies could use a singular, uniform approach to threat detection, data protection, cyber risk, and other types of digital attacks.
Is NIST Mandatory?
For the average company, NIST is not a mandatory requirement.
Government organizations, and government contractors and subcontractors (such as those working with the DoD, GSA, and NASA), must be NIST compliant as per a 2017 ruling.
However, NIST is not a regulatory agency and, therefore, cannot penalize private sector clients for being non-compliant. But much like wearing a seatbelt or looking both ways before you cross the street, following NIST best practices is highly recommended. Additionally, since the rigor of these standards is so high, meeting NIST compliance will also help your company meet other government compliance regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act (FISMA).
What Is the NIST Cyber Security Framework?
The NIST CSF provides a framework consisting of three main components: Implementation Tiers, Framework Core, and Profiles.
One of the beauties of the NIST CSF is that, since it is not mandatory, it is malleable and can be used by organizations of different sizes and specialties. For instance, a large company may already have security measures that overlap with those required by NIST, while a small company may have fewer channels for data breaches and therefore only needs the NIST compliance standards relevant to its organizational scope.
In its most basic form, NIST is a series of best practices and guidelines to assist companies so they can protect their data in the best way possible. The NIST Framework Core, the various cybersecurity activities, references, and outcomes that are found across critical infrastructure sectors, provides a high-level and strategic view of the life cycle of cybersecurity risks.
The Framework Core is broken down further into five main functions: Identify (build awareness around the need to manage potential cybersecurity risks), Protect (put in place security measures to ensure your systems and data are protected), Detect (have a strategy in place with procedures and tools for cyber threat detection), Respond (have an incident response plan in place to quickly head off threats and limit damage), and Recover (ensure that your data is protected and recoverable in the event of a cyber-attack or disaster).
What’s Next For NIST?
Recently, the Federal Trade Commission has instituted new Standards For Safeguarding Consumer Information, known as the Safeguards Rule for short, that are designed to ensure companies covered by the Rule have safeguards in place to protect the security of their customer information.
The new Safeguards Rule applies to financial institutions that are subject to the FTC’s jurisdiction and requires those institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule defines customer information as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”
To be compliant, a firm must have an information security program that is appropriate to the size and complexity of the company, and the scope, nature, and activities of the business. The objectives of the company must be to ensure the security and confidentiality of customer information, to protect against anticipated threats to the security or integrity of that information, and to protect against any unauthorized access to that information that could result in harm or inconvenience to the customer.
Should I Be NIST Compliant?
As we have discussed, NIST compliance, unlike some other cyber security compliance regulations, is non-enforceable, and therefore you are not legally required to comply with the standards. However, given the adaptability of the standards, the stringent levels of protection they help provide, and the regulatory benefits of striving toward NIST compliance, it is highly recommended that your company takes these standards into consideration when developing a cyber security protection system.