NIST Cybersecurity Resources During the Shutdown

Grant National Memorial and NIST Cybersecurity Resources during the shutdown. REUTERS/Mike Segar

They did what?

During the government shutdown, which has now gone on for over two weeks, the clever folks at the National Institute of Standards and Technology (NIST) took down many of the resources that the cybersecurity community relies on to help protect society.

The NIST Cybersecurity department has indispensable frameworks and other tools that cybersecurity professionals use every day. These resources have been created over the years by some of the best minds in cybersecurity. Many volunteers have assisted in heroic efforts to help us improve our cybersecurity positioning in a world where hackers, digital pirates and malware operators always seem to be just around the corner.

Obviously, not all ongoing operations are funded during the government shutdown – but even during this “partial shutdown,” the NIST website is up. So, the government is not saving any money by taking the site down. NIST just crippled portions of the website so that we could not access the documentation that taxpayers have spent millions of dollars on.

Other government departments have put up a notice that says, “Due to the lapse in federal funding this website will not be actively managed.” Why actually remove access to some of the already existing resources that taxpayers use routinely? NIST Cybersecurity’s behavior is infuriating to those who rely on having NIST around to help with cybersecurity progress – the shutting down of these key resources seems arbitrary, and evokes a powerful reaction from people who care about the state of our digital resources.

Stages of Shutdown Grief

If you’re like many of us frustrated by these capricious changes, you may have gone through some of these “Five Stages of Shutdown Grief” on the way to an understanding of the situation.

  • Denial
    – No, they wouldn’t take down this content. This behavior will help the bad
    guys, and it won’t save any money. It takes more effort to change the site than
    to keep it as it was, anyway.
  • Anger
    – I can’t believe that they did this! Their childish behavior is infuriating.
  • Bargaining
    – Well, maybe we can get access to some of the resources despite the shutdown.
  • Depression
    – There’s nothing that we can do. I might as well just leave the floodgates
    open to hackers.
  • Acceptance
    – Okay, the resources aren’t there, but the knowledge is still out there.
    It is just harder to access it. Maybe we can make it easier to get the
    information in one place.

NIST Cybersecurity resource availability

Not all NIST Cybersecurity sites are down. The National Vulnerability Database (NVD) is funded. It’s up and running. The NVD is the site that allows users to report and receive vulnerability information.

That’s good – but the bad news is that most of the other NIST Cybersecurity content is not available. This really puts a wrench in the spokes when it comes to circling the wagons and keeping businesses and individuals secure in a time when cybercrime and cyberattacks are rampant.

What We Should Do for Future Government Shutdowns

Given the current state of political discord, we should expect future government shutdowns. This unfortunate fact should drive some future decision-making. Here are some concrete recommendations for us to follow, as a country and as individuals, to be able to deal with these kinds of unfortunate situations more easily:

  • Congress should prohibit NIST from
    taking down static cybersecurity content from their website in the event of a
    future shutdown.
  • The Secretary of Commerce should
    fire the person who made the decision to take down this NIST cybersecurity content.
    Cybersecurity is hard enough without having resources that we depend on being
    yanked out of our hands. Undoubtedly, this person was not acting in the best
    interest of the United States.
  • All of us in the cybersecurity
    profession should click “download” the next time we access content on the NIST
    website. That way if the materials are suddenly taken down, we still have a
    copy. I am kicking myself for not doing it for certain documents that I access
    frequently.
  • A large company with good intentions
    should scan and mirror the NIST Cybersecurity content onto one of their servers
    and put it up in the event of a future government shutdown. They’ll be heroes!

NIST Cybersecurity content during the shutdown

GitHub NIST Cybersecurity Documents

We at Fractional CISO decided to take matters into our own hands. Using a bunch of NIST files from our archives, we started a GitHub repository with NIST Cybersecurity PDFs. Here it is: https://github.com/fractional-ciso/NIST-Cybersecurity-Documents

We are betting that other folks in the cybersecurity community have NIST Cybersecurity documentation as well. We are looking to populate the repository with the most important NIST Cybersecurity files. Some have already contributed. Thank you! If you have some of this content, then please do one of the following:

  • Contribute to the GitHub project. Here’s
    how to do it.
  • Ask to be a collaborator.
  • Contact us and get us the files.


We appreciate everyone’s help in this effort.

Next Steps

If you would like help with your cybersecurity strategy or program, give Fractional CISO a call for a complimentary consultation. We can be reached at (617) 297-9509 or by email at [email protected].

This article originally appeared on the Fractional CISO blog.
