As reported in GCN on September 29th, the US National Institute of Standards and Technology (NIST) has published a 35-page draft cybersecurity self-assessment tool. The Baldrige Cybersecurity Excellence Builder provides an assessment of an organization's security maturity level. The document is open for public comment through December 15, 2016. NIST has also released a 97-page SP 800-177, Trustworthy Email, to address issues not covered by its basic email guidance document, SP 800-45, which was published nearly 10 years ago.
The Baldrige Cybersecurity Excellence Builder pulls together two prized Commerce Department initiatives. The new tool incorporates elements of NIST's Cybersecurity Framework, which was introduced in February 2014, and takes inspiration from the Baldrige Award, created in 1987 and named after the late Commerce Secretary Malcolm Baldrige.
The award resulted in the Baldrige Excellence Framework, which organizations can use to build performance-boosting programs. After that came the Baldrige Performance Excellence Program, managed by NIST, that also includes various self-assessment tools that can tell organizations how well they are doing.
The Cybersecurity Framework is proving to be as popular as the Baldrige program has been over the years, and there's hope it might be as effective. Though it has its critics, the Cybersecurity Framework has so far been adopted by around 30 percent of U.S. organizations, according to Gartner, and that's expected to rise to 50 percent by 2020. Pretty impressive numbers.
The new assessment tool guides users through a process that details their particular characteristics and strategic needs for cybersecurity and will enable them to:
- Determine cybersecurity-related activities that are important to business strategy and the delivery of critical services
- Prioritize investments in managing cybersecurity risk
- Assess the effectiveness and efficiency of using cybersecurity standards, guidelines and practices
- Assess cybersecurity results
- Identify priorities for improvement
At the end, the assessment will put the organizations at a certain maturity level -- reactive, early, mature or role model -- and from there, each organization can build out its own action plan for upgrades and cybersecurity improvements.
Email security has also long been a focus for NIST, with its Special Publication 800-45 providing basic guidance. However, the most recent version of that guidance was published in early 2007 and the universe of security threats has grown much larger.
The 97-page missive on Trustworthy Email, SP 800-177, seeks to plug the holes. Billed as complementary to 800-45, it provides more up to date recommendations for managing digital signatures, encryption, spam and more.
Man-in-the-middle attacks have become widespread, for example, as a way for bad actors to put themselves between the sender and receiver of a clear-text email so they can get information directly from the email. The NIST publication points out that these attacks can be prevented by encrypting email end-to-end and by implementing message-based authentication and confidentiality procedures.
Two good resources for all of us.
Hat tip to Dave Ries.
E-mail: firstname.lastname@example.org Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology