Comments Sought On NIST Cyber Threat Sharing Guide

The Department of Commerce’s National Institute of Standards and Technology (NIST) drafted a guide on cyber threat information sharing and is seeking comments through Nov. 28. With the guide, NIST hopes to help show organizations the key practices they need to consider when planning, implementing and maintaining information sharing relationships.

“By sharing cyber threat information, organizations can gain valuable insights about their adversaries,” said lead author Christopher Johnson. “They can learn the types of systems and information being targeted, the techniques used to gain access and indicators of compromise. Organizations can use this information to prioritize defensive strategies including patching vulnerabilities, implementing configuration changes and enhancing monitoring capabilities.”

The executive summary in The Guide to Cyber Threat Information Sharing said the draft explores the benefits and challenges of coordination and sharing information and presents the strengths and weaknesses of various information sharing architectures. The guide also clarifies the importance of trust and introduces specific data handling considerations.

“The goal of the publication is to provide guidance that improves the efficiency and effectiveness of defensive cyber operations and incident response activities, by introducing safe and effective information sharing practices, examining the value of standard data formats and transport protocols to foster greater interoperability, and providing guidance on the planning, implementation, and maintenance of information sharing programs,” the guide said.

This is important to healthcare facilities because the guide also discusses how organizations should perform an inventory that catalogues the information an organization currently possesses, the information that it is capable of producing, and document the circumstances under which this information may be shared.

Specifically, an information inventory helps an organization gain a better understanding of where its critical data resides, who owns it, how must it be protected, and when it can be shared. The following factors need to be considered when an organization decides the incident-related information to be shared with other agencies:

“Through sharing, an organization benefits from the collective resources, capabilities, and knowledge of its sharing peers,” the guide explained. “When sharing threat intelligence, organizations have the opportunity to learn from each other; gain a more complete understanding of an adversary’s tactics, techniques, and procedures; craft effective strategies to protect systems; and take action, either independently or collectively (i.e., as a sharing community) to address known threats.”

The guide also highlighted the implementation of security controls as being necessary to protect sensitive information. For healthcare, this is when an organization deploys administrative, technical, and physical safeguards to protect patients’ PHI.

“Organizations should maintain an ongoing awareness of information security, existing vulnerabilities, and threats in the operational environment to support organizational risk management decisions,” the guide said.

At the beginning of this year, NIST released its final voluntary cybersecurity framework. That framework was created as a roadmap that various organizations can use each of the Framework components (the Framework Core, Profiles, and Tiers) to remind users of the link between business drivers and cybersecurity activities. It also offered guidance regarding privacy and civil liberties considerations that may result from cybersecurity activities.