CYBER SECURITY STANDARDS

KAREN SCARFONE, DAN BENIGNI, AND TIM GRANCE

National Institute of Standards and Technology, Gaithersburg, Maryland

1 INTRODUCTION

The International Organization for Standardization (ISO) defines a standard as “a document, established by consensus and approved by a recognized body, that provides, for common and repeated use, rules, guidelines, or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context” [1]. Numerous standards have been developed for cyber security to help organizations better manage security risk, implement security controls that meet legal and regulatory requirements, and achieve performance and cost benefits. This article provides an overview of cyber security standards in general and highlights some of the major ongoing international, regional, national, industry, and government standards efforts. It also discusses the advantages of having standards and explains how organizations can participate in standards research and development.

2 CYBER SECURITY STANDARDS OVERVIEW

Cyber security standards are proliferating. Governments and businesses increasingly mandate their implementation. More manufacturers and vendors are building and selling standards-compliant products and services. In addition, a growing number of organizations are becoming involved in standards development. Cyber security standards are being embraced because they are useful. They provide tangible benefits ...