Volume 2
Supplemental Information for the
Interagency Report on Strategic U.S.
Government Engagement in International
Standardization to Achieve U.S.
Objectives for Cybersecurity

Prepared by the International Cybersecurity Standardization Working Group
of the National Security Council’s
Cyber Interagency Policy Committee

This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.IR.8074v2

Juniper Ex. 1039-p. 1
Juniper v Huawei

NISTIR 8074
Volume 2

Supplemental Information for the
Interagency Report on Strategic U.S.
Government Engagement in International
Standardization to Achieve U.S.
Objectives for Cybersecurity

Prepared by the International Cybersecurity Standardization Working Group
of the National Security Council’s
Cyber Interagency Policy Committee

NIST Editors:
Michael Hogan
Elaine Newton
Information Technology Laboratory

This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.IR.8074v2

December 2015

U.S. Department of Commerce
Penny Pritzker, Secretary

National Institute of Standards and Technology
Willie May, Under Secretary of Commerce for Standards and Technology and Director

National Institute of Standards and Technology Interagency Report 8074 Volume 2
79 pages (December 2015)

This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.IR.8074v2

DISCLAIMER

Certain commercial entities may be identified in this document in order to describe
a concept adequately. Such identification is not intended to imply recommendation
or endorsement by NIST, nor is it intended to imply that the entities are necessarily
the best available for the purpose.

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analyses to advance the development and productive use of
information technology. ITL’s responsibilities include the development of management, administrative,
technical, and physical standards and guidelines for the cost-effective security and privacy of other than
national security-related information in Federal information systems.

Abstract

This report provides background information and analysis in support of NISTIR 8074 Volume 1, Report
on Strategic U.S. Government Engagement in International Standardization to Achieve U.S. Objectives
for Cybersecurity. It provides a current summary of ongoing activities in critical international
cybersecurity standardization and an inventory of U.S. Government and U.S. private sector engagement.
It also provides information for federal agencies and other stakeholders to help plan more effective
participation in international cybersecurity standards development and related conformity assessment
activities.

Keywords

conformity assessment; coordination; cybersecurity; ICS; Industrial Control Systems; international
standards; IT; information technology; privacy; standards education; strategy; SDO; standards developing
organizations; standards development

Foreword

NISTIR 8074 Volume 2 provides background information and analysis in support of NISTIR
8074 Volume 1, Interagency Report on Strategic U.S. Government Engagement in
International Standardization to Achieve U.S. Objectives for Cybersecurity. It provides a
current summary of ongoing activities in critical international cybersecurity standardization. It
also provides information for Federal agencies and other stakeholders to help plan more effective
participation in international cybersecurity standards development and related conformity
assessment activities.

Table of Contents

Introduction ........................................................................................................................................ 1

1 Why are cybersecurity standards critical? ................................................................................. 2

2 Why is conformity assessment for cybersecurity standards important? .................................... 3

3 Core Areas in Cybersecurity Standardization ............................................................................ 4

4 Some Key IT Applications .......................................................................................................... 6

5 Present State of International Cybersecurity Standardization ................................................... 7

6 Standards Developing Organizations (SDOs) ........................................................................... 21

7 IT Standards Development ....................................................................................................... 30

8 Accelerating IT Standards Development .................................................................................. 34

9 Ongoing Issues in IT Standards Development .......................................................................... 36

10 How to Effectively Engage SDOs ............................................................................................ 38

Annex A – Terms and Definitions .................................................................................................... 41

Annex B – Conformity Assessment ................................................................................................... 45

Annex C – USG Legislative and Policy Mandates for Cybersecurity ............................................... 52

Annex D – Cybersecurity Analysis of Application Areas ................................................................. 54

Supplemental Information for the Interagency Report on Strategic U.S. Government Engagement
in International Standardization to Achieve U.S. Objectives for Cybersecurity

Introduction

NISTIR 8074 Volumes 1 and 2 were drafted by the National Security Council (NSC) Cyber
Interagency Policy Committee’s (IPC’s) International Cybersecurity Standardization Working
Group. Volume 2 provides additional information that supports the strategic objectives and
recommendations in NISTIR 8074 Volume 1, Interagency Report on Strategic U.S. Government
Engagement in International Standardization to Achieve U.S. Objectives for Cybersecurity.

