The National Institute of Standards and Technology has published a draft of its objectives for cybersecurity standardization, following in many ways the consultative model that it used successfully in drafting the NIST Framework for critical infrastructure cybersecurity.
The NIST international standards report, published August 11, encourages federal agencies to support development of international consensus standards in many cybersecurity areas, including cryptographic techniques, IT system security evaluation, identity management, network security, software assurance, and supply chain risk, among others.
The report strongly endorses the adoption of international consensus standards, over promulgation of government specific standards, because among other considerations, they are more likely to address and maintain market relevance, benefit from an open and transparent development process, and are more likely to be widely adopted.
Perhaps the most useful segment of the NIST report is a matrix, backed by a comprehensive and well-documented analysis, of the current state of standards development in 10 core areas of cybersecurity standardization. It identifies those areas where standards are in development or are needed in a half-dozen key IT applications, such as cloud computing, industrial control systems and health IT. This matrix provides a roadmap for establishing the priorities that agencies and industry may use adopt in developing critical cybersecurity standards.
As with its critical infrastructure Framework process, NIST is seeking public comment on the draft report for inclusion in its final report to Congress. Comments may be submitted through September 24, 2015 addressed to: [email protected] (Subject: “Comments on Draft NISTIR 8074”). Comments Templates may be found at: http://csrc.nist.gov/publications/drafts/nistir-8074/nistir_8074_vol1_draft_comment_template.doc.