Please, Just Tell Me What to Do
Building Cloud Products for Federal Agencies – Using NIST to Shift Compliance Left
Vendors and consultants working with Federal Agencies are required to build secure products and services that map to commonly defined security controls (outcomes), and to do so using a cybersecurity framework that addresses the common cybersecurity-related responsibilities. The most widely used set of categorized outcomes (also called control families or control objectives) is the set of security controls in NIST SP 800-53 Rev. 5 [i], Security and Privacy Controls for Federal Information Systems and Organizations.
The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce, established by Congress to remove significant challenges to U.S. industrial competitiveness. Its charter supports the development of industry-led cybersecurity standards and best practices for critical infrastructure. The correct implementation of these standards is required by law, specifically by the Cybersecurity Enhancement Act of 2014 (Public Law 113-274) [ii]. All of NIST adheres to a process of risk management, known as the risk management framework (RMF).
The NIST Risk Management Framework (RMF) is the risk-based methodology used to implement NIST products for guidance and assessments.
“The Risk Management Framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.” [iii]
NIST Special Publication 800-53 is not an outdated standard, though it has had nearly seventeen years to mature and adapt to the cyber threat and supply chain landscape. As Government requirements have changed, so has the combination of critical resources available to help meet those challenges.
Government Contractors and Service Providers must comply with NIST
All United States government acquisitions, contracts, products, materials, and cloud solutions are governed by the Federal Acquisition Regulation (FAR). The FAR is the set of rules governing US federal government procurement, codified at Chapter 1 of Title 48 of the Code of Federal Regulations (48 CFR 1). It covers many contracts of the United States military, NASA, and US civilian federal agencies.
NIST, as an agency, provides resources used to guide and assess the development and operation of technology so that it meets all applicable government requirements. The Federal Acquisition Regulation (FAR) states:
“In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including using standard security configurations available from the National Institute of Standards and Technology’s website at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to incorporate the appropriate standards.” [iv]
This means that the level of compliance any entity must implement depends on the size and complexity of its technology and on the controls available to manage its offering. NIST is responsible for the overarching process that determines which standards, and at what level, a company would reasonably implement to satisfy rules such as those created by the FAR and DFARS.