Use of cybersecurity standards for information technologies (IT) and industrial control systems
(ICS) is necessary for the cybersecurity and resiliency of all U.S. information and
communications systems and supporting infrastructures. Widespread awareness of the topics
covered in this document will inform U.S. policymakers, enhance the effectiveness of standards
engagement by agency cybersecurity standards participants and their management, and support
cooperative activities between and among agencies, with other governments and the private
sector. Such topics include: the nature of international standards development and types of
conformity assessment; the role of international cybersecurity standards and conformity
assessment in enhancing security and promoting commerce; an inventory of critical
cybersecurity standards developing organizations (SDOs) and the status of cybersecurity
standards in core areas; ongoing issues in IT standardization; and general principles for effective
participation in standards development, including in situations where accelerating standards
development is desirable.

This document does not attempt to establish authoritative definitions for key terms, some of
which have been defined more than once by other bodies. For purposes of this document,
working definitions for key terms are found in Annex A.

Conformity assessment, which determines whether a product, process, system, person or body
has fulfilled specified requirements, is discussed within the body of this document and explained
in more depth in Annex B.

In support of the document’s analysis of the status of cybersecurity standardization for critically
important IT applications, Annex C lists U.S. Government (USG) mandates relating to
cybersecurity, and Annex D provides cybersecurity analyses for some key and emerging
application areas.

This document does not address USG use of these standards in regulation, procurement, or other
mission-related activities. That topic is covered by OMB Circular A-119.

NISTIR 8074 Volume 2

1 Why are cybersecurity standards critical?

“America’s economic prosperity, national security, and our individual liberties depend on
our commitment to securing cyberspace and maintaining an open, interoperable, secure, and
reliable Internet. Our critical infrastructure continues to be at risk from threats in
cyberspace, and our economy is harmed by the theft of our intellectual property. Although
the threats are serious and they constantly evolve, I believe that if we address them
effectively, we can ensure that the Internet remains an engine for economic growth and a
platform for the free exchange of ideas.” 1

With the convergence and connectivity of IT, the deployment of cybersecurity standards-based
products, processes, and services is essential. Establishment and use of international
cybersecurity standards are essential for: ensuring the integrity and reliable operation of critical
infrastructure, improving trust in online transactions, mitigating the effects of cyber incidents
(e.g., crime), and ensuring secure interoperability among trade, law enforcement, and military
partners, thereby facilitating increased efficiencies in the global economy. Such standards are
especially important in the interconnected world where products, processes, and services are
developed and delivered throughout global supply chains that provide acquirers little
transparency into supplier practices beyond the prime contractor. A recent report on the
economic costs of cybercrime stated:

Cybercrime is a growth industry. The returns are great, and the risks are low. We
estimate that the likely annual cost to the global economy from cybercrime is
more than $400 billion. A conservative estimate would be $375 billion in losses,
while the maximum could be as much as $575 billion. Even the smallest of these
figures is more than the national income of most countries and governments and
companies underestimate how much risk they face from cybercrime and how
quickly this risk can grow. 2

International standardization can also be used as a competitive tool. Firms often have well-
defined strategies for standards development, including management of intellectual property
rights, aimed at achieving that advantage. Advantage can be gained by influencing the
development of a standard. In some cases, firms can gain a competitive advantage by being first
to market with a standards-based product, process, or service.

Finally, federal agencies rely heavily on voluntary consensus standards—including international
standards—which they often incorporate into regulatory and procurement requirements or use in
support of other mission-related activities. Occasionally, standards-related measures are used by
countries to protect domestic producers or provide a competitive advantage, or such measures
can distort trade for other reasons as well. The World Trade Organization (WTO) Agreement,
including the WTO Agreement on Technical Barriers to Trade (TBT Agreement), and other trade
agreements establish rules governing the use of standards-related measures by governments to
ensure that such measures are not used in a manner that discriminates against foreign products or
otherwise creates unnecessary obstacles to trade.

1 President Obama, see https://www.whitehouse.gov/issues/foreign-policy/cybersecurity [accessed 11/20/2015].
2 McAfee, Inc., Net Losses: Estimating the Global Cost of Cybercrime—Economic Impact of Cybercrime II, June
2014, p. 2. http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2-summary.pdf [accessed
11/20/2015].

