NIST Continues Leadership on Security and Privacy, Addressing Mobile Security in the Enterprise
On November 4, the National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence (NCCoE) released a draft cybersecurity practice guide for mobile device security. Comments are due January 8, 2016. This is one more example of practical guidance being explored by this non-regulatory agency, which will help companies navigate security challenges, but which may animate future standards of care and regulatory expectations. As explained in a previous article, NIST is playing an increasingly critical role in cyber and privacy, though its activities are not subject to regular administrative agency procedures or judicial review.
This lengthy draft guide addresses mobile security, an area of increasing federal attention. For example, the Federal Trade Commission has been looking at mobile security lifecycles.
Draft Guide Content
“Mobile devices extend or eliminate the notion of traditional organization boundaries, posing challenges that nearly all businesses regardless of sector or organization size” face, said NCCoE Deputy Director Nate Lesser in a November 4 news release announcing the draft guide.
The NIST draft guide explains that existing technologies can assist companies trying to elevate the security of data that resides on employee-used mobile devices. The guide includes a “typical” IT scenario that “shows organizations how to configure a device so that it can be trusted” and how to deal with contingencies like lost or stolen devices.
- Identifies the security characteristics needed to sufficiently reduce the risks from mobile devices storing or accessing sensitive enterprise data.
- Maps security characteristics to standards and best practices from NIST and other organizations.
- Describes a detailed example solution, along with instructions for implementers and security engineers on installing, configuring, and integrating the solution into existing IT infrastructures.
- Selects mobile devices and enterprise mobility management (EMM) systems that meet the identified security characteristics.
- Provides an example solution that is suitable for organizations of all sizes and evaluates the solution.
NIST takes pains to make clear that it is not endorsing particular solutions or vouching for their adequacy under divergent regulatory regimes. Nonetheless, given NIST’s role as a clearinghouse and catalyst for best practices and innovation, those managing mobility, particularly in a bring your own device (BYOD) environment, should pay attention to what NIST is doing.
More from NIST
The private sector can expect more such guidance on varied security and privacy topics. According to NIST, “The guide is part of the center’s new series of publications, called NIST Cybersecurity Practice Guides (Special Publication Series 1800), which target complex cybersecurity challenges in the public and private sectors. The practical, user-friendly guides show members of the information security community how to implement example solutions intended to help them align more easily with relevant standards and best practices.”
The NCCoE works to address “businesses’ most pressing cybersecurity problems with practical, standards-based solutions using commercially available and open source technologies.”
NIST is extremely influential in developing cyber standards. NIST took the lead in developing the Cybersecurity Framework for Critical Infrastructure, a comprehensive and widely used risk-based approach to evaluating and moving forward on cyber preparedness. NIST’s Computer Security Division manages the Computer Security Resource Center, which facilitates “sharing of information security tools and practices, provides a resource for information security standards and guidelines, and identifies key security web resources to support users in industry, government, and academia.” The Computer Security Division plays a role in topics as varied as biometric standards, health information technology, supply-chain risk management, and cyber-physical systems.
In a world of risk management and post-hoc enforcement for perceived security and privacy lapses, the private sector should be engaged and observant when it comes to NIST’s activities.