NIST 800-46: Securing Your Enterprise in the Work-From-Home Reality


The COVID-19 crisis has thrown up innumerable challenges for businesses. With remote working becoming part of everyday reality, it has significantly increased the challenge of cyber security. In order to continue functioning, companies must facilitate working from home. At the same time, they must also ensure that unsecured hardware, networks and devices do not become a cyber ‘Achilles Heel’.

To help businesses adjust, the National Institute of Standards and Technology (NIST) recently reiterated its Special Publication 800-46, which outlines guidelines for securing enterprise telework, remote access and bring-your-own-device (BYOD). Read on to find out how this might be useful for your business.

What exactly is NIST 800-46?

The National Institute of Standards and Technology originally issued Special Publication 800-46 back in 2016. It was intended then, as it is now, to provide a frame of reference regarding security considerations for several types of remote access solutions. It also suggests related security policies and makes relevant recommendations for companies grappling with the issue of off-site working.

NIST 800-46 is not a legal requirement, law or regulation for companies. However, that certainly doesn’t mean that it should be ignored, far from it. 800-46 is viewed as the central tool for businesses attempting to manage the security risk of remote working. Given the unprecedented increase in remote work stations and the possibility that it is here to stay, NIST recently released a bulletin note, summarizing the observations and recommendations of 800-46.


What are the key points of NIST 800-46?

The framework sets out two expectations. Firstly, companies should assume the worst: that malicious cyber actors will try to gain access to remote systems and leverage telework devices to gain access to networks or sensitive data. Secondly, companies should assume that communications on external networks are susceptible to eavesdropping, interception, and modification.

So, what does 800-46 suggest should be done? It actually makes ten fairly detailed recommendations for companies, organizations and agencies to follow. However, the most recent bulletin note focuses on five issues:

  • Developing and enforcing a telework security policy.
  • Requiring multi-factor authentication for enterprise access.
  • Using validated encryption technologies to protect stored communications and data.
  • Ensuring that remote access servers are secured effectively and kept fully patched.
  • Securing all types of telework client devices against common threats.

Is my business obliged to adopt NIST 800-46?

Once again, NIST 800-46 is not legally binding. There is no obligation to adopt it. Nonetheless, there are plenty of good reasons why you should consider doing so. First and foremost, it improves your own security: if you aren’t sure where to start in assessing the cyber risk of remote working and adapting accordingly, then NIST 800-46 is a key tool. Secondly, with customer and investor confidence having taken a dip, businesses that are using the framework are more likely to win their trust.

If not now, when?

For many businesses, cyber security may have taken something of a back seat until now. However, working conditions are now unrecognizable from just a few short months ago and the business landscape is shifting. The time to consider, assess and act upon cyber risk is now. NIST 800-46 is a good starting point.
