Inside NIST's cybersecurity strategy

For Kevin Stine and the rest of the team in the computer security division at NIST’s IT laboratory, cybersecurity is all consuming. The threats and attacks continue to grow and evolve. And cyber’s profile on the national scene has never been higher.

As the manager of security outreach and integration, Stine’s role is to take the standards, guidelines and NIST research and development and apply it all to different sectors and users such as health IT, smart grid and supply chain risk management.

He spoke recently with Editor Nick Wakeman about trends in cybersecurity.

Washington Technology: When you look at the next 12 to 18 months, what are NIST’s goals?

STINE: There are no shortage of priorities but we’ve focused on four:

Mobile security, and not just the device perspective but how do we protect data and information in a mobile environment and in different use cases, such as health IT.

Second is information security continuous monitoring. There is push across government. Not just guidelines but getting into the more technical underpinnings to enable the exchange of security data and leverage security automation work that’s needed for continuous monitoring. There is great value in the exchange of data and interoperability between different security tools and technologies and then aggregating that data and making decisions based on that data.

Third is identity management with standards work and personal identity verification cards and HSPD-12 that continues to be implemented.

The fourth focus is the SHA-3 Hash algorithm. We have a competition to identify a new national standard for a cryptographic hash algorithm. The public competition started in 2007. These things take a long time because of all of the development work that has to happen.

WT: Why are these important priorities?
STINE: They align with national priorities and the administration’s priorities. And we want to stay current with technology and future and near future technologies that are coming down the pike. We also need to respond to our stakeholders and customers.

WT: Why is automated reporting important?
STINE: If you can get the different tools and technologies operating in our environment to share data and then you can aggregate that data, you then have a larger set of information to correlate and make more informed decisions. A lot of our work is on the technical specifications that will let those tools communicate and allow greater analysis to take place.

WT: What advice do you have for agencies and contractors on how to set their cyber priorities?

STINE: We don’t really offer advice but we are consulted on standards and technologies. Most of our input to federal agencies and contractors is that agencies need to understand their data and the value of their data and the threat environment in which they operate.

They need to conduct a good risk assessment to understand the risks they face and then to identify the security controls they need to have to reduce those risks to an acceptable level.

WT: How should agencies separate cyber hype from substance?
STINE: There are a few things they should try to do. One is to understand their challenges and use case and to understand their technical environment.

If they have those, they can drill down into the services being offered or the technical capabilities of the product being offered to determine if those products or services fit their use case.

With any request for products or services, they need to check references, and to the extent that they can, they should try different solutions within their infrastructures.

Try before you buy, so to speak, to get some hands on experience and see how it responds to their needs.

WT: Any advice for contractors?
STINE: They need to stay abreast of the technology trends as well as the standards in the space and how the trends are impacting government activities across different missions.

The government touches nearly every industry you can think of, so there is an amazing breadth and depth of activities and missions that contractors need to stay abreast of and how technology impacts them.

Companies should engage government agencies through different working groups and forums to understand the needs of the agencies and the agencies’ constituents and stakeholders.

WT: Any online resources that you recommend?
STINE: The Computer Security Resource Center at NIST – csrc.nist.gov. That is the online site for standards and guidelines. There are descriptions of our key research areas and projects. There is contact information as well.

And the National Cybersecurity Center of Excellence – csrc.nist.gov/nccoe. That is a public-private collaboration to accelerate the widespread option of integrated cybersecurity tools and technologies.