Are NIST cybersecurity guidelines too tame?


The National Institute of Standards and Technology (NIST) has issued a new set of security guidelines for unclassified information systems at civilian federal agencies, but some experts say the guidance falls short of what is needed to protect all government systems.

The Cyber Secure Institute (CSI) said the guidelines leave out federal systems that are rated as low- or moderate-impact targets, and that they fail to recognize that attacks on low-impact agencies also come from highly skilled adversaries.

"So-called high-end threats are now the norm, not the exception," CSI said in a report. "Federal and private sector IT professionals increasingly report that the attacks they confront on a regular basis are from highly skilled, highly motivated and well-resourced actors, ranging from the Russian mob, to the Chinese military, to organized cyber-criminals."

Ron Ross, a senior computer scientist and information security researcher at NIST, said there has been confusion over what NIST's guidelines require. In his view, individual agencies must tailor the guidelines to their own needs, selecting stronger controls where their risk warrants it.

Federal agencies are required to categorize their own systems by impact level (low, moderate or high), and high-impact systems are those whose loss would have a "severe, catastrophic effect," Ross said. "Those baselines [in the NIST recommendations] are minimum starting points for agencies."

For more on cybersecurity standards needed for federal agencies:
- check out this CIO.com article

Related Articles:
NIST proposes computer security plan
NIST works on new cybersecurity rules
NIST seeks a national smartgrid
NIST revising guidelines for PIV testing