With recent updates to the NIST Cybersecurity Framework (CSF), now seems as good a time as any to revisit the framework, highlight some of the advantages of leveraging it, and discuss what these changes may mean going forward.
NIST Cybersecurity Framework Background
Before jumping into the updates, let’s cover some background. The NIST CSF was originally released on February 12, 2014. It was created in response to Executive Order 13636 (2013), and its original focus was improving critical infrastructure cybersecurity. Since then, it has become an invaluable tool for helping US and foreign private and public sector organizations manage and address cybersecurity risk.
One of the best features of the framework is that it is industry agnostic: while it maps easily to requirements for highly regulated industries (e.g. government, financial services, healthcare), it can also be implemented by any firm seeking a tangible way to measure its cybersecurity posture.
NIST Cybersecurity Framework Version 1.1
Published on April 16, 2018, NIST CSF Version 1.1 is the first revision to the framework since its release. In total, 10 Subcategories were added, bringing the count from 98 to 108.
From a high level, version 1.1 includes updates to:
- Authentication and Identity
- Self-assessing cybersecurity risk
- Managing cybersecurity within the supply chain
- Vulnerability disclosure
As part of the updates, NIST inserted a list of changes which can be found on page ii of the framework. I’ve highlighted some of the impact from these changes below:
- “Detail of major Changes. Clarified that terms like “compliance” can be confusing and mean something very different to various Framework stakeholders. Added clarity that the Framework has utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements. However, the variety of ways in which the Framework can be used by an organization means that phrases like “compliance with the Framework” can be confusing.”
Impact – While straightforward, this update goes a long way toward streamlining implementation of the CSF. The CSF can be leveraged as a structure for presenting compliance (or non-compliance) with an organization’s own cybersecurity requirements, which may in turn be informed by industry-specific regulatory requirements. The CSF’s primary purpose is not regulatory compliance (e.g. 23 NYCRR 500, NIST SP 800-53, the HIPAA Security Rule), and “compliance with the CSF” should not be interpreted as compliance with any specific regulatory mandate.
- “Added a new section on self-assessment. Added Section 4.0 Self-Assessing Cybersecurity Risk with the Framework to explain how the Framework can be used by organizations to understand and assess their cybersecurity risk, including the use of measurements.”
Impact – NuHarbor Security has always recommended self-assessment to address organizational risk and compliance. A common challenge that keeps many organizations from getting started with self-assessments is a lack of internal resources. Version 1.1 adds more explicit self-assessment guidance, which should enable even more organizations to begin leveraging the framework effectively.
- “Greatly expanded explanation of using Framework for Cyber Supply Chain Risk Management purposes. An expanded Section 3.3 Communicating Cybersecurity Requirements with Stakeholders helps users better understand Cyber Supply Chain Risk Management (SCRM), while a new Section 3.4 Buying Decisions highlights use of the Framework in understanding risk associated with commercial off-the-shelf products and services. Additional Cyber SCRM criteria were added to the Implementation Tiers. Finally, a Supply Chain Risk Management Category, including multiple Subcategories, has been added to the Framework Core.”
Impact – These enhancements all relate to the cyber supply chain, an area many firms take for granted by assuming their suppliers follow good security practice. While not a huge change, the new Supply Chain Risk Management Category (ID.SC) and the added Tier criteria give organizations a defined place in the Core to implement and assess controls for supply chain risk.
- “Refinements to better account for authentication, authorization, and identity proofing. The language of the Access Control Category has been refined to better account for authentication, authorization, and identity proofing. This included adding one Subcategory each for Authentication and Identity Proofing. Also, the Category has been renamed to Identity Management and Access Control (PR.AC) to better represent the scope of the Category and corresponding Subcategories.”
Impact – These changes are mostly form rather than substance, but they should make discussion of the Identity Management and Access Control (PR.AC) Category more straightforward now that authentication and identity proofing each have an explicit Subcategory.
- “Better explanation of the relationship between Implementation Tiers and Profiles. Added language to Section 3.2 Establishing or Improving a Cybersecurity Program on using Framework Tiers in Framework implementation. Added language to Framework Tiers to reflect integration of Framework considerations within organizational risk management programs. The Framework Tier concepts were also refined. Updated Figure 2.0 to include actions from the Framework Tiers.”
Impact – One of the most common sources of confusion with the framework is the distinction between Implementation Tiers and Profiles. A Tier (Partial, Risk Informed, Repeatable, or Adaptive) describes the degree of rigor and sophistication an organization applies to cybersecurity risk management: how far risk management is informed by business needs and integrated into organizational practice. Tiers set the tone for how cybersecurity risk will be managed within the organization. A Profile, in contrast, can be thought of as a scorecard: the state of the Functions, Categories, and Subcategories of the Framework Core, aligned to the business requirements, risk tolerance, and resources of the organization. A Current Profile can be assessed and then compared to a Target Profile to identify gaps and prioritize action plans to address them. These enhancements should make this delineation more intuitive.
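The Current-versus-Target Profile comparison described above is easy to lose in a spreadsheet once the full 108 Subcategories are in play. The following is an added example, not code from the original post or from NIST, that performs that gap analysis programmatically. The Subcategory identifiers are real CSF 1.1 IDs (ID.SC-1/2, PR.AC-6/7 and RS.AN-5 are among the Subcategories added in 1.1); the 0 to 4 maturity scale, the scores, and the business weights are constructed assumptions for illustration and are not a NIST scoring scheme.

```python
from dataclasses import dataclass

# Constructed sample data (assumption): a Current Profile and a Target Profile
# scored on an example 0-4 maturity scale. Subcategory IDs are real CSF 1.1
# identifiers; the scores themselves are made up for this illustration.
CURRENT_PROFILE = {
    "ID.AM-1": 3, "ID.SC-1": 1, "ID.SC-2": 0,
    "PR.AC-1": 3, "PR.AC-6": 1, "PR.AC-7": 2,
    "DE.CM-8": 2, "RS.AN-5": 0, "RC.RP-1": 2,
}
TARGET_PROFILE = {
    "ID.AM-1": 3, "ID.SC-1": 3, "ID.SC-2": 3,
    "PR.AC-1": 4, "PR.AC-6": 3, "PR.AC-7": 4,
    "DE.CM-8": 3, "RS.AN-5": 3, "RC.RP-1": 3,
}
# Business weighting (assumption, 1-3): how much a gap in this Subcategory
# matters to this organization; unlisted Subcategories default to 1.
WEIGHTS = {"PR.AC-7": 3, "RS.AN-5": 3, "ID.SC-1": 2, "PR.AC-6": 2}

# The two-letter prefix of a Subcategory ID names its Framework Function.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


@dataclass
class Gap:
    subcategory: str
    function: str
    current: int
    target: int
    gap: int        # target minus current, floored at zero
    priority: int   # gap multiplied by the business weight


def function_of(subcategory):
    """Map 'PR.AC-7' to 'Protect' using the ID prefix."""
    return FUNCTIONS[subcategory.split(".")[0]]


def gap_analysis(current, target, weights=None):
    """Return the Subcategories where the Current Profile falls short of the
    Target Profile, highest weighted priority first (ties broken by ID).
    A Subcategory that was never assessed is treated as score 0, and exceeding
    the target is not counted as a gap."""
    weights = weights or {}
    gaps = []
    for sub, tgt in target.items():
        cur = current.get(sub, 0)
        gap = max(tgt - cur, 0)
        if gap == 0:
            continue
        gaps.append(Gap(sub, function_of(sub), cur, tgt, gap,
                        gap * weights.get(sub, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def rollup_by_function(current, target):
    """Average gap per Function, the level at which a Profile is usually
    presented to leadership as a scorecard."""
    per_function = {}
    for sub, tgt in target.items():
        gap = max(tgt - current.get(sub, 0), 0)
        per_function.setdefault(function_of(sub), []).append(gap)
    return {fn: round(sum(g) / len(g), 2) for fn, g in per_function.items()}


def coverage(current, target):
    """Fraction of Target Profile Subcategories already met or exceeded."""
    met = sum(1 for sub, tgt in target.items() if current.get(sub, 0) >= tgt)
    return met / len(target)


if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, WEIGHTS):
        print(f"{g.subcategory:9} {g.function:8} {g.current}->{g.target} "
              f"gap={g.gap} priority={g.priority}")
    print(rollup_by_function(CURRENT_PROFILE, TARGET_PROFILE))
    print(f"coverage: {coverage(CURRENT_PROFILE, TARGET_PROFILE):.0%}")
```

With the sample data, the vulnerability disclosure Subcategory (RS.AN-5) and the authentication Subcategory (PR.AC-7) rise to the top of the action plan because they combine a large gap with a high business weight, which is the prioritization a Target Profile is meant to drive. Treating an unassessed Subcategory as 0 rather than skipping it is deliberate: a Subcategory nobody has looked at is a gap, not a pass.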
- “Consideration of Coordinated Vulnerability Disclosure. A Subcategory related to the vulnerability disclosure lifecycle was added.”
Impact – At face value this is another straightforward change, but what good is receiving vulnerability disclosures if no process is in place to triage and address them? While that may seem intuitive, the new Subcategory (RS.AN-5) gives organizations a concrete hook for ensuring enough resources are applied to receiving, analyzing, and responding to vulnerabilities reported from internal and external sources.
While the changes to the framework are not revolutionary, they continue to strengthen the NIST CSF as a leading framework for managing cybersecurity risk. Whether you are implementing the NIST CSF for the first time or adopted it years ago, there is no reason not to work from the latest version of the framework going forward.
Interested in a cybersecurity assessment? We offer customized assessment services against various frameworks. For information on our NIST Cybersecurity Framework assessment services, click here. For information on our NIST 800-53 assessment services, click here.
If you want to check out the source document, you can access the NIST Cybersecurity Framework Draft 1.1 here.