Policy Analysis 1
Spencer Foulk
Professor Demirel
CYSE 425W
January 26, 2024
National Institute of Standards and Technology
Searching for a cybersecurity policy can be difficult because of the wide variety of policies and the rule sets they hope to justify. I considered a multitude of cyber-related policies, including the BYOD (bring your own device) policy, the NSP (network security policy), and the SMP (social media policy). These policies supplied insight and regulations about what they bring to the table and about why they would be useful in a given situation. I decided to go with a different policy, the Cybersecurity Framework published by NIST (the National Institute of Standards and Technology), because of its guidelines and effectiveness. My second reason for choosing this policy has to do with its relation to risk management, which I minor in, since both share the common goal of mitigating risk.
Moving on to the more technical details, development of the NIST Cybersecurity Framework began under Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," issued by President Barack Obama on February 12, 2013. The order drew attention to recent criminal activity and threats to the security of critical infrastructure, including sectors such as banking and healthcare and the records and other confidential information they hold. Because of the potential vulnerability of the technology at the time, and the risks that could result, a call to action was made to correct the issues at hand, and NIST was directed to develop the framework.
As a brief overview of how the framework works, organizations use it to assess and improve their existing cybersecurity posture; it is voluntary guidance that an organization applies to itself rather than an audit that NIST performs. The capabilities it covers include preventing, detecting, responding to, and recovering from cyber-related incidents. NIST itself also conducts technical investigations outside the cyber domain. One example is the investigation of the tornado that struck Joplin, Missouri, on May 22, 2011: NIST was tasked with supplying a technical account of the events and how they unfolded, and with analyzing and reporting on ways to reduce and mitigate the damage from such events in the future. Another example is NIST's long-running building and fire research, which explores diverse ways of preventing fires and reducing their risk factors.
This is an important policy that correlates heavily with cybersecurity because of its focus on security, research, and risk prevention. Alongside other cybersecurity practice, the framework is useful when investigating an intrusion carried out by a cybercriminal, when assessing risk while reviewing source code for possible zero-day vulnerabilities and other security flaws, and when deciding the proper response to an attack in progress. The framework has been adopted widely across the US and looks to grow further with continued support and new adopters in the future.
To conclude, the NIST Cybersecurity Framework is a well-designed policy that has proven its usefulness. It gives companies and organizations a different lens through which to view certain problems. The framework was created in response to security concerns that threatened critical infrastructure and confidential information, and it has delivered handsomely in response to such threats and events.
References
Lewis, James. "NIST Cybersecurity Framework." Csis.org, published April 16, 2014.
Wright, Richard. "Building and Fire Research at NBS/NIST, 1975-2000." Govinfo.gov – https://www.govinfo.gov/app/details/GOVPUB-C13-PURL-LPS52192
Kuligowski, Erica. "Final Report, National Institute of Standards and Technology (NIST): Technical Investigation of the May 22, 2011, Tornado in Joplin, Missouri." Govinfo.gov, published 2014.
Policy Analysis 2
Spencer Foulk
Professor Demirel
CYSE 425W
April 12, 2024
NIST Political Implications
The National Institute of Standards and Technology (NIST) has had quite a few political implications over the years. In this paper I will go over those implications while also describing the effects they have had on the institution and its area of coverage. One of the first strategic moves NIST has made concerns elections and voting systems. Because of the ever-evolving threat to confidential information and security as we know it, NIST has "released draft guidelines that provide a road map to help local election officials prepare for and respond to cyber threats that could affect elections" (Boutin 2021). The draft, which NIST released as a profile of the Cybersecurity Framework, was a response to the errors and security concerns that surfaced during earlier elections. While it serves only as a recommendation, I find it to be an extremely beneficial system for elections given the in-person scanners, mail-in ballots, support for voter registration databases, and the communication of voting tallies. Political figures have regarded the framework positively while also incorporating it into parts of the world that struggle to support cyber confidentiality. It is no surprise that it has had beneficial ramifications given its structure and use case. While the voting guideline for future elections proved to be a beneficial product of the policy, there is another implication that involved similar effort.
