NIST wants the federal government to pay more attention to the supply chain

A federal IT standards body has moved to add key supply-chain provisions to its risk management guidance at a time of growing concern that Russian and Chinese companies pose a threat to national security. The National Institute of Standards and Technology on Wednesday released a draft update to its influential Risk Management Framework, which federal agencies use to assess cyber risk. The provisional update includes measures to guard against untrusted suppliers and the possibility of hackers slipping malicious code into the supply chain. Defining — let alone securing — all the components and systems that organizations get from third parties can be a struggle, according to the document. One answer, NIST says, is building “a chain of trust” with suppliers to ensure that each one of them provides adequate security protections for their products. The new measures are critical because of the globalized nature of the IT supply chain, according to NIST fellow Ron Ross, one of the publication’s authors. […]

The post NIST wants the federal government to pay more attention to the supply chain appeared first on Cyberscoop.

NIST engineering guide update provides advice for securing legacy IT systems

The National Institute of Standards and Technology’s canonical Systems Security Engineering guide, SP 800-160, provides a catalog of systems and procedures that developers can use to build secure IT networks from the ground up. The guide’s second volume, published Wednesday, shows developers how to use those procedures to shore up the security of older legacy IT systems in order to limit the access hackers have if they do manage to break in. Ron Ross, NIST fellow and one of the agency’s cybersecurity experts, told CyberScoop it’s a needed corrective. “We’ve been too focused on penetration resistance, hardening the systems, trying to keep the bad guys out,” he said. “The problem is, with the incredibly complex IT systems we have today, there will always be an [effectively] unlimited supply of vulnerabilities that we can’t know about.” Nation-state hackers are sophisticated and persistent, Ross said: “The empirical data shows that you […]

The post NIST engineering guide update provides advice for securing legacy IT systems appeared first on Cyberscoop.

No longer ‘federal,’ no longer exclusively ‘cyber’ — NIST security controls break out

The National Institute of Standards and Technology has removed the word “federal” from the title of its magisterial catalogue of cybersecurity and privacy controls — one of a series of proposed changes it rolled out this week after a long delay. “The reality is, today we’re all of us — federal, state and local government and the private sector — using the same technologies … and facing the same [cyber] threats” as a result, said NIST Fellow Ron Ross. As they were doing the re-write — a year-and-a-half-long process — the authors realized that in addition to their traditional “customer base” in the federal agencies mandated by law to use the controls in the catalogue, there were many others who might find it useful. So they changed the name of the catalogue, known as NIST SP 800-53, from Security and Privacy Controls for Federal Information Systems and Organizations by cutting the word “federal.” SP 800-53 […]

The post No longer ‘federal,’ no longer exclusively ‘cyber’ — NIST security controls break out appeared first on Cyberscoop.