Data protection in focus®
NIST continues to work on several cybersecurity and privacy workstreams of interest to the private sector. While NIST has traditionally supported federal agencies’ IT security, in recent years it has taken on (and delegated) multiple workstreams under executive orders and statutes that address many aspects of privacy and security, including key areas of technological innovation. Examples of open workstreams that can impact the private sector include:
- Mitigating AI/ML Bias in Context: Establishing Practices for Testing, Evaluation, Verification, and Validation of AI Systems. Comments were due by September 16, 2022. NIST undertakes several efforts to study aspects of emerging technologies, including artificial intelligence and machine learning. In addition, NIST is developing an AI Risk Management Framework (RMF), and comments on the latest AI RMF draft are due September 29. It is critical that organizations educate government on the consumer benefits and risk management innovation of using AI and ML across the private sector.
- Implementing a Zero Trust Architecture (Preliminary Draft). Comments are due by September 9, 2022. This workstream is one of many efforts aimed at implementing zero trust security concepts or helping agencies meet executive branch guidelines on the use of zero trust, which may affect federal contractors and other organizations.
- Internet of Things (IoT). NIST IR 8425, the IoT Core Baseline Profile for Consumer IoT Products, was published in draft form on June 17, 2022, along with Ideas for the Future of IoT Cybersecurity at NIST: IoT Risk Identification Complexity. IoT security remains a focus of several federal agencies concerned with device security, and NIST and other agencies have been assigned tasks related to consumer communications, security, and privacy that should be of interest to anyone in the IoT space.
- Government contractors should pay close attention to NIST’s work on cyber, including its special publications for federal information systems, as well as its revisions to the SP 800-171 series, including the preliminary draft for comment, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, for which comments were due on September 16, 2022. We expect that the government’s work on this and related documents will shape what is expected of contractors in areas of system boundaries, data management and related areas.
Perhaps of more critical and more widespread importance, NIST is revising its foundational framework for critical infrastructure cybersecurity, created in 2014 and revised as version 1.1 in 2018. Public comments on the upcoming revamp suggested a variety of avenues, some modest and others transformative. NIST has announced its first NIST Cybersecurity Framework update workshop, “Beginning our Journey to the NIST Cybersecurity Framework 2.0,” to be held virtually on August 17, 2022, with nearly 4,000 participants from 100 countries. Given the fundamental role of the NIST framework in the cyber strategies of many private organizations, major changes should be carefully monitored for potential compliance program adjustments.
Countless other projects are underway at NIST and the National Cybersecurity Center of Excellence (NCCoE) examining practical applications in privacy, network security, digital identity, and other critical parts of organizations’ risk management strategies. NIST and NCCoE staff are approachable and interested in meaningful private-sector input to inform their work.
© 2022 Wiley Rein LLP