January 23, 2019

    NIST File Sharing Standards: What You Need to Know

    NIST standards are vital for both federal and nonfederal organizations alike. These guidelines were designed as a set of best practices that, when applied to your data storage and sharing practices, can help you prevent a security breach.

    Learn more about the basics of NIST standards, how these standards are created, and the value of using the best practices in your own file sharing processes.

    So, What is NIST?

    The NIST, or the National Institute of Standards and Technology, is a branch of the United States Commerce Department. The role of NIST is to create and maintain measurement standards by empowering industry and science to develop these standards.

    To put it in simple terms, in the past this group would have decided how much water is actually in a gallon, or how long an inch really is. While these were measurements that were determined a long time ago, NIST has other measurements and standards to establish today – like data security standards, for example.

    NIST, formerly the National Bureau of Standards, has played a role in the federal government since its creation in 1901. One role assigned to the federal government is the protection of a fair and efficient sales. NIST weights and measurements services promote the efficiency for about half of the U.S. economy – more than $8.5 trillion of the GDP.  

    The NIST Framework

    What does all of that have to do with your company’s data security standards? NIST created a set of guidelines to standardize data security practices across all federal and nonfederal organizations that handle sensitive data.

    The NIST Cybersecurity Framework acts as the foundation of an organization's information security processes. The framework consists of five separate functions, with sub-functions under each:

    • Identify

      • Asset Management

      • Business Environment

      • Governance

      • Risk Assessment

      • Risk Management Strategy

      • Supply Chain Risk Management

    • Protect

      • Identity Management and Access Control

      • Awareness and Training

      • Data Security

      • Information Protection Processes and Procedures

      • Maintenance

      • Protective Technology

    • Detect

      • Anomalies and Events

      • Security Continuous Monitoring

      • Detection Processes

    • Respond

      • Response Planning

      • Communications

      • Analysis

      • Mitigation

      • Improvements

    • Recover

      • Recovery Planning

      • Improvements

      • Communication

    In the comprehensive NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0, NIST outlines some specific high-level standards for ensuring these security functions are properly applied to their organization. 

    What Are NIST Standards?

    NIST Identified Standards list was created as a “reference for standards recommended for achieving interoperability of smart grid devices and systems,” and is an important portion of the NIST cybersecurity framework.

    So, what do the NIST standards look like today? The most recent version of the NIST Identified Standards includes 37 protocols and model standards. These standards focused on smart grid standards for specific industries. For example, one standard is applied to “time management and clock synchronization across the Smart Grid for equipment needing consistent time management.” Another “defines phasor measurement unit (PMU) performance specifications and communications for synchrophasor data.”

    To supplement these standards, NIST also drafted 61 items that are "Additional Standards, Specifications, Profiles, Requirements, Guidelines, and Reports for Further Review." These provide further guides for companies that may have specific needs.

    SGIP Catalog of Standards

    Now that we’ve outlined what NIST standards are, it’s important to note that NIST Identified Standards are closely related to the SGIP’s Catalog of Standards. SGIP standards are maintained by the Smart Grid Interoperability Panel, while the Identified Standards list is maintained by NIST.

    These two standards guides are similar, though they serve different purposes when it comes to promoting data security. The Identified Standards list is the NIST reference for exchanging and using information between smart grid devices and systems. The SGIP Catalog of Standards, on the other hand, focuses on the development and implementation of an interoperable smart grid, and provides more in-depth recommendations for organizations.

    Let’s take a closer look at SGIP Standards and the role they play in cybersecurity.

    While NIST Identified Standards offer high-level, broad cybersecurity regulations, the SGIP Catalog of Standards is a comprehensive list of standards, offering in-depth recommendations on how to ensure information is protected via the smart grid. In fact, you can think of it as an encyclopedia of smart grid standards.

    The SGIP, the body responsible for compiling these standards was created by the NIST to help with the creation of smart grid security standards in 2009. As part of this objective, SGIP brought stakeholders together from the public and private sectors to offer input on how best to maintain an interoperable smart grid.

    The structure of the Catalog of Standards is relatively straightforward. The standard is summarized, the purpose of the standard and its key elements are explained, and any comments are included. The goal of the catalog is to provide enough information for a reader to determine if each guideline would apply to their business or application.

    The catalog was most recently updated in 2017, and with the number of standards increasing to 81. Because technology is constantly developing, the SGIP Catalog of Standards is constantly developing, too. When the catalog was first established, it included only six standards. As of June 2013, there were 56. SGIP has an ongoing process for updating the standards, using recommendations from SHIP's Priority Action Plans (PAPs), Domain Expert Working Groups (DEWGs), Standing Committees, and Working Groups.

    Updates are not limited to the SGIP Catalog of Standards alone. As NIST standards are updated in the future, SGIP, a body of panel of public and private stakeholders, will have input regarding what the updates should be included in NIST standards.

    Complying with NIST Standards

    Knowing about applicable cybersecurity standards is only the first step. You must comply with NIST standards to ensure you’re in alignment with government-approved best practices. And, that can go a long way toward ensure you’re compliant with other important standards, like HIPAA, ITAR, DFARS, PCI-DSS and more.

    When it comes to NIST standards, there are two other publications you should know more about:

    • NIST SP 800-53 – This publication offers guidelines on security controls that federal information systems should employ.

    • NIST SP 800-171 – This publication, released in 2015, offers guidance on how to protect controlled unclassified information (CUI) that is stored or transferred on nonfederal information systems.

    As you delve into the specific identified standards outlined by NIST, you might find yourself overwhelmed by the number of steps you must take to align with these best practices. And, a lack of alignment could lead to serious consequences, like a costly data breach.

    The best way to ensure you align with NIST standards is to choose third-party file sharing solution with the proper security controls built into their solution. A top solution like Sharetru’s GOVFTP platform uses the NIST framework to ensure every client has the government-level protection needed to keep data out of unauthorized hands. Ensure your data is adequately protected with a secure file sharing solution that lives up to NIST standards.

    Learn more about how Sharetru helps you align with government cybersecurity standards

     

    Tag(s):

    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.

    Other posts you might be interested in

    View All Posts