NIST Updates Cyber Resiliency Guide to Account for Increasingly Sophisticated Threats

In a draft update to its flagship cyber resiliency publication released Thursday, experts from the National Institute of Standards and Technology offer a next-gen strategy for protecting critical information technology systems from their inside out.

The new, 264-page document—titled, “Draft NIST Special Publication 800-160, Volume 2, Revision 1, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach”—shifts away from typical, perimeter-based defense mechanisms. It provides insights and resources to help entities prepare for now seemingly inevitable ransomware attacks and other cyber threats. 

Those interested in offering comments and feedback on the guidance may do so between now and Sept. 20.

“Our customers are federal agencies, state and local governments, and private sector companies—both U.S.-based and overseas. Our customers come from all over the world and they will look at the draft document, and they will go through it with a fine-tooth comb,” Ron Ross, a NIST fellow and co-author of the draft, told Nextgov in an interview Thursday. “We put it out there and we get comments back within a 45-day period. Then, we take every one of those comments and we analyze them and we make improvements based on our customer feedback. The next publication of this document is going to be the final publication because the material is so important and we want to get it finalized as soon as we possibly can.”

Ross has worked in cybersecurity for more than 30 years. He’s been with NIST since 1997 and served more than 20 years in the Army prior to that. Currently, he operates within NIST’s Information Technology Laboratory. 

“I think public service has been almost a half-a-century for me,” he noted, “but I just love what I do.” 

And it shows. Ross underwent a full hip replacement a couple of weeks ago—right as this draft was coming to completion. He got home from the hospital knowing “this stuff had to move,” so he worked virtually from his recliner to help his small team see it through to an on-time publication. 

“I just turned 70 in March of this year and I could have been retired a long time ago—but I'm not going anywhere because I'm having fun,” he said. “And the mission couldn't be more important.”

This guidance is intended to be used in conjunction with previously released NIST publications associated with system life cycles and cybersecurity and as a supplement to an international standard. It serves as a “catalog or handbook,” officials note in the draft, to help organizations pinpoint cyber resilience outcomes drawn from a perspective that combines risk management and life cycle processes. They offer certain constructs—objectives, techniques, approaches, and design principles—which entities can adapt and apply to their new or existing environments. 

Ross and the other authors from NIST and not-for-profit organization MITRE, define cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Safeguards are essentially built and engineered into these systems. 

In the draft, the officials argue that such an approach is necessary for cyber-contested landscapes, such as those with advanced persistent threats. “Therefore, any discussion of cyber resiliency is predicated on the assumption that adversaries will breach defenses and that, whether via breaches or via supply chain attacks, adversaries will establish a long-term presence in organizational systems,” they wrote, adding that “the assumption of a sophisticated, well-resourced, and persistent adversary whose presence in systems can go undetected for extended periods is a key differentiator between cyber resiliency and other aspects of trustworthiness.”

Ross enjoys using analogies to help make sense of cybersecurity’s many complexities. The draft includes such a comparison to the human body, but to put this concept further into perspective, he offered another analogy about protecting a person’s home.

“In the past, if you can imagine, what we've tried to do is kind of like your house—you have a lock on the front door, maybe a deadbolt, maybe bars on windows—but you try to keep the bad guys out of your house,” he explained. Still, those external defenses may not always be strong enough to withstand such threats, particularly as they advance in sophistication. Once inside, the bad actors could target valuables like jewelry or coin collections, Ross said. 

“For this next generation of our defenses, we're still going to try to stop them—but what we're going to do in addition to that is bring in some additional things that can help limit the damage they can do once inside. And so, with the analogy of the house, let's say that the bad guys get in your front door. Now every room inside has either a vault or a safe,” he explained. “When we talk about cyber resiliency, we're talking about the ability to withstand and anticipate and absorb an attack, and have that system continue to operate, even if it's not in a perfect state.”

Ross also elaborated on several notable changes in the revamped document.

It includes updates to the controls that support cyber resiliency to ensure they are consistent with NIST SP 800-53, Revision 5, or the catalog for Security and Privacy Controls for Information Systems and Organizations. That document is one of NIST’s most downloaded publications, he noted, and this framework needed to reflect changes that came with an update to it last year. 

Further, this latest resiliency draft standardizes on a single threat taxonomy, which is essentially a classification system for various types of cyber threats. They use MITRE’s Adversarial Tactics, Techniques, and Common Knowledge, or ATT&CK framework. Officials also provide a comprehensive mapping and analysis of cyber resiliency implementation approaches and supporting NIST controls to the ATT&CK techniques.

“An adversary has a specific set of tasks they have to go through in order to be successful and the ATT&CK framework tries to break all of those elements down,” Ross explained. “There are massive numbers of tables that try to break down every type of adversarial tactic and technique. And then we try to propose the defenses that would be good for countering those particular techniques—so if the adversary does this, here's what we're going do to try to counteract that.”

NIST is set to distribute DevSecOps guidance and a major overhaul to its flagship systems security engineering publication later this year.

Ross said he hopes those, along with this draft, leave the public with a sense of optimism. 

“A lot of times when we're faced with these ongoing destructive cyberattacks, and we see the ransomware attacks, and we see the pipeline that got hit, and we see all the different tech companies and all that—it can get a little disheartening. The adversaries can wear you down. But you’ve got to be optimistic, and we have a tremendous number of tools and techniques now that are coming out from the NIST inventory,” he noted. “We can't just throw our hands up and say ‘we surrender.’ We are going to take those systems, and we're going to make them more cyber resilient so we can make the adversaries’ lives miserable.”