1. No. NIST SP 800-47 absolutely should not apply to APIs. APIs exist to avoid many of the thorny issues by actually laying fiber, setting up VPNs/VPCs etc.
Individuals reading this document should understand it was written in 2002. I haven't read it in its entirety in a few months (I will do so and come back here this weekend) but re-scanning it, it's mainly referring to physical network architecture and its software defined proxies.
APIs do not create system interconnectivity as described here. Each API request is just that - a request. As you said, intermittent is the key word here. API requests may be denied at any time for any reason (keys, throttling, etc). Under a system interconnectivity agreement, the expectation is that we set up policies and procedures beforehand and those interactions persist for a long time because we are now both trusted users on the same network or system. There might be authentication or authorization layers, but that's often it which is why you need the agreement beforehand. An API enforces that the resource I'm GETing or POSTing is in the right form. If I have a direct system connection, I could access a share drive and just dump a huge folder of all sorts of stuff.
They are two entirely different use cases that should be under two totally different models of guidance. We are just now starting a process for security guidance for federal APIs - whether or not that eventually turns into a NIST special publication, I can't say and don't know.
I know many of us would love to help the other agency stakeholders or CISOs understand and support this distinction. We need guidance around API security, but 800-47 is not the answer.
2. Probably
I'm certainly moving in this direction and I think there is broad support for it. Devil is in the details and all that, but this is my expectation for the future.
3. None that I know of...yet
Since agency-to-agency APIs are still rather rare, no one has created "prevention" policy yet. In my mind this would be wrapped up in the affirmative policy. "Do this...so you don't have to do this." If anyone can stop or slow down agency-to-agency system interconnectivity agreements, please do so. Please help get the message out that API requests are self-enforcing. Agencies don't need to sign an agreement, they need to publish the documentation and security standards of their APIs and make clear that requests that do not conform are rejected - full stop.
@Brian: I'm optimistic that air support on these issues is coming soon. But if you need more urgent help in engaging the other agencies you speak of, please reach out.