In 2020, NIST prioritized helping individuals and organizations shift to a more online environment to keep people safe and our economy productive. Despite the many challenges brought by the pandemic, we were fortunate to be able to continue our work on an array of new resources to help manage cybersecurity and privacy risks. As NIST looks ahead to the “new normal,” we plan to build on lessons learned during the pandemic and to be even more strategic in anticipating and tackling the many challenges ahead.

We’ve made New Year’s resolutions: to increase our attention on managing cybersecurity risks as part and parcel of the larger enterprise risk, to pay greater heed to the intersection between cybersecurity and privacy, to stress the cybersecurity of systems versus components, and to engage more forthrightly internationally and in our cross-cutting standards work.

So, what can government agencies, private sector organizations, and others who rely on NIST look forward to when it comes to assistance with cybersecurity and privacy-related matters in 2021? Here’s a brief preview, organized to highlight our decision to focus on nine priority areas for the next several years.

We’re fully engaged in our enhancing risk management initiative to produce a coordinated and cohesive portfolio of complementary resources that can be used individually or together to help public and private organizations at all levels of the enterprise. This spring we’ll seek public comments on the Cybersecurity Framework (CSF) — how it’s being used and how it could be improved. We won’t be looking at the CSF in isolation. NIST will want to know how we might better mesh the CSF with the NIST Privacy Framework (PF), the NIST Risk Management Framework (RMF), and supply chain risk management approaches as well as with enterprise risk management (ERM). We also will issue CSF profiles for Positioning, Navigation, and Timing Services (final), election systems (draft), and the maritime sector (draft).

We’ll soon propose a revision to “Supply Chain Risk Management Practices for Federal Information Systems and Organizations” (SP 800-161). That’s a key NIST Cyber-Supply Chain Risk Management (C-SCRM) document relied upon heavily in the private and public sectors. And we’re preparing to release a collection of key practices and recommended activities, and will share more information on a new forum for federal agencies and their contractors to convene and share ideas regularly on C-SCRM issues.

Among the other new and updated guidance federal agencies can expect are the final versions of Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171 and a revision to NIST SP 800-53A, which provides procedures for assessing security and privacy controls. Comments are due in March on NIST’s recently proposed revisions to the venerable Security Guide for Interconnecting Information Technology Systems (SP 800-47), which add much-needed emphasis on protecting information exchanged across organizations and on the risk basis for information exchange decisions. Importantly, we are expanding the formats, sources, and data sets of our central security control catalogue so that tool users, developers, and automated techniques can take full advantage of this resource.

We’re off to a quick start — literally — in the privacy arena in 2021, having released a quick start guide to the increasingly popular voluntary NIST Privacy Framework. Nominally for small and medium businesses, this guide can help any organization with constrained resources get a risk-based privacy program off the ground or improve an existing one. We’ve also released a much-needed stakeholder-contributed crosswalk between the California Consumer Privacy Act (CCPA) and the Privacy Framework.

Strengthening cryptographic standards and validation has long been a mainstay of NIST’s cybersecurity efforts, and 2021 will be no different. Examining new approaches to encryption and data protection that will protect against a quantum computer’s assault, NIST’s competition “selection round” will help the agency decide on the small subset of submitted algorithms that will form the core of the first post-quantum cryptography standard. NIST will move closer to releasing the initial standard for quantum-resistant cryptography, which will be unveiled in 2022. Before then, very likely this year, NIST will select winners in a competition to solicit, evaluate, and standardize lightweight cryptographic algorithms suitable for use in constrained environments where the performance of current NIST cryptographic standards is not acceptable.

With cybersecurity awareness, training, education, and workforce development more critical than ever, the NIST-led National Initiative for Cybersecurity Education (NICE) this year is stressing the importance of Competencies as a way to describe cybersecurity skills and to communicate between employers and learners. Stay tuned for the release of materials on those competencies to supplement the Workforce Framework for Cybersecurity (NICE Framework). NICE also will share an Implementation Plan for the NICE Framework goals — and begin to document progress.

Throughout the year, expect more details about…

Read The Full Article at NIST