The National Institute of Standards and Technology (NIST) is updating its Cybersecurity Framework, as we reported in a previous post. Designed to provide a “prioritized, flexible, repeatable, performance-based and cost-effective approach” to managing cybersecurity, the framework has seen broad adoption by organizations worldwide.
NIST issued a draft of version 2.0 in January 2017, incorporating feedback received since the original framework’s publication in February 2014. Version 2.0 offers further guidance on reducing cybersecurity risks, provides tools for cyber supply chain risk management, and clarifies and expands the section on access controls to incorporate identity and access management (IAM) concepts and best practices.
While we applaud NIST’s increased emphasis on IAM in the Cybersecurity Framework, we believe version 2.0 could go further to address the risks associated with digital identities, particularly privileged accounts. Meanwhile, NIST has also been busy updating its “Electronic Authentication Guidelines” to reflect dramatic changes in the industry since the document was last revised in 2013. Also known as Special Publication (SP) 800-63, the document is designed to help government agencies assess and mitigate identity-related risks.
Version 3 of SP 800-63 is now called “Digital Identity Guidelines” and comprises a suite of documents covering identity management from initial risk assessment to deployment of federated identity solutions. SP 800-63-3 provides a general overview, while SP 800-63A, 800-63B and 800-63C drill down into various components of IAM, as follows:
Traditionally, NIST has issued an update to a publication or standard, accepted comments for a prescribed period of time, revised the publication or standard based on those comments, and then released the final version. With SP 800-63-3, however, NIST released the draft document on GitHub and collaborated with stakeholders throughout the summer of 2016. More than 74,000 unique visitors came to the site, and contributors submitted more than 1,400 comments. NIST plans to continue the process by engaging with stakeholders to fine-tune the guidance and share lessons learned.
Like the NIST Cybersecurity Framework, SP 800-63 is aimed at federal agencies but can provide value to organizations of all sizes and in every industry sector. Any organization that is looking to improve its IAM systems and processes will be well-served by reviewing the free guidance offered by the experts at NIST.
For more information about the NIST Cybersecurity Framework, please send us an email at (firstname.lastname@example.org).