New NIST Security Guidelines Raise the Bar

On May 12th, 2021, President Biden signed Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity. Its stated focus is the security of federal systems and the software supply chain that feeds them, but a closer reading of everything the order requires reveals how much information security work fulfilling it will take. It will undoubtedly raise the bar for information security across the board for all U.S. government entities and, importantly, their suppliers. This is more than a nod of acknowledgement that the country is woefully behind in the race to lead in cyber defense. Our defenses have always seemed to take a back seat to building offensive capabilities, whichever aspect of defense is assessed. The President clearly intends to see agencies make a significant improvement in their operations.


The EO set specific deadlines by which NIST was to complete its work and publish guidance for the nation: first a definition of “critical software” (released at the end of June), then security measures for using that software that address the nation’s current and foreseeable risks. NIST released the latter on 8 July. Although the authors stressed that the content should be considered initial guidance rather than a comprehensive plan, the baseline the publication contains is clearly above what is accepted as the “norm” in many government service organizations.


For instance, the very first security measure listed in the July guidance is multi-factor authentication (MFA) for all users and administrators of critical software. That alone points at the plethora of legacy software still running the greater part of the government’s operations and calls for an intensive adjustment. Yet the guidelines do not stop there: the MFA must be verifier impersonation-resistant, a term NIST SP 800-63B reserves for authenticators that cryptographically bind to the site being logged into (FIDO/WebAuthn security keys and PIV smart cards, for example). That rules out second factors a phishing site can simply relay, such as codes delivered by e-mail or text message, and non-factors such as checking the user’s source address. That is a theme seen throughout the publication: it is not enough to bring decades-old systems into the 21st century by updating to yesterday’s acceptable solutions. The EO and NIST are calling for forward-looking security planning.
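To make the distinction concrete, the following Python is an added illustration written for this article; it is not code from the original post nor from NIST. It simulates a relying party, a user and a phishing proxy in one process. An emailed or texted code passes verification no matter where the victim typed it, because the server only compares digits. A WebAuthn-style assertion is signed over the origin the browser was actually on, so the same relay attempt fails. All names, origins and keys are constructed, and an HMAC key shared with the server stands in for the authenticator’s per-site asymmetric key so the example needs no third-party library.

```python
"""Emailed/SMS one-time codes versus an origin-bound (WebAuthn-style) assertion.

Constructed demonstration: relying party (RP), user and phishing proxy are all
simulated in-process. Origins, identifiers and keys below are made up.
"""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "portal.agency.example"                 # assumed RP identifier
RP_ORIGIN = "https://portal.agency.example"     # assumed genuine origin
PHISH_ORIGIN = "https://portal-agency.example"  # assumed look-alike site

# --- Channel 1: one-time code delivered out of band (e-mail or SMS) ---------

class OtpRelyingParty:
    """Server side of an emailed/SMS code flow: it only checks the digits."""
    def __init__(self):
        self.pending = {}

    def send_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return code  # in reality this is e-mailed or texted to the user

    def verify(self, user, code):
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)

def otp_phishing_relay():
    """Adversary-in-the-middle: the victim types the code into the phishing
    site, which forwards it verbatim. Nothing ties the code to the page it was
    typed into, so the RP accepts it."""
    rp = OtpRelyingParty()
    code = rp.send_code("alice")         # RP e-mails alice a code
    captured = code                      # alice types it into PHISH_ORIGIN
    return rp.verify("alice", captured)  # proxy replays it to RP_ORIGIN

# --- Channel 2: origin-bound assertion (WebAuthn-style) ---------------------

class Authenticator:
    """Signs (authenticatorData || SHA-256(clientDataJSON)).
    Real authenticators use a per-RP asymmetric key; an HMAC key shared with
    the RP stands in here to keep the example dependency-free."""
    def __init__(self, key):
        self.key = key

    def get_assertion(self, rp_id, browser_origin, challenge):
        # The browser, not the user, records the origin it is actually on.
        # (A real browser would also refuse to use a credential whose rp_id
        # is not a registrable suffix of browser_origin; we let it through
        # to show the RP-side check standing on its own.)
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            separators=(",", ":"),
        ).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.key, signed, hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

class WebAuthnRelyingParty:
    def __init__(self, key):
        self.key = key
        self.challenges = {}

    def begin(self, user):
        ch = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
        self.challenges[user] = ch
        return ch

    def verify(self, user, assertion):
        cd = json.loads(assertion["clientDataJSON"])
        expected = self.challenges.pop(user, None)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected:
            return False
        if cd.get("origin") != RP_ORIGIN:  # the verifier impersonation check
            return False
        if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False
        signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected_sig = hmac.new(self.key, signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected_sig, assertion["signature"])

def webauthn_login(browser_origin):
    """One login where the user's browser is on browser_origin. A phishing
    proxy can forward the genuine challenge, but it cannot change the origin
    the authenticator signed over."""
    key = b"constructed-test-key"
    rp, auth = WebAuthnRelyingParty(key), Authenticator(key)
    challenge = rp.begin("alice")
    assertion = auth.get_assertion(RP_ID, browser_origin, challenge)
    return rp.verify("alice", assertion)

if __name__ == "__main__":
    print("OTP relayed through phishing site accepted:", otp_phishing_relay())
    print("WebAuthn from genuine origin accepted:", webauthn_login(RP_ORIGIN))
    print("WebAuthn from phishing origin accepted:", webauthn_login(PHISH_ORIGIN))
```

The challenge check alone does not help against a live proxy, since the proxy can relay the real challenge; it is the origin (and rpIdHash) bound into the signed data that the attacker cannot forge, which is what “verifier impersonation-resistant” buys.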


Speaking of planning, the EO did not limit its scope to the agencies alone. The Office of Management and Budget (OMB), the agency that holds the purse strings for many others, has been directed to incorporate the NIST guidelines into its expectations for software and services provided to the government by third parties. The private sector is going to have to step up its game as well in order to win government contracts. As a rule of thumb, when an entity as large as the U.S. government raises its baseline requirements, it is a safe bet that a sea change in business requirements is coming around the world.


Webcheck Security is a powerful ally in securing success for you and your organization during these times of change, with Fractional Information Security Officers (FISOs) ready to guide you along the most efficient path to your objectives and a penetration testing team that goes the extra mile to ensure your defenses are operating at expected levels. Webcheck will save you time and money while improving goodwill across your customer base.


To learn more visit WebcheckSecurity.com