NIST finalizes cybersecurity guidance for positioning, navigation and timing systems

As part of an effort to help users apply its well-known Cybersecurity Framework (CSF) as broadly and effectively as possible, the National Institute of Standards and Technology (NIST) has released finalized cybersecurity guidance for positioning, navigation and timing (PNT) services.

Formally titled Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation and Timing (PNT) Services (NISTIR 8323), the document is part of NIST’s response to the Feb. 12, 2020, Executive Order 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services. To develop the profile, NIST sought public input regarding the general use of PNT data before releasing a draft version in October 2020. The finalized version reflects public comments NIST received on the draft.

The “profile,” a term NIST uses to describe the application of the CSF to a specific implementation scenario, is intended to help mitigate the cybersecurity risks that confront PNT services. These services are important to national and economic security and include the Global Positioning Systems that are widely used by smartphone-based navigation apps, as well as split-second timing technologies that enable stock trading and efficient control of the power grid.

“Many efforts to secure PNT services were underway before we began developing this profile, but there wasn’t a formal reference for risk mitigation that everyone could use,” said NIST’s Jim McCarthy, one of the profile’s authors. “The Executive Order was targeted to address all users of PNT services, and we are confident the entire community can benefit.”

The main addition since the draft version was released is a “Quick Guide” intended to offer users an easier way to get started using the profile.

“The Quick Guide illustrates all the areas we cover in the profile and simplifies them,” McCarthy said. “Those less familiar with their own use of PNT services will benefit from the guide, as the process of implementing the profile may seem complicated for the novice user.”

IT personnel might appreciate the extensive set of references the authors have included. These range from guidance already published by both government and private sector entities to academic papers and other technical sources.

“The profile has perhaps the most comprehensive list of PNT cybersecurity references compiled into a single document so far,” McCarthy said. “They can serve as examples for anyone trying to tailor the profile’s approach to their own system.”

McCarthy and Jim Platt of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency will give an online presentation about the U.S. government’s efforts to increase the resiliency of PNT services at this year’s virtual RSA Conference. Their presentation, scheduled for 3 p.m. EDT on May 19, 2021, will be prerecorded but will include a live Q&A segment at the end.

McCarthy said that although the profile was now finalized, NIST would continue to look for ways to keep it current.

“In accordance with the Executive Order, we plan to revisit the profile every two years or as needed,” he said. “We intend to make sure it remains useful.”

For more information, please visit www.nist.gov/pnt.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.