My organization was recently successfully assessed as compliant with NIST 800-171 by a major component of the U.S. Department of Defense. At almost the same time we were assessed for certification under the ISO 27000 series. My team diligently documented how we support the numerous controls with those two similar, but different, cybersecurity compliance assessments — essentially creating two different sets of compliance documents that map the controls to our policies, procedures, and technologies.
I’m sure I’m not the first person to question the value of having multiple standards for the same functionality. To explain further, let’s for a moment envision a similar scenario familiar to everyone. What if we had many standards for the safe delivery of electricity? What would be the result?
Although it may seem far-fetched, it actually happened. In 1893 the Chicago World’s Fair was put in jeopardy because the insurance industry refused to insure the event, which featured a new, unproven, and dangerous technology — electricity. The resolution of that dilemma spawned both the creation of Underwriters Laboratory and eventually the National Electrical Code (NEC). But not immediately. It took more than four years before all of the standards started to coalesce into the NEC, which has continued to evolve since 1897.
Why is this important to the approach for cybersecurity? The answer: language. To solve the cybersecurity dilemma requires a consistent, clear, and unambiguous language about what we need to do, and how to do it. The NEC is successful because it defined a common way to refer to all aspects of electrical safety that could be easily understood and consistently applied. We need the same approach for cybersecurity.
The approach to cybersecurity is fragmented throughout the world, driven by products that solve pieces of the problem, but lead to inconsistent strategies. The problem is compounded by competing standards, which have overlaps, gaps, and inconsistencies in both descriptions and approaches. The entire industry is mapping from one standard to the next; resulting in higher costs and uneven results.
How can this be fixed, and where to start? Cybersecurity is actually dramatically more complex then electricity; yet establishing a Uniform Baseline Cybersecurity Standard needs to begin immediately. Starting with establishing the absolute minimum basics for an organization. Two recent events may be leading the way to creating a minimum baseline. The first is the passage of the Ohio Data Protection Act, a state law that provides for an affirmative defense when an organization can demonstrate that it has established the security controls in one of a number of Cybersecurity standards, including NIST SP 800-171 (NIST171). The second is a U.S. Government mandate that requires government contractors to be compliant with NIST171 (one specific standard). If these contractors handle Controlled, Unclassified Information (CUI) within their networks.
Why choose NIST171 as a starting point? It is the closest we have to an absolute minimum for a comprehensive cybersecurity approach. The National Institute of Standards and Technology (NIST) created NIST171 to solve a fundamental problem the U.S. Government was experiencing—the protection of sensitive, U.S. Government data CUI that was not national-security-related and was often stored in information systems run by contractors. Those contractors were not bound by the same rules as the U.S. Government. Ironically, contractors were discouraged from investing in cybersecurity because of cost concerns in a very competitive environment. The creation of NIST171 occurred at the same time that contractual requirements were being changed to introduce NIST171 as a minimum requirement.
The first step in the realignment of contractual requirements occurred in 2017 with the revision of the Defense Supplement to the Federal Acquisition Regulations (DFAR). That revision added a clause titled: DFAR 252.204-7012 - Safeguarding covered defense information and cyber incident reporting. The clause requires defense contractors to comply with NIST171 by January 1, 2018. The clause also requires all subcontractors, at all tiers that support the prime contractor, to also meet the minimum cybersecurity standard. The Federal Acquisition Regulations (FAR) will be updated in 2019 to require the same minimum cybersecurity standards for all contractors to the U.S. Government (not just defense contractors).
Where does this leave us? A Uniform Cybersecurity Baseline would develop a common language and drive comprehensive approach for cybersecurity. NIST has created a standard, supported by legislation that takes a proactive approach towards cyber liability. The U.S. Government is mandating compliance with NIST171 for all contractors that handle CUI. Furthermore, of all the standards for creating a comprehensive cybersecurity approach, NIST171 is arguably the absolute minimum that organizations should be doing.
Once a minimum standard is established throughout the government, the next question to ask might be, “What is my CUI?” The reality is that all organizations, both government and commercial, have sensitive information not described by an existing compliance regimen (for example PCI, HIPAA, HITECH, etc.) but would be detrimental, if not devasting, if it were compromised. How do you know that it is protected?