September 11, 2001, is a day that must never be forgotten. As NIST notes, it was "one of the worst building disasters in US history, killing 2,749 people, including 400 emergency responders" (NIST). NIST was tasked with conducting a federal investigation to determine how the buildings collapsed, among other concerns. This investigation, authorized by Congress, produced findings and recommendations that fed back into NIST's broader work. NIST released over 43 reports, established a Public Safety Communications Research Division, and set up a National Fire Research Laboratory, all positive outcomes that serve as countermeasures for future events. NIST has done a lot to address the situations that arose after the disaster, but that is not the only thing it has done.
NIST has also listed numerous framework-related efforts in its roadmap. These areas include authentication, automated indicator sharing, and conformity assessment, among others. All are "critical areas found by stakeholders that should inform future versions of the Framework" (NIST). Stakeholders and policy makers named these issues in the hope that they would be treated with the highest regard, which will require continuous focus and extensive research given their evolving nature. Their earlier work with NIST on other situations led them to trust the institution as a quality go-to for the concerns they had. This has proved beneficial as well, since job openings and research in the framework and its related efforts, data analytics for example, have been underway; I have seen a plethora of such job listings on sites like Handshake and LinkedIn.
The NIST framework has proved to be a crucial policy for all things cyber and security related, and it continues to be a strong backbone that political figures and stakeholders look to for support. Whether it is the guidelines presented to benefit elections, the reports and recommendations issued in light of the September 11 disaster, or the related efforts the framework has pursued, it has shown itself to be positive and upstanding in its ramifications and political implications.
References
Boutin, Chad. "To Help Protect Our Elections, NIST Offers Specific Cybersecurity Guidelines." NIST.gov, published March 29, 2021 – https://www.nist.gov/news-events/news/2021/03/help-protect-our-elections-nist-offers-specific-cybersecurity-guidelines
"World Trade Center Investigation." NIST.gov –
"Framework – Related Efforts." NIST.gov, published February 6, 2018, updated October 18, 2019 – https://www.nist.gov/cyberframework/related-efforts-roadmap
Policy Analysis 3
Spencer Foulk
Professor Demirel
CYSE 425W
January 26, 2024
NIST Ethical Implications
When it comes to the NIST framework, a great many considerations must be weighed before an existing policy is changed in light of newer developments, a policy is added to the list of concurrent and ongoing policies, and so forth. Implementing something new is no straightforward process, as it must be considered by more than one person to ensure that it will be a worthwhile addition or change. This is where the ethical standpoint of the framework comes into play, since deciding what is best for the list is no effortless process given its standing and the level at which it is upheld. Many say that the framework could be better implemented or that it is not living up to its full potential, but there is still a worthy number of benefits to gain from it.
The NIST framework offers a wide variety of benefits, both to corporations looking for extra security and support and to everyday citizens looking for a guide that supports their day-to-day lifestyle and encourages good cyber hygiene. For example, the framework offers "a common language and systematic methodology for managing cybersecurity risk," and it has been designed to "complement, not replace, an organization's cybersecurity program and risk management processes." The common language and systematic method allow an organization to fold its existing cyber tactics and security measures into the framework. They also allow the company's existing guidelines and practices to remain intact, since the framework is meant to function as a complement rather than a replacement for the original process. This is all a net positive, but one downside for some might be cost, since "on average, companies spend between $5,000 and $20,000 for the audit and assessment process specific to the different NIST frameworks." While this price may be a downside for many start-up companies, it is worth noting that the framework is heavily backed and well suited to such security practices. There is another reason the framework should be considered, which has to do with the individual rights that it protects and limits.
Because of the size and scope of NIST's work, certain things are permitted and approved while others remain limited or disallowed. While the NIST framework is open and flexible across a great many use cases, that does not mean everything flies. For example, NIST's guide to protecting personally identifiable information (SP 800-122) ties the handling of personal data to its context of use, giving as examples of contexts statistical analysis, eligibility for benefits, administration of benefits, research, tax administration, and law enforcement; uses that fall outside the stated context are limited because they do not meet its criteria. There are also rights that are protected in other areas of the guidance that are worth mentioning. One is collection limitation, which says that there should be limits on the collection of personal data and that such data should be obtained by lawful and fair means. A second relates to use limitation, which says that "Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except with the consent of the data subject or by the authority of law."
The NIST framework presents a positive picture of ethical benefits that aim to help the user for the better over the long term. Whether it is the benefits the policy provides, the rights it protects for individuals, or the rights that can sometimes be limited based on certain use cases, the framework holds up as a reliable service for those who seek protection, privacy, and guidelines to maintain cyber hygiene.
