Turning Cyber Policy Into Practice

Executive orders, frameworks, and acts of Congress tell agencies what their cybersecurity goals should be, but generally leave implementation details to other entities. The National Cybersecurity Center of Excellence (NCCoE), a component of the Commerce Department’s National Institute of Standards and Technology (NIST), fills that need — developing actionable, standards-based guidance that helps agencies turn cyber concepts into reality.

Cheri Pascoe, NCCoE Director since last August, reflected on the center’s strengths, challenges and 2024 priorities.

Strength: Collaborative Model

“We describe ourselves as a collaborative hub, an applied cybersecurity laboratory,” Pascoe said, where NIST cybersecurity experts partner with industry, academia and other government entities to tailor standards to the needs of specific sectors. The NCCoE guidance shows agencies how to adapt commercially available technology for their own purposes.

“We work with [our partners] hand in glove, or hands on keyboard,” she explained. Once NCCoE decides to start a project, one or two NIST staff will team up with four or five of the center’s contract staff, and then 15 to 20 collaborators from across industry and government also sign on, she said.

“You’re basically taking one or two staff and turning [the project] into a large group of people,” Pascoe added. “That kind of combination of expertise in both standards and technology is very rare, and so we’re able to do some really cool things.”

Although each group focuses on solving a single cybersecurity challenge, NCCoE’s collaborative model also fosters product improvements and personal relationships.

Other governments may offer informal feedback on projects under development. And beyond project-specific work, NCCoE meets regularly with an industry advisory group to discuss current challenges and anticipate future concerns; maintains various communities of practice; and engages in local outreach.

Challenge: Prioritizing Issues

The greatest NCCoE difficulty, and one that Pascoe aims to address in 2024, is deciding which issues to pursue. “It can take a year to develop a consortium, [and] it can take a couple of years to develop guidance,” she said. “So really the biggest challenge is making sure that we can identify what challenges are coming … so that we’re ready with guidance at the right time.”

And faced with a limited budget and a vast number of cybersecurity issues, the center must develop guidance with broad potential. “Sometimes that’s hard because we’ll have different sectors come to us and say, ‘This is a really big challenge for [us],’ but it’s not … applicable to other sectors, [so the center] might have to decline taking on that project,” she said.

Created roughly 10 years ago, NCCoE has ended projects midstream when collaborators realized that pending guidance would have limited impact. “We really do have to be flexible in pivoting as we delve deeper into an issue, making sure we’re addressing the right needs,” noted Pascoe.

2024 Projects

Of course, some NCCoE projects are rather pre-ordained. The center in 2024 will help specific sectors implement the NIST cybersecurity frameworks, including helping agencies transition from the initial NIST Cybersecurity Framework to the 2.0 iteration scheduled for release in February.

NCCoE also will continue its effort to help organizations develop secure software, as called for by the National Cybersecurity Strategy. At this stage, the center is working with global software development organizations to break down how agencies can implement the NIST Secure Software Development Framework.

And for the past five years, the center has been working with more than 20 vendors to build zero-trust architectures for its own systems. Currently, NCCoE is sharing its more than 1,000-page internal guidance with fellow agencies, Pascoe said.

NIST is also one of the world’s top agencies for developing encryption standards, she noted, and so NCCoE in 2024 will prioritize helping agencies transition to new NIST cryptography standards. That will help agencies prepare for the potentially devastating threat that quantum computers pose to current cryptography.

“We’re identifying tools to help organizations identify where there’s vulnerable cryptography,” said Pascoe, “and then help them make risk-based decisions about what you replace first.”

NCCoE also will dig more deeply into supply chain security. “It’s difficult enough to oversee the security of your own organization, let alone somebody else’s,” she said. “Over the last couple of years, [people] have really started to gain some recognition of just how important that issue is.”

The center will continue its artificial intelligence and ransomware initiatives, among others. And because organizations asked NCCoE for help regarding data use and security, the center will advance its new project, launched in 2023, on data file applications.

“We’re always listening and trying to really see the true challenges organizations are facing and see if we have the right expertise to … spin up a consortium to tackle [them],” Pascoe explained. “Cybersecurity is not just an IT issue, it’s a business issue. It’s a concern that needs to be addressed throughout [an] organization, at multiple levels.”

NCCoE invites people from different backgrounds and disciplines to participate in its work by commenting on NCCoE resources and joining its communities of interest (COIs), among other options. Further details, including draft and final NCCoE publications, an events calendar, and a COI sign-up form, are available at www.nccoe.nist.gov. Technical expertise is not required.

This article appeared in our guide, “The 2024 Cyber Agenda.” To learn more on the cyber outlook for the coming year, download it here:

Heading artwork by Kaitlyn Baker/Kelly Boyer, GovLoop. Portrait photo courtesy of NCCoE.