2 Why is conformity assessment for cybersecurity standards important?

“When you can measure what you are speaking about and express it in numbers, you know
something about it; but when you cannot measure, when you cannot express it in numbers,
your knowledge is of a meager and unsatisfactory kind; it may be the beginning of
knowledge, but you have scarcely, in your thoughts, advanced to the stage of science.”3

When protecting sensitive information, industrial control systems, and networks, government
agencies need to have a minimum level of assurance that a stated security claim is valid.
Conformity assessment is an activity that provides a demonstration that specified requirements
relating to a product, process, system, person or body are fulfilled. Conformity assessment
activities can be performed by many types of organizations or individuals. Conformity
assessment can be conducted by: (1) a first party, which is generally the supplier or
manufacturer; (2) a second party, which is generally the purchaser or user of the product; (3) a
third party, which is an independent entity that is generally distinct from the first or second party
and has no interest in transactions between the two parties; and (4) the government, which has a
unique role in conformity assessment activities related to regulatory requirements. See Annex B
for an overview.

In the field of IT, testing is often the most rigorous way to determine if a product, process, or
service has fulfilled all of the requirements. An example is the USG requirement of using tested
and validated cryptographic modules.4 A user’s (e.g., a regulator) confidence in test results may
be influenced by the level of independence of the testing body (e.g., first, second, or third party)
and/or recognition by an accrediting body. This in turn directly relates to the risk associated with
product, process, or service non-conformance. For IT, four important types of conformity
assessment-related testing are: conformance, performance, stress, and interoperability testing.

• Conformance testing captures the technical description of the requirements in a standard
and measures whether an implementation (product, process, or service) faithfully fulfills
these requirements. Conformance testing does not completely ensure the interoperability
or performance of conforming products, processes, or services. Therefore,
interoperability and performance testing are also important aspects for procurements.

• Performance testing measures the performance characteristics of an implementation, such
as its throughput or responsiveness, under various conditions.

• Stress testing involves scaling up the load on an implementation and then measuring
performance as the load increases.

• Interoperability testing tests one implementation with another to establish that they can
work together properly.

3 Lord Kelvin, William Thomson, a British scientist who helped to lay the foundations of modern physics. Lecture
on “Electrical Units of Measurement” (3 May 1883), published in Popular Lectures Vol. I, p. 73.
4 NIST Cryptographic Module Validation Program (CMVP), http://csrc.nist.gov/groups/STM/cmvp/.

Testing, and ensuring the competence of bodies that conduct the testing, is as much of a market
driver as the specific standard itself. In support of international trade, the TBT Agreement
encourages mutual acceptance of test results of conformity assessment procedures and the use of
international systems of conformity assessment.

Other types of conformity assessment are often used to ensure that products, processes, or
services comply with regulations or voluntary consensus standards. These include: tests of
components, certification of test results, and accreditation methods that assess the competence of
testing, certification, and inspection bodies. Using commercial testing bodies known to be
competent for specific testing areas can be more cost effective for federal agencies than
developing USG testing expertise.

3 Core Areas in Cybersecurity Standardization

Core areas are key attributes of cybersecurity that broadly impact the overall cybersecurity of IT
products, processes, and services. The NSC Cyber IPC’s International Cybersecurity
Standardization Working Group reviewed the areas of cybersecurity standardization presently
underway in many SDOs to determine a taxonomy. This taxonomy represents important areas
of cybersecurity standardization. It is not all inclusive and could certainly evolve over time, but it
is considered sufficient for this analysis of the state of cybersecurity standardization. These core
areas may also be interdependent. For instance, Security Automation and Continuous
Monitoring is important for describing various aspects of how to support Cyber Incident
Management, Information Security Management System, and Network Security.

The core areas of cybersecurity standardization include:

Cryptographic Techniques and mechanisms and their associated standards are used to provide:
confidentiality; entity authentication; non-repudiation; key management; data integrity;
trustworthy data platforms; message authentication; and digital signatures.

Cyber Incident Management standards support information sharing processes, products, and
technology implementations for cyber incident identification, handling, and remediation. Such
standards enable organizations to identify when a cyber incident has occurred, to properly
respond to that incident and recover from any losses as a result of the incident. Such standards
are one method to enable jurisdictions to exchange information about incidents, vulnerabilities,
threats and attacks, the system(s) that were exploited, security configurations and weaknesses
that could be exploited, etc.

Identity and Access Management and related standards enable the use of secure, interoperable
digital identities and attributes of entities to be used across security domains and organizational
boundaries. Examples of entities include people, places, organizations, hardware devices,
software applications, information artifacts, and physical items. Standards for identity and access
management support identification, authentication, authorization, privilege assignment, and audit
to ensure that entities have appropriate access to information, services, and assets. In addition,
many identity and access management standards include privacy features to maintain anonymity,
unlinkability, untraceability, ensure data minimization, and require explicit user consent when
attribute information may be shared among entities.

