NIST Updated Its Cybersecurity Framework. What Does That Mean for Agencies?

What’s New in NIST's Cyber Framework?

While the original framework does an “excellent” job of establishing what must be included in a security operations program, it required updates for clarity and modernization that are included in version 2.0, says Ken Dunham, cyberthreat director at Qualys’s Threat Research Unit.

“Based on how frameworks are designed and deployed, what is core to a SecOps program does not change quickly over time,” Dunham says. “But there is a need over a period of years to improve clarity, alignment and modernization.”

Version 2.0 represents an appropriate change management control to upgrade a stable and strong cybersecurity framework, he adds.

When policies better define or set clear thresholds for what passes a benchmark, there is a greater understanding of how to determine what security controls or criteria must be implemented to meet that baseline, says Alice Fakir, federal cybersecurity services partner at IBM.

“There’s a strong focus on timeliness and reporting as part of the framework update,” Fakir says. “This updated framework is calling for better awareness and improvement of security controls around supply chain and third-party risk, but adding that layer of communication is critical.”

Adding a Suite of Cyber Resources

NIST created a holistic approach in version 2.0 based on the principles of identify, protect, detect, respond and recover, says Jason Porter, CTO of Optiv + ClearShark.

“NIST provided this to demonstrate that the framework starts at your core and builds out from there,” Porter says.

For example, the Cybersecurity and Privacy Reference Tool features an interconnected repository of NIST guidance documents providing contextualization of these resources, including the framework, alongside other widely used references. The CPRT also facilitates communication of these concepts to both technical experts and executive leadership with the goal of fostering organizational coordination across all levels.

Quick-start guides are tailored to various user profiles including small businesses, enterprise risk managers and organizations aiming to enhance supply chain security.

DISCOVER: Agencies are considering fresh zero-trust security use cases.

The new CSF 2.0 Reference Tool is designed to streamline implementation by enabling users to browse, search and export data and details from the core guidance in both human-readable and machine-readable formats, Fakir says. The tool also includes a searchable catalog of references, enabling cross-referencing of current actions with the framework’s guidance and more than 50 other cybersecurity documents, including NIST’s Special Publication 800-53 Revision 5.

Version 2.0’s creation of more than a dozen community profiles is designed to give organizations within the same sector shared goals and outcomes as they face similar challenges, says Steve Vetter, senior global government strategist for Cisco.

“This has started a conversation, a sharing of data and a sharing of thoughts, ideas and approaches that are so critical overall,” Vetter says. “These profiles are now packaged in a way that that makes it much easier to determine your current state and where you want to get to. That is going to be very helpful.”

Emphasizing Cyber Governance to Improve Strategic Planning

The framework puts a strong emphasis on governance through a function called Govern, highlighting cybersecurity as a significant enterprise risk that senior leaders should consider alongside finances and reputation when making and implementing strategic decisions.

“This puts a direct emphasis on the integration of cybersecurity into overall organizational governance,” Porter says. “It provides a roadmap for strategic planning through to developing a security-minded culture that spans across your workforce.” 

The focus on governance is a critical difference in version 2.0, Vetter says.

“The criticality of government leadership to drive the investment so necessary for success is absolutely essential,” Vetter says. “It’s a cross-cutting feature that now works on all of the functions. It’s not just in a couple of them; it’s in all of them.”

LEARN MORE: Agencies can take these four steps to secure systems after the CISA breach.

This pervasiveness helps to determine what the priorities are and to understand risk tolerances, decisions that are made at the leadership level, he adds.

“You can’t decide at a junior level what the risk tolerances are of agency X, Y, Z; you need leadership engaged,” Vetter says. “You need ways to accurately assess what the cyber risks are, what the impacts are. If that risk is then actuated, what needs to be done to establish enterprise policies across the environment?”

The appendix of CSF Core provides a breakdown of each principle and lays out the governance structure with reference to version 2.0 for implementation examples and recommendations.

“These resources provide an easy mapping of how organizations can implement tools, processes and governance to achieve their security goals,” Porter says.

Increasing Supply Chain Dependencies Require Greater Security

The supply chain and increased dependency on third parties in shared computing models is a growing risk, as evidenced in thousands of breaches to date.

CSF 2.0 relies on cybersecurity supply chain risk management to add controls addressing these concerns. C-SCRM is a systematic process for managing exposure via the supply chain, understanding organizational context, assigning roles and responsibilities, risk management, continuous monitoring, and incident response. 

The enhanced focus on the supply chain is significant, as data has become a critical asset in today’s technology market, Porter says.

“In accounting for the impact of what technology does for government and industry in managing information, data is the commodity that needs the most protection,” Porter says. “Without the data, applications don’t run, people can’t make decisions, information doesn’t flow and essentially our economies of government and industry stop moving.”

Understanding the supply chain of each and providing traceability of what, when and where IT assets have been built, touched, traveled or used is critical, he adds.

RELATED: Agencies are adapting their data security plans as volume grows.

“NIST is providing key elements of how supply chain security should be enacted and what the triggers are to identify risk in the supply chain of technology,” Porter says.

The framework is asking for very specific supply chain activities, such as standing up supply chain risk programs and having a comprehensive, integrated risk management program. Additionally, the guidance includes new steps for making sure that agencies are effectively communicating information about those programs and managing profiles of the actual supply chain risk controls.

“It’s providing a broader set of activities that are required so that you can manage your third-party engagement, whereas before it was a very myopic view of managing security of an application that sits within a specific environment,” Fakir says.

The previous guidance was not so concerned with collateral risk or the impacts to integrated systems, which could enhance vulnerabilities simply by being connected via an application programming interface.

“What’s so significant about this new update to the risk management framework is a bigger focus on third-party risk management and supply chain risk management,” Fakir says.

MORE FROM FEDTECH: Why content disarm and reconstruction secures cloud migrations.