But Ron Ross, a senior computer scientist and information security researcher at NIST, said CSI's critiques seem to be based on a misunderstanding of the NIST guidelines. First of all, the NIST guidelines are minimum standards, and individual agencies must do risk assessment and tailor the guidelines to their needs, he said.

Federal agencies are required to categorize their own systems, and high-impact systems would be those that have a "severe, catastrophic effect" if they are lost, Ross said. "Those baselines [in the NIST recommendations] are minimum starting points for agencies," he said. "The implication should not be there that that's a sufficient set of controls against some of the types of attacks that we're seeing."

Some agencies being targeted by U.S. adversaries will have to take additional steps to protect their computer systems, Ross said.

There is some risk that agencies work only to the minimum, Ross said. But he called the new NIST guidelines "the broadest, the richest, and the deepest set of controls ... anywhere in the world." The U.S. Department of Defense and intelligence agencies worked with NIST on this set of guidelines, he said.

If NIST were to follow CSI's recommendations, every security control in the guidelines would be recommended for every federal information system, Ross said. "Clearly, that'd be extremely expensive, and it'd be overkill for many of the systems that we do have," he said. "Every control you put into a system ... is going to cost the agency money."