The way some in the United States government and the private sector describe it, the cybersecurity checklists provided by the National Institute of Standards and Technology are onerous requirements that do not automatically translate to better protection. To others, the NIST framework is a battle plan to defend American government and private networks from an onslaught of hackers.
But to all, the NIST guidelines are at the center of a debate about how — and if — the United States government and American businesses can protect sensitive data amid what intelligence and Pentagon officials call a sustained campaign of hacking from China and other foreign countries.
The NIST guidelines provide a framework for how every federal government agency from the Pentagon to the U.S. Postal Service should protect its computer networks systems. Even some businesses voluntarily choose to comply with them because of their comprehensive approach.
To Ron Ross, a fellow at NIST, the argument that compliance with the standards does not equal cybersecurity security is frustrating.
“You get this false argument that you are compliant but not secure. No, compliance does work,” Ross said. "Compliance has to be thought of not as a checklist but as implementing a good risk management program and approach to all of your information technology assets, all your systems and networks.”
“When you simplify the discussion to whether you are compliant or not, that makes no sense. Because compliance is following the NIST guidance, which is risk-based,” Ross said, adding the NIST standards include understanding threat actors, internal vulnerabilities and trying to reduce attack surfaces. For him, these are hardly a box to check off, but rather an approach to good cybersecurity.
As soon as next week, NIST will release its new risk management framework, which includes a new step that requires senior leadership to be involved earlier in the decision-making process when it comes to security and privacy.
“People say that all the time, 'Compliance is a checklist and just because you are compliant doesn’t mean you are secure.’ That’s not how we interpret compliance," Ross said.
Others disagree with the assessment of compliance.
Tom Etheridge, the vice president of worldwide services at threat intelligence firm Crowdstrike, said “being compliant and being secure are two separate things.”
“We have had a couple of commercial organizations call us up this year and they have said, ‘We just got done with our NIST compliance audit and we passed with flying colors, and now we want you to run a red team up against the organization,’” Etheridge said. “The red team is in within a day and the customer is like, ‘Thank god I am not relying on my old NIST-based compliance audit.’”
Etheridge also pointed to an example of a small government contractor who was “fully compliant with federal requirements” but was still hacked by a nation-state actor, likely through a web server vulnerability.
“If the government said a particular control was good enough, they implemented it and moved on. They were fully compliant, but in the end, suspected nation-state actors were able to infest their systems for years,” the company’s 2018 casebook says.
Some government officials have also told Fifth Domain that they feel burdened by the “checklist” security approach that is taken hold inside the U.S. government. One echoed the thoughts of Ethridge, saying that compliance does not equal security.
However, experts still say that the frameworks play an important role in cybersecurity, even if sometimes it’s just a preliminary one.
NIST standards “are not the end all be all, but they are really great step to get you where you want to be,” said Dan Medina, director of strategic and technical engagement at cybersecurity company Glasswall Solutions. “Quite frankly, if you are still using those checklists, then you might be ready for a new job because you should be well past that.”