NIST: Framework Getting Back on TrackFinal Cybersecurity Best Practices Guide Still Slated for February
The partial federal government shutdown caused the National Institute of Standards and Technology to miss the Oct. 10 deadline for publishing a preliminary version of the cybersecurity framework. But NIST still expects to meet the February deadline for releasing the final version of the voluntary best practices standards for protecting critical infrastructure IT.
See Also: Case Study: The Road to Zero Trust
NIST should know in the coming week when the preliminary version of the framework will be issued, says Jennifer Huergo, a NIST spokeswoman. But she says NIST will meet the deadline for the final version established by President Obama in an executive order issued last February (see Identifying Gaps in Cyber Framework).
The framework's preliminary version will be circulated well before the next cybersecurity workshop NIST will hold in Raleigh, N.C., on Nov. 14-15, where stakeholders will help shape the final version of the framework.
NIST is coordinating the public-private sector initiative to develop the framework that's designed to create IT security best practices that the nation's mostly privately owned critical infrastructure operators could voluntarily adopt. The White House had designated Oct. 10 as the day NIST should have issued a preliminary framework.
Nearly all NIST employees were deemed nonessential government personnel and furloughed during the 16-day shutdown, halting not only work on the cybersecurity framework but on its IT security and information risk guidance (see NIST Suspends Work on Obama's Cybersecurity Framework). There were no scheduled releases of NIST guidance during the shutdown, Huergo says.
IT Staffs Busy Restoring Services
Like most government agencies, the first days back from the 16-day partial government shutdown kept NIST's IT staff extremely busy.
"As expected upon our return, Internet bandwidth usage was much higher than normal, and reached the maximum capacity early Thursday morning [Oct. 17] as desktops were turned on, e-mail was downloaded and patches were downloaded and installed," Huergo says. "Our IT help desk experienced a much higher than normal volume of calls and requests. Calls were predominantly questions about the status of specific services and requests for assistance for password resets as some passwords expired during the shutdown."
At the start of the partial shutdown on Oct. 1, most government agencies, including NIST, disabled IT service access for mobile devices assigned to furloughed staff and spent the first day back reversing those changes.
Most federal agencies either created special pages informing stakeholders their websites were shuttered during the duration of the shutdown or posted notices that their webpages would not be updated during the shutdown.
Extra Time Needed on Some Systems
NIST spent most of the first day after the shutdown, Oct. 17, working to restore its homepage, although other pages - such as those linking to NIST guidance - were available earlier in the day. Copies of NIST guidance posted on its website were unavailable during the shutdown because the agency created specialized firewall policies as a security precaution to disable access to the publications and other agency services.
As Department of Commerce IT staffers discovered, restoring systems can take time. Huergo says IT staffers on the morning of Oct. 18 were still working on restoring to normal operations certain significant and critical portions of complex financial and business systems that support NIST and eight other Commerce Department agencies.
Though no reports have surfaced of security problems as agencies restored information systems, experts caution that IT and IT security staffs should be on guard for potential problems (see IT Seen As Vulnerable As Shutdown Ends). The experts highlight the need for agencies to patch applications as soon as systems are brought back up and to make sure systems aren't restored to default settings that lack security fixes.
Alan Paller, research director of the SANS Institute, an information education and certification organization, warns that hackers could have used the two-weeks-plus of the shutdown to plan ways to exploit vulnerabilities in systems as they're being restored but before patches and other fixes can be made. "The bad guys have had time to hone their tools," Paller says.