The 35-day government shutdown that stretched from the end of December 2018 to the end of January 2019 left some information security professionals in a quandary: they no longer had access to the resources they needed to comply with security standards established to help public and private entities protect data and systems.
The rationale behind the decision by the National Institute of Standards and Technology to take down its website was that workers could no longer update its resources, which therefore could not be declared current, because nearly 85 percent of NIST staff members were furloughed. As a result, when anyone tried to access information security documents from the NIST website during the shutdown, here’s what they saw:
“We got a lot of negative email on that,” said Ron Ross during a March 26 fireside chat at the RSA Federal Summit. Ross is a fellow at NIST who focuses on cybersecurity, systems security engineering, and risk management.
Indeed, the move also spurred a notable response on social media. NIST standards are used not only by government agencies but also by private sector companies, including government contractors. As one private sector chief information security officer said in a LinkedIn post, “NIST just crippled portions of the website so that we could not access the documentation that taxpayers have spent millions of dollars on.” He went on to call NIST’s decision to remove access to some of its already existing resources “infuriating to those who rely on having NIST around to help with cybersecurity progress,” spurring “powerful reaction from people who care about the state of our digital resources.”
But why would real-time access to standards be so essential? What resource could be so critical that technologists across sectors would rage over a one-month outage? Consider this scenario: another LinkedIn user pointed to his project, which involves testing software for common vulnerabilities using the National Vulnerability Database hosted online by NIST. When NIST went offline, his software broke.
Ross acknowledged the issues and said NIST convened a committee to determine how it might function the next time a shutdown occurs. One possibility, he said, is that agency leadership is considering keeping the website up, but with a disclaimer that content would not be updated until government reopened and employees returned to work.
“That makes sense to me,” Ross said. “Content has been developed, why shouldn’t you have access to it? Just because we’re shutting down doesn’t mean you have to shut down as well. There can be a big impact on private sector companies who are relying on our guidance to do their day-to-day operations. So hopefully we’ll fix that.”