NIST Releases, Requests Comments on Cybersecurity Resources

(September 22, 2016 – Jarret Cummings) The National Institute of Standards and Technology (NIST) has released three cybersecurity resources of potential interest to EDUCAUSE members:

  • Baldrige Cybersecurity Excellence Builder: Key Questions for Improving Your Organization’s Cybersecurity Performance (DRAFT) (Comments due December 15, 2016)
  • Assessing Threats to Mobile Devices & Infrastructure: the Mobile Threat Catalogue (DRAFT) (Comments due October 12, 2016)
  • NIST Special Publication (SP) 800-177: Trustworthy Email (FINAL)

1. Baldrige Cybersecurity Excellence Builder: Key Questions for Improving Your Organization’s Cybersecurity Performance (DRAFT)

NIST intends the Baldrige Cybersecurity Excellence Builder (BCEB) to help organizations assess how effectively they plan for and manage cybersecurity risks. The framework deliberately avoids prescribing “one-size-fits-all” approaches to cybersecurity; instead, it helps users think through effective policies and strategies based on their own organizational context. It addresses issues such as:

  • Determining key cybersecurity activities based on business strategy and critical services;
  • Prioritizing cybersecurity investments from a risk perspective;
  • Optimizing cybersecurity awareness and compliance across employees and stakeholders; and
  • Assessing cybersecurity efficiency, effectiveness, and improvement options.

NIST has made this resource available in draft form to encourage feedback from potential users ahead of a formal “version 1.0 release.” Comments are due via email to [email protected] by December 15, 2016. NIST requests input on the following issues in particular:

  • “the relative value of different parts of the BCEB for assessing your cybersecurity risk management efforts,
  • perceived gaps in the BCEB, and
  • the user-friendliness of the BCEB.”

2. Assessing Threats to Mobile Devices & Infrastructure: the Mobile Threat Catalogue (DRAFT)

This NIST resource pairs a catalogue of cybersecurity threats and vulnerabilities, with associated mitigation strategies, for mobile data/telecommunications devices (e.g., smartphones) and infrastructure with a report that reviews the overall context for mobile cybersecurity. It is largely intended for “[m]obile security engineers and architects” so they can “build threat models, enumerate the attack surface of their mobile infrastructure, and identify mitigations for their mobile deployments.” However, because higher education IT/security leaders and professionals must increasingly plan for and manage the intersection of campus and mobile networking and telecommunications infrastructures, they may find the report and threat catalogue useful in addressing that intersection within their institution’s overall cybersecurity strategy.

NIST has asked experts and interested parties to provide input that would allow it to further strengthen and clarify the catalogue, with comments due via email to [email protected] by October 12, 2016.

3. NIST Special Publication (SP) 800-177: Trustworthy Email (FINAL)

NIST SP 800-177 provides guidelines and recommendations for enhancing the security of enterprise email; it reviews “state of the art email security technologies” for the detection and prevention of relevant security exploits such as phishing. Intended for email system administrators as well as cybersecurity and networking professionals, the report specifically focuses on guidance for “email content security [including] the encryption and authentication of message content using S/MIME (Secure/Multipurpose Internet Mail Extensions) and associated certificate and key distribution protocols.” The report is now in final form, although comments and suggestions for future updates may be submitted via email to [email protected].
Jarret Cummings is director of policy and government relations at EDUCAUSE.