Information Security Management System (ISMS) standards provide a set of processes and
corresponding security controls to establish a governance, risk, and compliance structure for
information security for an organization, an organizational unit, or a set of processes controlled
by a single organizational entity. An ISMS requires a risk-based approach to security that
involves selecting specific security controls based on the desired risk posture of the organization
and requires measuring effectiveness of security processes and controls. An ISMS requires a
cycle of continual improvement for an organization to continue assessing security risks,
assessing controls, and improving security to remain within risk tolerance levels by balancing
security and risk tolerances.

IT System Security Evaluation and assurance standards are used to provide: security
assessment of operational systems; security requirements for cryptographic modules; security
tests for cryptographic modules; automated security checklists; and security metrics.

Network Security standards provide security requirements and guidelines on processes and
methods for the secure management, operation and use of information, information networks,
and their inter-connections. Such standards-based technologies can help to assure the
confidentiality and integrity of data in motion, assure electronic commerce, and provide for a
robust, secure and stable network and internet.

Security Automation and Continuous Monitoring (SACM) standards describe protocols and
data formats that enable the ongoing, automated collection, monitoring, verification, and
maintenance of software, system, and network security configurations, and provide greater
awareness of vulnerabilities and threats to support organizational risk management decisions.
Automation protocols also include standards for machine-readable vulnerability identification
and metrics, platform and asset identification, actionable threat information and policy triggers
for actions to respond to threats and policy violations. Automated activities would include a
Security Operation Center (SOC) to ensure autonomous and continuing monitoring and
evolution of the security state of assets based upon prescribed events.

Supply Chain Risk Management (SCRM) standards provide the confidence that organizations
will produce and deliver information technology products or services that perform as required
and mitigate supply chain-related risks, such as the insertion of counterfeits and malicious
software, unauthorized production, tampering, theft, and poor quality products and services. IT
SCRM standardization requirements include methodologies and processes that enable an
organization’s increased visibility into, and understanding of, how technology that they acquire
and manage is developed, integrated, and deployed, as well as the processes, procedures, and
practices used to assure the integrity, security, resilience, and quality of the products and
services. IT SCRM standardization lies at the intersection of cybersecurity and supply chain
management and provides a mix of mitigation strategies from both disciplines for a targeted
approach to managing IT supply chain risks.

Software Assurance standards describe requirements and guidance for significantly decreasing
the likelihood of software having vulnerabilities, either intentionally designed into the software
or accidentally inserted at any time during its life cycle, and that the software functions in the
intended manner. This includes custom software, commercial off-the-shelf software, firmware,
operating systems, utilities, databases, applications and applets for the Web,
software/platform/infrastructure as a service (SaaS, PaaS, IaaS), mobile and consumer devices,
etc.

System Security Engineering standards describe planning and design activities to meet security
specifications or requirements for the purpose of reducing system susceptibility to threats,
increasing system resilience, and enforcing organizational security policy. A comprehensive
system security engineering effort: includes a combination of technical and nontechnical
activities; ensures all relevant stakeholders are included in security requirements definition
activities; ensures that security requirements are planned, designed, and implemented into a
system during all phases of its lifecycle; assesses and understands susceptibility to threats in the
projected or actual environment of operation; identifies and assesses vulnerabilities in the system
and its environment of operation; identifies, specifies, designs, and develops protective measures
to address system vulnerabilities; evaluates/assesses protective measures to ascertain their
suitability, effectiveness and degree to which they can be expected to reduce mission/business
risk; provides assurance evidence to substantiate the trustworthiness of protective measures;
identifies, quantifies, and evaluates the costs and benefits of protective measures to inform
engineering trade-off and risk response decisions; and leverages multiple security focus areas to
ensure that protective measures are appropriate, effective in combination, and interact properly
with other system capabilities.

4 Some Key IT Applications

IT applications are systems that support performing real-world tasks, which benefit organizations
and people. Present USG priorities in IT applications are driven by agencies’ missions and
specific legislative and policy mandates, which are listed in Annex C. Based upon the mandates
listed in Annex C, some of the high priority IT applications for the USG are described below. A
cybersecurity analysis of each of these IT application areas is contained in Annex D.

Cloud Computing: Cloud computing is a relatively new paradigm that changes the emphasis of
the traditional IT services from procuring, maintaining, and operating the necessary hardware and
related infrastructure to the business’ mission, and delivering value added capabilities and services
at lower cost to users. Defined as a model for enabling convenient, on-demand network access to
a shared pool of configurable computing resources (e.g., networks, servers, storage, applications,
and services) that can be rapidly provisioned and released with minimal management effort or
service provider interaction, cloud computing maximizes capacity utilization, improves IT
flexibility and responsiveness, and minimizes cost of implementations and operations for all cloud-
based information systems.