References
"Uses and Benefits of the Framework." NIST.gov, published February 6, 2018, updated February 26, 2024 – https://www.nist.gov/cyberframework/uses-and-benefits-framework
Gracy, Meeba. "Getting NIST Certified: 7 Key Steps to Becoming NIST Compliant." Sprinto.com, published April 03, 2024 – https://sprinto.com/blog/nist-certification/#:~:text=The%20NIST%20certification%20cost%20varies,to%20the%20different%20NIST%20frameworks.
McCallister, Erika, Grance, Tim, and Scarfone, Karen. "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)." Nvlpubs.nist.gov, published April 2010 – https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-122.pdf
Arias, Andrea. "The NIST Cybersecurity Framework and the FTC." Ftc.gov, published August 31, 2016 – https://www.ftc.gov/business-guidance/blog/2016/08/nist-cybersecurity-framework-and-ftc
Policy Analysis 4
Spencer Foulk
Professor Demirel
CYSE 425W
April 19, 2024
NIST Social Implications
As is known, the NIST framework is a wonderful go-to when looking for advice and consultation about how to keep good cyber hygiene; however, we have yet to talk about the social implications and origins of the framework. What factors led to the development of the framework? What types of social consequences exist within the framework? How does culture play into the workings of the framework? Questions like these will be answered to address the social aspects of the policy and gain a better understanding.
Development of the framework began on February 12, 2013, when President Barack Obama signed Executive Order 13636. This order "requested the framework be developed with support from industry and academia and published within one-year of the Executive Order's signing," and version 1.0 of the framework followed in February 2014. This was done to create a policy that would protect the country from unwanted threats. Since then the framework has been continuously updated and adjusted to fit the current state of affairs. This would not have been possible without contributions from stakeholders in government, industry, and academia. It is also worth mentioning that NIST "used a Request for Information (RFI) and Request for Comment (RFC), as well as extensive outreach and five workshops around the country." This allowed NIST to find, specify, and develop the necessary means to bring the policy together as a whole.
While the development of the NIST framework is a milestone, it would be wrong to write it off as a one hundred percent settled policy, since "research data have become widely recognized as a critical national and global resource, and the risks of losing or mismanaging research data can have severe economic and social consequences." Discrepancies and inconsistencies in data can produce social consequences that are eventually devastating. Artificial intelligence has been on the rise and heightens these risks. Guaranteeing that information can be trusted and verified is mandatory for a policy that relies heavily on it, which is why NIST launched a multi-stakeholder project, the Research Data Framework, to develop a strategy for the integrity of research data. While the social consequences can be high and devastating, there is a second reason the framework has been supported over the years.
The cultural influences and practices the framework upholds are useful for removing stressful situations and inefficient working conditions or processes. Three distinct ways in which NIST hopes to build a culture of security are stopping risky behavior, encouraging less risky behavior, and turning employees into sentinels. By stopping risky behavior, employees are better prepared for situations that could lead to negative outcomes. By encouraging less risky behavior, employees are motivated to take a second thought about whether an action could cause something unwanted. Lastly, turning employees into sentinels aims to train employees to the point where they react instinctively to a harmful cyber-related situation. These company cultural influences shape employees into well-regarded cyber intellectuals who are able to work and respond at a moment's notice to ensure the policies stand.
The social implications of the NIST framework are crucial both as a structure for the policy and as a guideline for future projects down the road. The cultural properties that have shaped employees for the benefit of the policy, the social factors that contributed to the development of the policy in its beginnings, and the creation of strategies to prevent social consequences have been key moments in ensuring integrity, confidentiality, and security.
References
Paulsen, Celia. "Creating a Culture of Security." Nist.gov, published September 28, 2020 –
"Research Data Framework." Nist.gov, published November 2, 2020, updated March 1, 2024 –
"History and Creation of the CSF 1.1." Nist.gov, published February 8, 2018, updated February 26, 2024 – https://www.nist.gov/cyberframework/history-and-creation-framework
Policy Analysis 5
Spencer Foulk
Professor Demirel
CYSE 425W
April 20, 2024
How would I assess the NIST framework?
