Cybersecurity Profile for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services

doi:https://doi.org/10.6028/NIST.IR.8323-draft

July 19, 2023: URLs for CSRC publication details pages have changed. Legacy URLs should automatically redirect to the new URLs. However, links to the actual publications have NOT changed (e.g., DOIs and PDFs on nvlpubs.nist.gov). Please send inquiries to csrc-inquiry@nist.gov. [12:20 pm ET - If you received "Page Not Found" errors recently, please retry accessing those files. File synchronization should now be complete.]

NIST IR 8323 (Initial Public Draft)

Obsoleted on February 11, 2021 by IR 8323

Cybersecurity Profile for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services

Documentation Topics

Date Published: October 2020
Comments Due: November 23, 2020 (public comment period is CLOSED)
Email Questions to: pnt-eo@list.nist.gov

Announcement

About the Profile

The PNT cybersecurity profile is part of NIST’s response to the Feb. 12, 2020, Executive Order 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services. The order notes that “the widespread adoption of PNT services means disruption or manipulation of these services could adversely affect U.S. national and economic security. To strengthen national resilience, the Federal Government must foster the responsible use of PNT services by critical infrastructure owners and operators.”

NIST has developed this PNT cybersecurity profile to help organizations identify systems, networks, and assets dependent on PNT services; identify appropriate PNT services; detect the disruption and manipulation of PNT services; and manage the associated risks to the systems, networks, and assets dependent on PNT services. This profile will help organizations make deliberate, risk-informed decisions on their use of PNT services.

NIST is seeking comments on the draft PNT cybersecurity profile. Comments must be received no later than November 23, 2020. All relevant comments will be posted publicly.

We encourage you to organize and submit your comments using our comment template.

Note to Reviewers

This request for review presents several topics for which NIST is requesting federal agency and industry review and comment for potential changes or additions to the current text. Reviewers may respond to any of these topic areas as they choose. There is no requirement to include any of the topic areas in submitted comments.

NIST is particularly interested in comments and recommendations on the following topics:

Gaps in existing standards, guidelines and practices associated with the responsible use of PNT services.
Additional guidance on the application of the Cybersecurity Framework that can be provided as examples in the Appendix.
The degree to which the Cybersecurity Framework functions, categories, and subcategories adequately address the broad scope of cybersecurity concerns regarding the responsible use of PNT services.
Additional informative references such as standards and guidance documents that can be implemented into the core.
Whether the controls and informative references are adequate and appropriate.

NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Abstract

The national and economic security of the United States (US) is dependent upon the reliable functioning of critical infrastructure. Positioning, Navigation and Timing (PNT) services are widely deployed throughout the critical infrastructure. A disruption or manipulation of PNT services would have adverse impacts on much of the nation’s critical infrastructure. In a government wide effort to mitigate these impacts, Executive Order (EO) 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation and Timing Services was issued on February 12, 2020. The EO tasks various Federal agencies with specific actions to ensure the responsible use of PNT services. The National Institute of Standards and Technology (NIST) as part of the Department of Commerce (DoC), is required to produce a “Profile” to address the responsible use of PNT services. This document is a PNT Profile that is based on the Cybersecurity Framework. The PNT serves as the foundation for the broad and varied stakeholder community using PNT services. The primary focus of this Profile is Cybersecurity as it relates to the US critical infrastructure. Applicability of this Profile to various sectors and sub-sectors is assumed, however sector specific concerns are not formally addressed. The EO provides guidance concerning the roles of the Sector Specific Agencies (SSAs) in regard to the specific PNT communities they serve, from which further sector efforts are expected to develop based on the use of this foundational Profile.

Keywords

critical infrastructure; Cybersecurity Framework; Executive Order; GPS; navigation; PNT; positioning; risk management; timing

Control Families

None selected

Documentation

Publication:
https://doi.org/10.6028/NIST.IR.8323-draft
Download URL

Supplemental Material:
Template for submitting comments (xlsx)
Comments received

Document History:
08/31/20: Other (Draft)
10/22/20: IR 8323 (Draft)
02/11/21: IR 8323 (Final)

Topics

Security and Privacy

general security & privacy, risk management

Applications

cybersecurity framework, positioning navigation & timing