Emergency Management: The first responder community needs reliable, secure, and
interoperable information and communications technology to protect the public during disasters
and catastrophes. There is increasing convergence of the voice, data, and video information
being exchanged to provide situational awareness in response to an event. For larger disasters
and catastrophes, first responders from neighboring jurisdictions or inter-governmental
jurisdictions (i.e., state or Federal) need to be integrated into the response, along with the
information and communications technologies they use.

Industrial Control Systems (ICS): ICS is a general term that encompasses several types of
control systems, including supervisory control and data acquisition (SCADA) systems,
distributed control systems (DCS), and other smaller control system configurations often found
in the industrial control sectors. ICSs are used across the critical infrastructure and key resources
(CIKR) sectors, including the electric, water, oil and gas, chemical, pharmaceutical, pulp and
paper, food and beverage, and critical manufacturing (automotive, aerospace, and durable goods)
industries.

Health Information Technology (HIT): The use of information technology makes it possible
for health care providers to better manage patient care through secure use and sharing of health
information. HIT includes the use of electronic health records (EHRs) instead of paper medical
records to maintain patient health information and to support and manage their clinical care.
Secure and interoperable HIT provides for: seamless movement between health care providers
without loss of information; instant access to medical histories at the point of care; fewer errors
and redundant tests; more efficient and effective reporting, surveillance, and quality monitoring;
and quick detection of adverse drug reactions and epidemics.

Smart Grid: The electric power industry is undergoing grid modernization efforts to transform
from a centralized, producer-controlled network to one that is a distributed and consumer-
interactive grid that enables bidirectional flows of energy and uses two-way communication and
control capabilities. The move to a smarter electric grid will provide new ways in which power
can be generated, delivered and used that minimize environmental impacts, improve reliability
and service, reduce costs and improve efficiency. Deployment of various Smart Grid elements,
including smart sensors on distribution lines, smart meters in homes, and integration of widely
dispersed sources of renewable energy, is already underway and further integrates the energy, IT
and telecommunication sectors.

Voting: The most familiar part of a voting system is the mechanism used to capture the
citizenry’s choices or votes on ballots. In addition to the vote capture mechanism, a voting
system includes voter registration databases and election management systems. Voter
registration databases contain the list of citizens eligible to participate in a jurisdiction’s election.
Voter registration databases populate poll books used at polling places to verify one’s eligibility
to participate in an election and ensure they received the correct ballot style. The election
management system is used to manage the definition of different ballot styles, configuration of
the vote capture mechanism, collection and tallying of cast ballots, and creation of election
reports and results.

5 Present State of International Cybersecurity Standardization

The status of cybersecurity standards can be assessed by reviewing some key USG priority IT
applications, which are described in Section 4 and Annex D, with respect to the core areas of
cybersecurity standardization that are described in Section 3.

Table 1 below provides a snapshot of the present status of cybersecurity standards and their
implementation by the marketplace. “Standards Mostly Available” indicates that SDO
approved cybersecurity standards are for the most part available and that standards-based
implementations are available. However, even available standards require continuous
maintenance and updating based upon feedback from testing and deployments of standards-based
products, processes, and services, as well as improvements in technology and the exploitation of
those improvements by our adversaries. “Some Standards Available” indicates that some
standards exist and have standards-based implementations, but there may be a need for
additional standards and/or revisions to existing standards in this area. “Standards Being
Developed” indicates that needed SDO approved cybersecurity standards are still under
development and that needed standards-based implementations are not yet available.
“New Standards Needed” indicates that new cybersecurity standards development projects are
starting to be considered by various SDOs. Where there are existing standards that are being
implemented, it should be noted that these standards will also need to be maintained and
replaced, particularly as new technologies evolve.

Cybersecurity standards include many standards that are much broader than cybersecurity but are
very relevant to cybersecurity, as well as standards whose scopes are specific to one or more
attributes of cybersecurity. It is important to highlight that there are a number of generic
standards under development or in existence that are relevant to the core area rows and specific
applications in the columns of Table 1 below. These standards may be revised or expanded to
include cybersecurity information.

Four observations can be made on the overall status of ongoing cybersecurity standardization.
First, robust standardization activities in the listed core areas of cybersecurity standardization are
undoubtedly necessary for ensuring interoperability, security, usability, and resiliency. Secon