Building codes. Atomic clocks. Aircraft instrument landing systems. Electronic health records. The National Institute of Standards & Technology (NIST) has had a hand in all of these advances — and many more.
While NIST has made immeasurable contributions to the nation’s scientific accomplishments, many of these are in the background. You may know that today’s buildings are engineered to withstand fire, but you probably don’t know that NIST is responsible for the research that made them so.
One of the more direct ways that NIST influences our daily lives is in cybersecurity. NIST has set security standards for federal information systems for decades, and in 2014 it published the first version of its Cybersecurity Framework (CSF), a voluntary guide to managing cyber risk that is now used well beyond the critical-infrastructure operators it was originally written for.
Today, many of the businesses you transact with (by some estimates, around half of all companies) use the cybersecurity framework developed by NIST.
So how did the institute come to be so influential in cybersecurity? To learn more, let’s take a look at the history of NIST, its definition of security, and how the NIST standards came to be.
What is the history of NIST?
NIST was founded as the National Bureau of Standards (NBS) in 1901. But its roots go back even further: to the founding fathers, believe it or not.
In 1790, President George Washington observed in his first-ever message to Congress that “uniformity in the currency, weights, and measures of the United States is an object of great importance.” But it took more than 40 years for the federal government to issue standard measures for key agricultural and industrial units.
Around the turn of the century, the need became apparent for standards with more scientific validity. That’s why the NBS was created: to not only develop standards but carry out research related to standardization and the calibration of measurement devices.
“Congress established the agency to remove a major challenge to U.S. industrial competitiveness at the time—a second-rate measurement infrastructure that lagged behind the capabilities of the United Kingdom, Germany, and other economic rivals,” NIST’s official history explains.
What does NIST have to do with cybersecurity?
As that quotation demonstrates, NIST’s mission has always been to make American businesses more competitive and enhance the business environment. That’s why the institute is part of the U.S. Department of Commerce.
As more businesses embraced computers in the Seventies, it became clear that data security was necessary for the nation’s computing (and later internet) industry. Protecting people’s digital lives is, simply, good for business.
It was all the way back in 1972 — a year after the first networked email was sent — that the institute started its first computer security program. In 2000, NIST selected the Advanced Encryption Standard (AES), a major upgrade over the 1977 Data Encryption Standard (DES) then in use; the AES specification was published as FIPS 197 in 2001. In 2013, Executive Order 13636 directed NIST to produce a comprehensive framework for reducing cybersecurity risk to critical infrastructure.
“It is the policy of the United States to … maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties,” the 2013 executive order reads.
What are the principles that govern NIST’s cybersecurity framework?
The NIST framework is a risk management guide rather than a control catalog: it describes processes for understanding, prioritizing, and reducing cybersecurity risk. In other words, it is not a step-by-step checklist of security controls to implement. Instead, it gives organizations a common language for weighing the threats they face, deciding how much exposure they are willing to accept, choosing safeguards, and measuring whether those safeguards work over time. (It should not be confused with NIST's separate Risk Management Framework, SP 800-37, which is aimed at federal systems.)
The original framework organizes this work into 5 core functions (version 2.0, released in February 2024, added a sixth, Govern):
In the Identify phase, the organization works out how cyber risks could disrupt its critical activities. It should inventory its systems, data, and other assets, assess the risks to those assets, and name the people responsible for keeping the organization secure.
In the Protect phase, the organization outlines what safeguards are needed for it to deliver on its critical functions. These may include access control, user training, system maintenance, or other activities.
In the Detect phase, the organization names the measures it has in place to notice cybersecurity events as they happen — such as continuous monitoring, log review, and anomaly alerts routed to the right people.
The Respond phase covers how the organization handles a confirmed incident. It may include forensic analysis, a communication plan for customers and regulators, and the containment and mitigation steps taken to keep an incident from spreading.
The Recover phase defines the organization's plans for resilience after an incident, including how impaired capabilities or services will be restored and what will be changed to prevent a repeat.
The general nature of the NIST guidelines makes them appropriate for organizations of all sizes, including small businesses. NIST has even published guides focused on small business cybersecurity to give them a clear understanding of how to adapt the framework to their needs.
What advice does NIST have about cybersecurity?
The NIST cybersecurity framework is written for organizations, not consumers, and adopting it is voluntary for most businesses. But the institute does publish tips and best practices for data protection that anyone can use.
In a blog post about cybersecurity and information technology for small companies, NIST has some good general tips for staying secure:
– Keep software up to date.
– Use the firewall built into your operating system or provided through your ISP.
– Deploy wireless routers that use the latest security protocols.
– Regularly back up your important data using cloud infrastructure.
You can also participate in the development of the next generation of the CSF via webcasts and conferences, or by submitting feedback directly to NIST at its official website.
And while we have NIST to thank for much of the foundational work behind securing the systems we rely on every day, there's much more the organization does — so browse its website to learn about the history of the organization, the vital role it plays in research and public safety, and the many ways it touches our lives today.