Ross: Agencies should better manage cybersecurity risk
The National Institute of Standards and Technology will recommend that agencies better manage cybersecurity priorities through an enterprisewide strategy, said Ron Ross, a NIST computer scientist.
NIST will publish a three-tiered approach to risk management in a revised edition of special publication 800-39, due for public release in early November, Ross added while speaking during a panel hosted by CyberSecurity Seminars in Washington, D.C. on Oct. 5.
Continuous monitoring will be of little help if the government does not consider systems as part of a greater whole, he said. But most cybersecurity professionals are not focused on organization or mission processes, he added. "I would argue that most of our work, to this day, is at the system level. We're under the hood and taking the engine apart and we're chasing constant numbers of increasing vulnerabilities."
"Most of our systems kind of grow uncontrolled," added Ross. "There's not a lot of thought in the enterprise-wide risk management strategy that every organization needs to consider."
But matters are only going to get more complex, hence the need for a three-tiered risk management concept with governance at the apex, Ross said. It is at the governance layer, the first tier, that agencies should determine a risk management strategy for the entire enterprise, he added.
According to Ross, a good enterprise architecture, a requirement of the second tier, will guide where countermeasures and security controls can be deployed most efficiently and effectively in the operational environment.
Along with the revised SP 800-39, NIST will publish a new continuous monitoring guideline, SP 800-137, and a revised risk management guideline, SP 800-30, Ross said.