There's little doubt that 2013 was a trying year for the National Institute of Standards and Technology (NIST), the non-regulatory federal agency tasked with maintaining a variety of technological standards, including those affecting information security.
First, President Barack H. Obama tasked NIST with creating a cybersecurity framework for the United States. Then leaks from former National Security Agency contractor Edward Snowden revealed that NIST's encryption standards may have been compromised by the NSA. On top of all that, a government shutdown closed down NIST operations for several weeks. Public scrutiny of NIST has never been more intense, but according to Karen Scarfone, principal consultant at Scarfone Cybersecurity and a contributor to numerous NIST standards, the agency has "bent over backwards" to accommodate public input on its security publications.
In this video interview, recorded at Information Security Decisions 2013, Scarfone explains how NIST formulates its standards via a public, thorough vetting process. Scarfone herself attended a conference on the NIST cybersecurity framework in San Diego and was impressed by the extent to which the public shaped the process. Though not involved directly with NIST's encryption standards, she said those processes were subject to open scrutiny as well. Scarfone also details just how the NIST cybersecurity framework may affect the security measures in place at enterprises around the U.S.