Who is NIST? (psst, they aren’t just for cyber!)
The National Institute of Science and Technology (NIST) “aims to enhance economic security through collaboration between industry and academia.” It falls under the Department of Commerce. When it was started in 1901, it was intended to increase the industrial competitiveness of the US. It still does that, essentially, and has grown with the changing times.
Most cyber professionals know NIST intimately. Their framework and best practices for cybersecurity are the benchmark for any company. This is important because the recommendations are not requirements – they are scalable and can be tailored for your business size and needs. The 5 functions of the framework are to:
1) Identify (figure out what you have that needs cyber protection),
2) Protect (create or adopt processes to protect the things you identified),
3) Detect (how you know you are being attacked),
4) Respond (respond to the attack), and
5) Recover (recover from the attack and get back to normal operations).
A revised (read: improved) cyber framework is being introduced in the near future. The NIST framework is adopted across the federal government and they want businesses to benefit from the information and best practices they have tested, researched and discovered in an ever-changing environment. It is truly meant to elevate the security and, by implication, success of small businesses.
Furthermore, this year, after some 2-3 years of development, NIST launched a Risk Framework for AI. The intent is to align internal culture with intended aims and societal values. Why? Even technologies that perform accurately can be harmful. NIST is also currently accepting members into its working group for generative AI (NIST AIRC - NIST AI Public Working Groups if you want to join).
I like NIST for other reasons, too. NIST also has guidance on information systems contingency plans, which is different from cyber security, because it is about business continuity plans. And (and I would be remiss if I didn’t mention them even though it is cybersecurity awareness month), NIST also cares about the climate and climate change. A LOT.
NIST recently released a report on strengthening wildfire preparedness across the US using data from the Camp Fire of 2018. It focused not only on what to do before the event (like, way before, like guidance on making structures and communities more fire resistant) but also how to create protocols for when there is no time to evacuate. How brilliant is that? They are addressing the we-did-the-right-things-and-we’re-still-in-danger reality of disasters using real data.
Gridlock is a very real concern with any type of evacuation…or being cut off from an escape route because the actual disaster blocked it. Some fires move too quickly (Maui) for evacuation to be a real option, so they are recommending safety zones.
The beauty of NIST is to share information, collaborate on ideas, and improve upon what has been done before…same with business continuity.