The National Institute of Standards and Technology (NIST) released a new draft of its cybersecurity framework on Aug 8, providing updated guidance for industries, government agencies and other organizations on reducing cybersecurity risks.
The new Cybersecurity Framework (CSF) offers high-level cybersecurity outcomes that can be used by any organization to better understand, assess, prioritize and communicate its cybersecurity efforts.
The most significant change to the framework is the inclusion of a new category called “governance.” In the draft framework, the governance function is visualized as spanning all of the other categories: it is placed in a ring inside the previous five categories of Identify, Protect, Detect, Respond and Recover.
The concept of governance is not new to the framework, but it was not previously called out explicitly as a primary category. Including governance as a separate function brings NIST CSF 2.0 into alignment with other standards, such as those from the International Organization for Standardization and the Center for Internet Security. Because governance concepts previously lived within the other five categories, many of the subcategories associated with governance were reallocated to the newly formed governance category.
Using the Framework
CSF 2.0 guidance also addresses a significant source of industry confusion about how the framework should be used. The previous incarnation of the CSF was often treated as something an organization should do, rather than a tool for expressing the outcomes, maturity, interplay and strengths of the cybersecurity practices or controls an organization employs. The guidance accompanying CSF 2.0 makes clear that the informative reference section of the CSF contains the practices an organization needs to execute upon, which can then be expressed in the terms of the CSF. In effect, the CSF serves as a universal translator to allow organizations to understand the security posture of themselves and members of their supply chain.
NIST intends for the actual cybersecurity practices or controls to be dynamic and frequently updated. Accordingly, the informative reference section will be available from a database accessible through the NIST website, which will presumably allow additional standards and approaches to be used for the risks associated with specific industry verticals. In CSF 2.0, these different verticals are described as “profiles.” According to NIST, organizations can define a profile either as aspirational (a “Target Profile”) or to describe the “Current Profile” of an organization, or even to describe a regulation. This database is not yet available for review, but the potential is exciting.
Hopefully, the use of profiles is widely adopted because it could be a useful tool for vendor assessments, insurance procurement and regulatory requirements, and allow for the description of an outcome rather than prescribing a particular cybersecurity practice which could become obsolete long before the regulation or contract is updated.
Other Highlights of Cybersecurity Framework 2.0
In addition to describing the importance of the informative reference section of the CSF, version 2.0 also has the following highlights:
Examples of implementation: According to NIST, these examples “provide notional examples of concise, action-oriented steps to help achieve the outcomes of the Subcategories in addition to the guidance provided by Informative References. The examples are not a comprehensive list of all actions that could be taken by an organization to achieve an outcome, nor do they represent a baseline of required actions to address cybersecurity risk.” Like the informative references, these examples have also yet to be published.
Maturity levels: CSF 2.0 also allows organizations to describe the maturity of their program across four tiers. The lowest, “Partial,” describes an ad hoc approach; the highest, “Adaptive,” describes an agile, risk-informed and continually improving approach to the subcategory being addressed. NIST envisions integrating these tiers into profile creation so that profiles for the highest-risk organizations are tiered towards level 4, while lower-risk organizations could operate at a lower tier.
This approach is currently being considered by the New York State Department of Financial Services (DFS) in its proposed amendment to 23 NYCRR 500, which creates three categories of regulated entities based upon size and revenue. However, the DFS approach is perhaps more prescriptive about the actual technology and specific configurations than NIST seems to encourage with its outcome-oriented, risk-based approach. Companies regulated by the DFS should watch whether CSF 2.0 holds any sway over the next proposed draft of the DFS cybersecurity regulation, due in the next few months.
Supply chain controls: Revision 5 of the NIST 800-53 control set created a new family of controls around supply chain risk management. Not surprisingly, CSF 2.0 also adds a number of functions and subcategories focused on supply chain management; for example, ID.RA-01, PR.AA-03, PR.PS-04, DE.CM-09, RS.MA-01 and RC.RP-01, to name a few. These make clear that NIST sees the risk associated with the supply chain, and the amount of information managed by third parties, as spanning all of the NIST categories and functions.
Privacy Framework Integration: The final goal of CSF 2.0 is to integrate the recently created privacy framework with the CSF. The core privacy framework functions of Identify, Govern, Control and Communicate extend the strength of the program beyond the core of protections defined by the CSF. But there is overlap around the CSF functions of Protect, Detect, Respond and Recover. Thus, when both frameworks are used in combination, the risk management of an organization is greatly expanded.