Strengthening Public Sector Cybersecurity Audits: Leveraging NIST Standards for Supreme Audit Institutions


Author: Thiago de Oliveira Teodoro, Tribunal de Contas da União (Brazilian Federal Court of Accounts)

Introduction

Supreme Audit Institutions (SAIs) play an essential role in assessing the effectiveness of government policies. In an era marked by rapid technological shifts, policies governing cybersecurity and data protection are under immense pressure to meet high standards of resilience and compliance. This article aims to broaden that assessment by examining new insights that can complement the existing guidelines provided by the International Organization of Supreme Audit Institutions (INTOSAI), mainly described in the following documents:

  1. Working Group on IT Audit (WGITA)-INTOSAI Development Initiative (IDI) Handbook on IT Audit for Supreme Audit Institutions
  2. GUID 5100: Guidance on Audit of Information Systems, and the related initial draft version.
  3. Cybersecurity and Data Protection Audit Guideline from WGITA

The Cybersecurity and Data Protection Audit Guideline, in particular, lists several best practices from the National Institute of Standards and Technology (NIST), which were used here as a baseline for showing how they can add security features to the existing INTOSAI guidelines. NIST provides a comprehensive framework together with a flexible, customizable catalogue of security and privacy controls to help organizations manage system risks, address cyber threats, and support organization-wide risk management.

This review highlights what can be considered the five most critical NIST security and privacy control families referenced by the INTOSAI guidelines, each correlated with a high-impact cyberattack.

Five Essential NIST Control Families: Lessons from High-Impact Cyberattacks

1. Supply Chain Risk Management (SR)

Supply Chain Risk Management has become a critical concern due to the growing prevalence of supply chain attacks that threaten both public and private sector entities. One notable example is the SolarWinds attack in 2020, where adversaries infiltrated software updates, leading to widespread compromises, including among government agencies. Such incidents show the importance of robust oversight and risk assessment when dealing with third-party suppliers. To mitigate these risks, SAIs should establish clear guidelines for evaluating supplier vulnerabilities and verifying the authenticity of components and services. Implementing standards like NIST SP 800-161 can enhance security by providing a structured framework for identifying and managing supply chain risks.

2. Incident Response (IR)

Incident Response Management is essential for minimizing the impact of security breaches, particularly in the face of ransomware and Advanced Persistent Threats (APTs). A clear example is the April 2022 Conti ransomware attack on Costa Rica, which severely impacted multiple government agencies, including the Ministry of Finance, disrupting tax collection and other critical services. Such incidents highlight the need for proactive incident response planning to ensure organizations can detect, contain, and recover from cyberattacks. SAIs should promote comprehensive incident management strategies, including assistance frameworks, structured response plans, and regular testing of incident protocols. Adopting industry standards like NIST SP 800-61 can further strengthen response capabilities and enhance overall cybersecurity resilience.

3. Personally Identifiable Information (PII) processing and Transparency (PT)

Privacy and Data Protection have become paramount as regulations, such as the General Data Protection Regulation (GDPR), impose strict requirements on managing and safeguarding personally identifiable information (PII). Failure to protect sensitive data can lead to severe breaches, as seen in 2020 when adversaries compromised governmental communications and critical political information in the Norwegian Parliament. Such incidents highlight the importance of strong privacy governance and compliance measures. SAIs should implement privacy impact assessments and establish comprehensive data protection frameworks to mitigate risks. Incorporating the NIST Privacy Framework allows SAIs to develop a structured approach to privacy governance, ensuring compliance, accountability, and sustained public trust in data handling.

4. Continuous Monitoring and Automated Security Operations (CA, SI)

Continuous Monitoring and Automated Security Operations are essential for identifying and mitigating vulnerabilities in real time, especially in critical systems. A significant example is the MOVEit Transfer vulnerability exploitation in 2023, where adversaries successfully embedded malware in legitimate data transfers, impacting multiple organizations, including the U.S. Department of Energy. This incident shows the importance of proactive and automated security monitoring to detect and respond to threats before they escalate. SAIs should adopt automated tools, adaptive security methodologies, and continuous monitoring frameworks to enhance cyber resilience. Leveraging guidance from NIST SP 800-137A can help establish robust security operations that respond dynamically to emerging threats and vulnerabilities.

5. Internet of Things (IoT) and Operational Technology (OT) Security (PE, SC)

The Internet of Things (IoT) and Operational Technology (OT) play a central role in critical infrastructure, but their weak configurations make them prime targets for cyber threats. A prominent example is the Colonial Pipeline ransomware attack in 2021, where adversaries disrupted fuel distribution across the U.S., leading to widespread shortages and triggering a federal response to enhance critical infrastructure security. This incident underscores the need to secure IoT and OT environments to prevent similar disruptions. SAIs should adopt risk-based auditing strategies that address IoT and OT vulnerabilities, including device authentication, encryption, and secure communications. Utilizing the guidance from NIST SP 1800-25, SP 1800-26, and SP 800-82 can strengthen the resilience and security of these systems.

Conclusion

These five security areas tackle key threats, but numerous other NIST security and privacy control families could also be considered. A similar methodology can be applied to broaden the analysis, focusing on specific security controls and offering more targeted recommendations. This approach can leverage existing INTOSAI guidelines while incorporating detailed insights from other standards, such as NIST.

Finally, by enhancing their own cybersecurity controls, SAIs can better audit and reinforce the security controls of the entities they oversee, ultimately improving the resilience of public sector information systems.
