NIST Publishes Final Cybersecurity Assessment Guidance
The National Institute of Standards and Technology told journalists that it has issued its newest and final copy of guidance for organizations to assess their internal security information technology systems, following a draft copy and comment period. Titled “Assessing Security and Privacy Controls in Information Systems and Organizations,” the document focuses on helping entities manage cybersecurity risks across their individual networks, Nextgov reported Tuesday.
The final draft emphasizes improving organizational assessments of current cybersecurity infrastructure, promoting better cybersecurity awareness among users, enabling cost-effective security assessment procedures and privacy controls, and creating reliable security information for executives.
The guidance states that “conducting security and privacy control assessments can be difficult, challenging and resource-intensive.” It further states that security and privacy control assessments may be conducted by different organizational entities with distinct oversight responsibilities. However, success requires the cooperation and collaboration of all parties with a vested interest in the organization’s information security or its privacy posture, the guidance says.
NIST said in an email to Nextgov that the updated publication provides an assessment approach and related procedures, such as ways to determine if the countermeasures being implemented by an organization are achieving the desired effect. It explained that three phases are associated with this process, including preparing, conducting and analyzing assessment results to gauge risk.
The Institute’s officials said they thoroughly reviewed best practices in assessment procedures to determine the effectiveness of the defense software in place.
The guidance concludes by recommending ongoing privacy and security assessments within a given organization.