Key Takeaways:
- The National Institute of Standards and Technology (NIST) has released a preliminary draft of Special Publication 800-82 Revision 4, which updates federal guidance on operational technology (OT) cybersecurity.
- The proposed revision includes expanded guidance for different OT systems, updated guidance on emerging technologies, and a reorganized threat landscape.
- The U.S. Army has retired the Standard Procurement System for the Army (SPS-A) and replaced it with the Army Contract Writing System (ACWS).
- The Office of Management and Budget (OMB) has issued a memorandum directing federal agencies to adopt a risk-based approach to software and hardware security.
- The OMB memo rescinds previous software security policies and emphasizes the importance of secure development principles and comprehensive risk assessments.
Introduction to NIST’s Revision of Special Publication 800-82
The National Institute of Standards and Technology (NIST) has released an initial preliminary draft of Special Publication 800-82 Revision 4, launching a public comment period as part of its effort to update federal guidance on operational technology (OT) cybersecurity. The agency intends to update Special Publication 800-82, or the Guide to Operational Technology (OT) Security, to reflect lessons learned, ensure consistency with related NIST guidance, and account for the evolving OT cybersecurity threat environment. Comments on the planned revision are due February 23.
Proposed Changes to Special Publication 800-82
NIST is considering expanded guidance for different OT systems, including building automation, transit, and maritime systems. The proposed revision would also introduce updated guidance on the use of emerging technologies in OT environments, such as artificial intelligence, machine learning, behavioral anomaly detection, digital twins, Internet of Things, zero-trust architectures, cloud services, edge computing, 5G, and advanced wireless technologies. Additionally, the agency plans to update the OT threat landscape to reflect current vulnerabilities, incidents, standards, and recommended cybersecurity practices, including recent activities in OT cybersecurity and updates to capabilities, tools, and mitigations.
Reorganization of Appendices and Removal of Outdated Content
The proposed update would reorganize several appendices by moving Appendix F, the OT Overlay, into a standalone document and relocating Appendices C, D, and E, which address threats, vulnerabilities, incidents, organizations, research, activities, and security tools, to web-based resources. NIST is also considering removing outdated or no longer relevant content. This reorganization aims to improve the clarity and usability of the guidance, making it easier for organizations to implement effective OT cybersecurity measures.
U.S. Army’s Replacement of Standard Procurement System
The U.S. Army has retired the Standard Procurement System for the Army (SPS-A) and replaced it with the Army Contract Writing System (ACWS). This change is part of the Army’s effort to advance the implementation of a single, enterprisewide platform designed to streamline contract development, management, and execution in support of the service branch’s mission. The transition to ACWS highlights the scale and complexity of the change underway as the Army continues to modernize enterprise systems and processes.
OMB’s Memo on Risk-Based Approach to Software Security
The Office of Management and Budget (OMB) has issued a memorandum directing federal agencies to adopt a risk-based approach to software and hardware security by implementing secure development principles and comprehensive risk assessments. The memo rescinds previous software security policies and emphasizes the importance of secure development principles and comprehensive risk assessments. This change in approach reflects the evolving nature of software and hardware security threats and the need for federal agencies to prioritize risk-based decision-making in their cybersecurity efforts.
Conclusion and Future Directions
In conclusion, the updates to NIST’s Special Publication 800-82, the U.S. Army’s replacement of SPS-A with ACWS, and the OMB’s memo on risk-based approach to software security all reflect the ongoing efforts to improve cybersecurity guidance and practices across the federal government. As the cybersecurity landscape continues to evolve, it is essential for organizations to stay informed about the latest developments and updates to ensure they are equipped to address emerging threats and challenges. By adopting a risk-based approach to cybersecurity and prioritizing secure development principles, federal agencies and organizations can better protect their systems and data from increasingly sophisticated threats.