Government Agencies Get Their Cybersecurity Marching Orders

After months of delays, the Trump administration has issued its first executive order on cybersecurity, signaling the direction that the federal government’s new strategy will take. The order addresses three broad topics: the security of federal networks, protections for critical infrastructure, and cybersecurity for the general public. Among its calls to replace outdated technology and to create a more capable cybersecurity workforce, the order contains one directive that will make an immediate difference in how the government manages its cybersecurity programs.

“Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency's cybersecurity risk.”

With that sentence, the president gave new importance to the NIST Cybersecurity Framework, which until now has not been enforced as a requirement on a wide scale. While the Framework itself will remain a guide rather than a law, meaning that other organizations can choose whether or not to adopt it, federal agencies are now on the hook to bring their cybersecurity programs in line with the Framework’s recommended approach.

Federal agency heads have 90 days to prepare cybersecurity risk management reports and deliver them to the Secretary of Homeland Security and the Director of the Office of Management and Budget. The reports will detail each agency’s current cybersecurity practices and its plan to implement the NIST Framework. The heads of Homeland Security and OMB will then review these reports and, within 60 days, develop a plan to implement and fund a government-wide cybersecurity program in alignment with the Framework.

Given the short timeframe for planning and the new importance of the NIST Cybersecurity Framework, federal agencies that have not yet begun to adopt the Framework will need to move quickly in order to become familiar with its recommendations and put their current programs in context. Private-sector businesses that do business with federal agencies will also need to prepare for changes in how the government handles its networks, infrastructure, and data.

What is the NIST Framework, anyway?

The NIST Cybersecurity Framework is a relatively new document that owes its existence to another executive order. In 2013, President Obama issued an order calling for better cybersecurity protections for critical infrastructure, and directing NIST to develop a set of voluntary guidelines based on input from individuals and organizations around the world. The resulting document—the Framework—was released a year later and quickly became the most widely adopted set of standards for organizational cybersecurity.

The Framework contains three types of reference material:

  • Core: A high-level list of common cybersecurity activities, grouped by function (Identify, Protect, Detect, Respond, and Recover). Each function is broken down into categories and subcategories that describe the purpose of each activity, along with references to other documents that provide more detailed guidance.
  • Implementation Tiers: A description of the various degrees of sophistication and rigor that can be used in implementing cybersecurity programs. The Framework lists four tiers ranging from “Partial” (the lowest level of sophistication) to “Adaptive” (in which an organization has a company-wide cybersecurity program that is continually evaluated and improved).
  • Profiles: Templates that can be used to define an organization’s unique risks, activities, and resources. The Framework recommends that organizations create profiles to reflect their current-state and future-state cybersecurity programs, and compare the two profiles in order to determine their priorities when developing action plans and roadmaps.

While the Framework itself is not legally binding, many organizations have begun to use it as a guide to security strategy, and it was a primary reference point for New York’s groundbreaking cybersecurity law for financial services companies. The Framework will likely be used as a template for any future cybersecurity laws drafted at the state or federal level.

Meeting NIST standards for data protection

Among the many changes federal agencies will need to make in order to meet NIST Framework standards, enhancing data protection should be a top priority. Increasingly common data breaches have exposed the government’s vulnerability to hackers and spies, and the opportunities for compromise will only increase as government agencies shift toward cloud-based services and data storage. The “Protect” element of the NIST Framework Core specifically calls for protection of data at rest and data in motion, as well as technology that mitigates the impact of a data breach.

Persistent, data-level encryption is the best approach for protecting data at rest and data in motion. Unlike whole disk encryption or network-based encryption approaches, persistent encryption remains with data even when it is copied or shared outside an organization’s network.

PKWARE’s Smartcrypt is the only encryption platform that delivers persistent protection across the entire enterprise, eliminating gaps in protection that other solutions fail to address. If your organization is looking for ways to enhance data protection and meet NIST Cybersecurity Framework standards, find out how Smartcrypt can help you meet your security and compliance goals.