In The News

NIST Cybersecurity Practice Guide to Be Published in 2022

The National Institute of Standards and Technology plans to publish various volumes of its forthcoming Cybersecurity Practice Guide throughout 2022 and beyond.

NIST’s Cybersecurity Center of Excellence formed a Zero Trust Architecture Working Group in October, composed of 20 companies that intend to build and document several example builds, so it is difficult to say exactly when the project will end, according to an agency spokesperson.

The guide, which will describe the practical steps needed to implement the reference designs for zero-trust security, will be the end result of NIST’s Implementing a Zero Trust Architecture Project.

“I think what COVID did is it shined a light on, one, there are a lot of devices that weren’t secured that needed to be secured because people were working from home,” Tony D’Angelo, vice president of public sector at Lookout, told FedScoop. “And, two, some of the access that was previously had might have been unclassified email and things that were probably less sensitive, but the demand for accessing more sensitive data from phones and tablets is certainly increasing.”

Mobile security has only about 30% to 35% market penetration, despite about 70% of federal data being accessed using mobile devices, so there’s a “mismatch” there, D’Angelo said.

Lookout, a San Francisco-based mobile threat defense company, is part of NIST’s working group and is pushing for the Cybersecurity Practice Guide to encourage agencies to secure mobile endpoints, data and apps in the cloud, and data and apps on premises.

Lookout is interested in promoting virtual private network (VPN) replacement, continuous risk assessment and continuous conditional access as the practice guide is developed.

“VPN still does what it’s supposed to do, but it’s a snapshot in time of assessing risk on a particular device and user,” D’Angelo said. “The objective moving forward is to look at continuous risk assessment, so really drive zero-trust continuous conditional risk around policy enforcement and effectively have that adapt dynamically and continue to change depending on the risk level.”

That means it will be important for agencies to know the sensitivity level of particular data, so they can apply security policies based on that information. Ideally the Cybersecurity Practice Guide will not only be a best-practices document but also a policy engine for agencies to enforce zero trust, D’Angelo said.
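As an added illustration of the continuous conditional-access model described above (this is not code from NIST, the NCCoE working group or Lookout), the following Python sketch re-evaluates a device's risk score against the sensitivity label of the requested data on every request, and contrasts that with a connect-time-only check. The sensitivity labels, risk signals, weights and thresholds are constructed assumptions for the example, not values from any published guide.

```python
"""Illustrative continuous conditional-access policy engine (added example).

Not NIST's or Lookout's code. It sketches the idea in the article: an access
decision depends on the sensitivity of the data and a device risk score that is
re-evaluated on every request, not once when a VPN tunnel is established.
Labels, signals, weights and thresholds are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Sensitivity(IntEnum):
    """Assumed data sensitivity labels, lowest to highest."""
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2
    RESTRICTED = 3


@dataclass
class DevicePosture:
    """Assumed device-health signals a mobile threat defense agent might report."""
    os_patched: bool
    disk_encrypted: bool
    malware_detected: bool = False
    on_untrusted_network: bool = False


def risk_score(posture: DevicePosture) -> int:
    """Sum weighted risk signals into a 0-100 score (weights are assumptions)."""
    score = 0
    if not posture.os_patched:
        score += 30
    if not posture.disk_encrypted:
        score += 30
    if posture.on_untrusted_network:
        score += 15
    if posture.malware_detected:
        score += 100
    return min(score, 100)


# Maximum tolerated risk score per sensitivity level (constructed thresholds).
MAX_RISK = {
    Sensitivity.PUBLIC: 100,
    Sensitivity.INTERNAL: 60,
    Sensitivity.SENSITIVE: 30,
    Sensitivity.RESTRICTED: 0,
}


def decide(label: Sensitivity, posture: DevicePosture) -> str:
    """Return 'allow', 'step_up' (require re-authentication) or 'deny'."""
    if posture.malware_detected:
        return "deny"  # active compromise overrides every other signal
    score = risk_score(posture)
    limit = MAX_RISK[label]
    if score <= limit:
        return "allow"
    if score <= limit + 20:
        return "step_up"  # slightly over the limit: ask for stronger auth
    return "deny"


@dataclass
class Session:
    """Records one decision per request so a mid-session posture change is visible."""
    history: list = field(default_factory=list)

    def request(self, label: Sensitivity, posture: DevicePosture) -> str:
        decision = decide(label, posture)
        self.history.append((label.name, risk_score(posture), decision))
        return decision


def snapshot_vs_continuous():
    """Compare a connect-time-only check with per-request evaluation.

    Returns (decision under snapshot model, decision under continuous model)
    for a request made after the device becomes compromised.
    """
    healthy = DevicePosture(os_patched=True, disk_encrypted=True)
    compromised = DevicePosture(os_patched=True, disk_encrypted=True,
                                malware_detected=True)
    # Snapshot model: one check at connect time, never repeated.
    snapshot_later = decide(Sensitivity.SENSITIVE, healthy)
    # Continuous model: the same session re-evaluates current posture each time.
    session = Session()
    session.request(Sensitivity.SENSITIVE, healthy)
    continuous_later = session.request(Sensitivity.SENSITIVE, compromised)
    return snapshot_later, continuous_later


if __name__ == "__main__":
    print(snapshot_vs_continuous())
```

The point of the comparison function is the failure mode D'Angelo describes: under the snapshot model the device keeps its "allow" from connect time even after malware is detected, whereas the continuous model returns "deny" on the next request. Wiring real posture signals into such an engine is what the practice guide's builds would have to document.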

“It will focus on different types of solutions but, overall, a general architecture and a blueprint for different agencies to follow,” he said.

About NIST’s Cybersecurity Center of Excellence

This public-private partnership enables the creation of practical cybersecurity solutions for specific industries or for broad, cross-sector technology challenges. Working with technology partners—from Fortune 50 market leaders to smaller companies specializing in IT security—the NCCoE develops modular, easily adaptable example cybersecurity solutions that demonstrate how to apply standards and best practices using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cybersecurity Framework and details the steps needed for another entity to recreate the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Md.