NIST Seeks Input on Cyber Resiliency Guidance
With the proliferation of ransomware attacks on a variety of systems, it’s no longer a matter of “if” an organization’s IT infrastructure will be breached – just “when.” NIST has responded with new draft guidance on how to mitigate the damage from a successful cyberattack on your systems.
NIST currently is seeking public feedback on its 264-page document entitled “Draft NIST Special Publication 800-160, Volume 2, Revision 1, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach.” This document shifts away from typical, perimeter-based defense mechanisms and provides insights and resources to help entities prepare for now seemingly inevitable ransomware attacks and other cyber threats.
Anyone interested in providing comments and feedback on the guidance has until Sept. 20 to do so.
The guidance is intended to be used with previously released NIST publications associated with system life cycles and cybersecurity and as a supplement to an international standard. NIST officials describe the new guidance as a “catalog or handbook” to help organizations zero in on cyber resilience outcomes drawn from a perspective that combines risk management and life cycle processes.
Such risk management guidance has become necessary because so much of today’s operating landscape is cyber-contested. The expectation is no longer whether organizations will experience a cybersecurity breach, but when. This guidance is meant to help organizations limit the damage once a threat actor is inside their network and recover faster.
One change introduced with this guidance is an update to the controls that support cyber resiliency, to ensure they are consistent with NIST SP 800-53, Revision 5, the catalog of Security and Privacy Controls for Information Systems and Organizations.
This resiliency draft also standardizes on a single threat taxonomy, a classification system for the various types of cyberthreats: MITRE’s Adversarial Tactics, Techniques and Common Knowledge, or ATT&CK, framework. Officials also provide a comprehensive mapping and analysis of cyber resiliency implementation approaches and supporting NIST controls to ATT&CK techniques.
If you need help reinforcing your cybersecurity stance through regulatory compliance and tightened controls, we can help. Contact 2W Tech today to get started with your Cybersecurity Compliance Program and let our IT consultants do the work for you.