
Nation-State Hacking and NIST – What’s the Connection?

Why has NIST been creating such a buzz lately? Earlier in the year I attended an invitation-only presentation hosted by the regional office of the FBI; a presentation given annually to all movers and shakers in the cyber community. It proved to be a most excellent presentation and an eye opener!


I’ll get to NIST in a minute – but first some stats:

  • The annual cost to the U.S. economy of counterfeit goods, pirated software, and theft of trade secrets is between $225 billion and $600 billion.

  • To achieve its strategic goals, China relies on various state-directed plans. These plans provide insight into the kinds of intellectual property and trade secrets the country targets and seeks to acquire from foreign sources. At present, China’s government has as many as 100 plans guiding China’s foreign acquisition in science and technology, and their scale and influence are impressive. Two of the most important among these plans include the 13th Five-Year Plan and the Made in China 2025 Plan.

  • The Made in China 2025 Plan lists 10 domestic Chinese industries in which China seeks to significantly reduce its reliance on foreign-produced technology and develop 70% of the components for these projects in China.

These include:

  • Computer numerical control machine tools and robotics

  • Aerospace equipment 

  • Electric power equipment

  • Marine engineering equipment and high-tech ships 

  • Agricultural equipment

  • Advanced rail transportation equipment

  • New materials

  • Energy-efficient and new-energy automobiles

  • Biomedicine and high-performance medical instruments

This article could go on for several pages, listing specific cases and cyber thefts (as well as physical theft) and I haven’t even discussed what’s happening from Iran and other states. One Security Operations Manager recently showed me the Iran-origination IPs that had been attacking his clients - but now to the NIST connection.

The National Institute of Standards and Technology has been releasing cybersecurity frameworks and guidelines since 2003 to protect the nation's interests and infrastructure.

Regarding the stats above, DFARS or NIST 800-171 is a set of standards that define how to safeguard and distribute material deemed sensitive but not classified. NIST 800-171 was developed after FISMA (Federal Information Security Management Act) was passed in 2003, resulting in several security standards and guidelines.

Many subcontractors in the private sector manufacture widgets, devices, or have processes, intellectual property and technologies that relate to many of the desirable components listed above. NIST is a standard of compliance that can provide government or private sector contractors with some assurance that their business, data, processes and technologies are operating at an acceptable level of security. 

Problem is, many good companies – even multi-million dollar ones – have good IT personnel, but lack the resources to assess, remediate and maintain the appropriate controls, policies and procedures. 

Here are three key actions which are not difficult to complete:

  1. Get a NIST Control Gap Assessment.  At a fraction of a percentage of the cost of fines, fees, business loss and all costs associated with serious data breach incidents, this is a must-do investment. 

  2. Hire a Reputable Penetration Test Company. How “hackable” are you not only from the outside, but from the inside? A good external and internal test (and web application if applicable) is a small price to pay to know the answer. Indeed, it is a control found in NIST and all cybersecurity frameworks. 

  3. Engage a Fractional CISO to Kick Off Your Cyber Roadmap. Many companies do not have a Chief Information Security Officer, even as they approach $1 billion in revenue. It is critical to engage with an experienced contractor, with years of senior experience, who has the ability to align business interests and protect the company's assets with NIST or other frameworks.

There are many tactical activities which will result from the three simple actions above. The immense change in an organization’s cyber posture will exponentially accelerate upon their completion.
