New NIST Guidelines Offer Starting Point for Cybersecurity

Important highlights about the National Institute of Standards and Technology (NIST) update of its guidance to organizations for assessing their internal security IT system.


The National Institute of Standards and Technology (NIST) has issued a final update of its guidance to organizations assessing their internal security IT systems.

The NIST “Assessing Security and Privacy Controls in Information Systems and Organizations” document advocates an assessment and procedures approach that provides guidelines on areas of the compute and network infrastructure to examine to discern security issues.

Some of the guidelines include improving organizational assessments of current cybersecurity infrastructure, promoting better cybersecurity awareness among users, enabling cost-effective security assessment procedures and privacy controls, and creating reliable security information for executives.

NIST’s assessment guidelines are comprehensive, but the approach has a potential problem: it is too reliant on self-assessments, with no requirement for external validation to ensure completeness. Cybersecurity experts say that relying solely on these self-assessments is too much like “letting students write their own exam,” which could compromise the integrity of the answers and invite shortcuts.

The rigor of the self-assessment is critical to the successful use of the NIST approach. For example, the TorchLight Ransomware Gap Assessment (RGA) is based on the NIST approach, but the assessment is carried out by a team of professionals who return a comprehensive assessment.

This need for completeness shows up in the asset inventory, the list of devices and systems that make up a company’s threat landscape. The inventory has always been a foundation of strong cybersecurity response and must be comprehensive to be effective. Companies without a firm grasp of the assets at their disposal could face foundational gaps in their security configuration and infrastructure.

Adding controls to the self-assessment, similar to how US Federal government agencies work, adds checks to the process that can be beneficial. I think that audits are important for businesses, leading teams to defer to policies and procedures.

My general recommendations for companies that are interested in taking charge of their security situation using NIST assessments include:

  • An assessment approach that involves technically adept personnel from outside the CIO office/IT department, to give a fresh look at the infrastructure.
  • A strong asset model with a good understanding of inventory.
  • A configured change management system that covers all infrastructure: hardware, software, and cloud. This database needs to be updated with every device addition, change, or software update.
  • Consistent audits by auditors who do not face retribution, or audits that can be validated by second parties, leading to a “trust, but verify” scenario.
  • Updated, well-developed topologies to guard endpoints and IoT devices from problems like ransomware.

Trust- and risk-based concerns about third-party monitoring are real, and they are an issue that TorchLight continues to work on with its clients. Still, sharing the responsibility and duties of implementing the NIST guidelines with a security partner can help companies pursue the highest quality of security infrastructure.