Please provide a short (approximately 100 word) summary of the following web Content, written in the voice of the original author. If there is anything controversial please highlight the controversy. If there is something surprising, unique, or clever, please highlight that as well. Content: Title: NIST as a Cyber Threat Actor Site: circleid.com On 24 May, NIST published recommendations that are a key component of the U.S. cybersecurity ecosystem—known as vulnerability disclosure guidelines. NIST (National Institute of Standards and Technology) is an agency of the Department of Commerce whose mission includes “developing cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies and the broader public.” The NIST publication is SP 800-216 . Although directed at the U.S. Federal Government, the guidelines are applied to anyone having a touchpoint with a Federal government agency and are critically important for public cybersecurity. The broad sweep of the guidelines includes “receipt of information about potential security vulnerabilities in information systems owned or controlled by a government agency, as well as the dissemination of information about security vulnerability resolutions to government agencies and the public.” The recommendations also implement the Internet of Things Cybersecurity Improvement Act . Unfortunately, the NIST Guidelines state that they should be used “in conjunction with” two standards of a private Swiss-based standards organization known as ISO that lies behind a paywall that costs $150 for “personal copies” for five years. NIST also cites an additional seven ISO-published standards as relevant to implementing the guidelines. The total bundle comes to $1592—paid in Swiss Francs. Without rational explanation, the price per page of the downloaded files varies between 7.08 and 1.37 Swiss Francs. Somewhat incredulously, NIST also fronts as a sales mechanism by including the URL link for each standard directly to the ISO paywall sales server. (Amusingly, two of the referenced ISO publications are out of date.) Why NIST is behaving in this fashion and effectively impeding U.S. cybersecurity has no rational explanation. There are numerous other global private and intergovernmental bodies hosting cybersecurity standards activities and publishing the standards openly without paywalls that are far better venues. Indeed, eliminating paywalls is the prevailing practice because cybersecurity standards need to reach as many people as possible, are perfected through open collaboration, evolve rapidly, and often have associated code that is downloaded on demand. Few organizations producing cybersecurity standards maintain paywalls today because it also significantly impedes the development of the standards and meaningful transparency. Placing cybersecurity vulnerability disclosure guidelines behind a paywall that demands more than 1500 dollars to view makes utterly no sense. Furthermore, NIST’s behavior skirts the juridical and human rights norms in the U.S. that everyone should have effective public access to the law and that the work of public officials is not the proper subject of copyright. Those norms were underscored three years ago in a landmark decision of the U.S. Supreme Court in favor of Public.Resource.org . For years, NIST has been freely providing its own IPR and that of collaborating U.S. companies to ISO, to turn around and resell back to U.S. users for enormous fees to help support ISO’s expensive Geneva lifestyle and frequent quasi-holiday meetings at attractive locations around the world. Whenever NIST has been questioned or criticized for this rather outrageous behavior, the customary answer, which strains credulity, is that it is “the ISO business model,” and they cannot change it. The reality of that model is that ISO is in the publications business, rather than standards-making, and they are incented to get de facto provisioning monopolies from public governmental bodies like NIST to garner their unjust revenue. The conduct here begs for extensive scrutiny by responsible authorities, as well as industry and the public. It is a conduct clearly harmful to the interests of everyone except those availing themselves of paywall money generated by the free IPR provided by others and funded in part by U.S. taxpayers. The behavior here is sufficiently egregious to qualify NIST as a Cyber Threat Actor pursuing an Advanced Persistent Threat with its own OASIS STIX profile and captured in a CACAO Security Playbook . For notification and mitigation purposes, SP 800-216 could be reported into the National Vulnerability Database with a CVSS Critical level designation and get a CVE. Best of all, because there are no paywalls in OASIS, the expressions can be freely downloaded!