During my time in this class, I have had a great deal of time to research, develop, and refine my understanding of a policy of my choosing. The policy I decided on was the Cybersecurity Framework of the National Institute of Standards and Technology (NIST), which strives to increase understanding and protection of cyber-related efforts. I have touched on the political, social, and ethical aspects of the subject and have also explained what each of them aims to provide in support of the framework itself. My main journey throughout this course has been to explain and understand this policy beyond surface-level knowledge, but I have yet to give my own opinion and assess the policy's nature. To assess the effectiveness of the NIST framework, I will touch on my assessment of the policy, others' assessments of the policy, how these assessments lead to other implications, and whether I believe the assessment would be a success.
To start, I will use other examples, recommendations, and assessments of the framework to give some background before providing my own. A good starting point for assessing the framework is its second revision, NIST Cybersecurity Framework 2.0. It received a wide variety of positive reception from leaders and representatives such as Michael Gregg, the CISO of the State of North Dakota, who said that "One of the things that most excites me about the new framework is the addition of the 'govern' function," and Stacy O'Mara, of government strategy and policy at Mandiant, who said that "Mandiant is pleased to see the draft version of NIST's CSF 2.0, particularly the greater emphasis on governance and cybersecurity risk management and the implementation examples provided at the subcategory level." But there was also critical or recommendatory reception. For example, Gina Yacone, an information security lead, said that "These prescriptive frameworks require practitioners to review their policies annually, but the frameworks we are guided by do not undergo regular updates and many times are outdated by technology advancements." A second example comes from Bud Broomhead, CEO at Viakoo, who recommended that "NIST's update should also push more organizations to work with managed service providers on their cyber hygiene and cybersecurity governance."
The second revision of the NIST framework was met with positive reception and recommendations. Michael Gregg and Stacy O'Mara had nothing but good things to say about the framework and how it would help their areas of work. Gina Yacone and Bud Broomhead offered recommendations rather than anything outright negative. As for their recommendations, I believe they are right in their recommendations regarding the framework, as well as in pushing for more organizations to work with service providers for their cyber governance and hygiene. Doing so would allow little to no error overall for corporations that follow the recommendations compared to those that do not, which could leave the latter facing unwanted issues. It would also allow them to receive a wider range of feedback from other sources that they could implement and iterate on. Both recommendations would be a net benefit for the framework. They would also lead to an added policy implication down the road that would be folded into the framework, since NIST strives for perfection and coherence in its framework.
As for my own assessment of the policy, based on the reports on the second revision of the framework and its development, I would say that it is a beneficial and necessary part of cybersecurity in its present and near-future state. The framework has held up dutifully since its origins in Executive Order 13636 in February 2013, and NIST itself has served in controversial scenarios such as the September 11 investigation, including the identification of blood samples. It has also held up well ethically and socially, with positive reception on both fronts, since it is constantly evolving to adjust itself to the current point in history. The framework keeps an up-to-date list of ongoing support and recommendations for cyber hygiene and organizational guideline referrals.
The NIST framework continues to push out new, interesting, perceptive, and bright ideas related to cyber efforts and security. It has been met with positive reception along with recommendations that would be useful in making it a foolproof guide on which to base an organization. The political standing has been beneficial thanks to the release of draft election guidelines and NIST's aid after the events of September 11. The ethical standing has been held in high regard since the framework is flexible in how it works and cooperates with companies and organizations. This leaves the social aspects, which have been met with positivity and future recommendations from individuals who want to push for a perfected framework guideline. Whether it is the social, political, or ethical benefits mentioned previously, each one shows the strength, longevity, and endurance that the National Institute of Standards and Technology has and continues to support.
References
Boutin, Chad. "NIST Releases Version 2.0 of Landmark Cybersecurity Framework." Nist.gov, published February 26, 2024, updated February 27, 2024 – https://www.nist.gov/news-events/news/2024/02/nist-releases-version-20-landmark-cybersecurity-framework
Sivesind, Cam. "Security Experts Assess 2.0 Draft of NIST Cybersecurity Framework." Secureworld.io, published August 23, 2023 – https://www.secureworld.io/industry-news/cybersecurity-experts-nist-2.0-framework
Bresnahan, Ethan. "What Are the Benefits of the NIST Cybersecurity Framework?" Cybersaint.io –
Dentel, Christopher W. "Evaluation of the CPSC's NIST Cybersecurity Framework Implementation." Oversight.gov, published January 18, 2022 – https://www.oversight.gov/sites/default/files/oig-reports/CPSC/Evaluation-CPSCs-NIST-Cybersecurity-Framework-Implementation.pdf