A Big Kudo for NIST
July 23rd, 2011
I just went back and looked over all the blog postings I have written over the years, only to discover that I never wrote even one about the National Institute of Standards and Technology (NIST). I admit that I have some biases about NIST, and that they are all positive. When the DOE CIAC incident response team that I started and managed was a fledgling entity, no US government agency or group stood behind CIAC more than did NIST. The major players there with whom I dealt at that time included Lynn McNulty, Stu Katze, Denny Steinauer, Marianne Swanson, John Wack and Lisa Carnahan. Afterwards retired Air Force officer Tim Grance came on the scene, and he added a special dimension of leadership.
CIAC was founded in 1988–a long time ago from a technology point of view. CIAC has come and gone, but NIST continues to be a very positive force in the information security arena. In particular, the NIST special publications have been helpful above all belief. In particular, I have a super high regard for NIST SP 800-030 because of its bringing risk analysis down to a feasible and practical level. There are so many books, Web postings and documents that espouse downright excessively complex and too oten confusing methods of risk analysis. NIST SP 800-030 bucks this trend, bringing risk analysis to the point of being very understandable and manageable. This publication permanently changed the way I conduct risk analyses; I am certain that I perform better risk analyses in less time because of this publication.
I won’t stop with NIST SP 800-030, however. NIST SP 800-053 is the most practical and understandable risk management guideline I have ever seen. Other laudable rivals such as ANZ 4360 and the ISF’s Standard of Good Practice (SGP) exist, but NIST’s publication on risk management says what it says so succinctly and clearly that it once again stands out it my mind as the best in class.
How about NIST SP 800-061? If you want detailed guidelines and advice concerning how to set up and manage an incident response effort, this standard will be at the top of your list. In particular, I love this publication’s coverage of incident response metrics, a badly overlooked area, in this publication.
If you have been following my blog series over the last three and a half years*, you’ll notice all the attention I have paid to mobile device security. I, however, am by no means any kinds of pioneer in this area. In contrast, NIST has published three special publications on mobile device forensics, the first of which is NIST SPs 800-101, Guidelines on Cell Phone Forensics. Additionally, NIST has published two other highly useful cell phone forensics documents:
- Cell Phone Forensic Tools: An Overview and Analysis. National Institute of Standards and Technology review of forensics products. http://csrc.nist.gov/publications/nistir/nistir-7250.pdf
- Mobile Forensic Reference Materials: A Methodology and Reification. http://csrc.nist.gov/publications/nistir/ir7617/nistir-7617.pdf
Are you worried about mobile code and executable content language security? See NIST SP 800-028, “Guidelines on Active Content and Mobile Code.” If you want to start and sustain a patch and vulnerability management program, download NIST SP 800-040. If you want to set up and manage an information security awareness and training effort, see NIST SP 800-50, “Building an Information Technology Awareness and Training Program.”
I am sure that by now you have gotten my point. NIST is cranking out all kinds of extremely useful information security standards and publications. Sadly, not all departments, agencies and offices within the US government are supportive of NIST’s efforts. Bureaucracies are not ideally suited for those who are highly productive, after all. But let’s hope that NIST continues its leadership in coming out with all the highly useful standards and publications that it has been producing in the information security arena.