The Cybersecurity Framework (CSF) from the National Institute of Standards and Technology (NIST) is undergoing a significant update. First released in 2014, the NIST CSF has become one of the most widely used cybersecurity frameworks, helping organizations understand and control cybersecurity vulnerabilities. NIST has modernized the framework with its release of CSF 2.0 to align it with current trends and practices in cybersecurity.
Govern Pillar Update:
NIST CSF is known for the main five pillars of: Identify, Protect, Detect, Respond, and Recover. As a part of its 2.0 update, NIST is contemplating the integration of a sixth pillar, Govern. NIST’s intention behind introducing the Govern function is to highlight the importance of “organization’s cybersecurity risk management strategy, expectations, and policy”. [1]
Initial thoughts on the Govern Pillar:
The incorporation of the “Govern” function introduces a framework for structuring cybersecurity strategies that align directly with business objectives. By establishing well-defined goals, objectives, and policies that govern the entire cybersecurity program, the organization makes a deliberate effort to keep the program in harmony with its overarching business goals. This approach integrates the business dimension, enabling businesses to manage risks proficiently in order to protect their assets, maintain their reputation, and sustain operations, even amid constantly evolving threats.
Within the CSF, I believe that the inclusion of the Govern pillar entails aligning cybersecurity strategic plans with business objectives through the following means:
Increased Accountability. By assigning roles and responsibilities across different levels, it designates accountability for decision-making, risk assessment, and compliance with cybersecurity policies and regulations.
Compliance. There is an alignment with incorporating relevant standards, regulations, and best practices to demonstrate compliance with legal and regulatory requirements. This allows organizations to maintain a consistent level of cybersecurity across the industry.
Incident Response. Enhancement of crisis management ensures that the organization has a well-defined plan to minimize the impact of incidents and recover quickly.
Improvement. Govern embraces a culture of continuous improvement, with regular assessments, audits, and reviews to identify areas for enhancement and adjustment.
Risk Management. Organizations identify, assess, and prioritize cybersecurity risks based on their potential impact and likelihood, and then implement appropriate mitigation strategies.
Policy Incorporation. With defined policies, procedures, and controls, organizations can address specific risks in a manner consistent with industry best practices and regulatory requirements.
Resource allocation. Maintaining an organization that has the necessary tools and personnel to effectively manage cybersecurity risks.
Increased Communication. Embeds communication between technical and non-technical stakeholders to ensure cybersecurity matters are effectively communicated; relevant metrics and reports are therefore provided to enable informed decision-making.
Overall Thoughts on the 2.0 Update
The significance of updating the NIST CSF is rooted in its capacity to reflect the latest advancements in cybersecurity knowledge and practices. The CSF 2.0 update ensures that the framework remains an effective and relevant tool, providing organizations with current insights and strategies to safeguard against emerging threats, thus promoting heightened resilience and proactive cybersecurity measures.
There is an enhanced focus on supply chain risk, which is rooted in the critical role that supply chains play in today’s interconnected business environment. Addressing supply chain risk within the framework recognizes the vulnerabilities and threats that can emerge from third-party vendors and partners, and addressing them enhances organizational cybersecurity.
While the NIST CSF doesn’t have a direct focus on global political conflicts, its underlying principles and best practices play a substantial role in the overall cybersecurity readiness of both organizations and nations. The CSF’s importance lies in its emphasis on improving cybersecurity practices and resilience across sectors, spanning critical infrastructure, government entities, and private enterprises. This, in turn, enhances their ability to mitigate risks and respond effectively to cyber threats that might arise during times of international tension.
NIST encourages feedback on the new CSF. Below are the suggestions I submitted:
Section | Location | Suggestion
Govern | GV.OC-02: Internal and external stakeholders are determined, and their needs and expectations regarding cybersecurity risk management are understood | Wording changes to add clarity in identifying and defining stakeholders and expectations. Proposed change: Internal and external stakeholders are identified, and their needs and expectations regarding cybersecurity risk management are defined.
Govern | GV.RM: The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions (formerly ID.RM) | Assumptions should not be defined; rather, expectations should be. Proposed change: The organization’s priorities, constraints, risk tolerance and appetite statements, and expectations are established, communicated, and used to support operational risk decisions.
Govern | GV.RM-07: Strategic opportunities (i.e., positive risks) are identified and included in organizational cybersecurity risk discussions | The term “positive risks” does not need to be defined; it creates a detraction of importance from other strategic opportunities.
Govern | GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | “Due diligence” is vague; consider defining the expectations for this.
Govern | GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | Consider expanding plans to include all stages of the partnership, not just after events.
Govern | GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced (formerly ID.AM-06, ID.GV-02, DE.DP-01) | Should include roles and responsibilities being continuously reviewed against the organization’s focus.
Govern | GV.RR-03: Adequate resources are allocated commensurate with cybersecurity risk strategy, roles and responsibilities, and policies | Stating “adequate” resources is unnecessary when “adequate” is not defined.
Identify | ID.AM-01 / ID.AM-02 (ID.AM-01: Inventories of hardware managed by the organization are maintained; ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained) | Consider being inclusive of all assets managed outside the organization that impact the organization.
Identify | ID.AM-03: Representations of the organization’s authorized network communication and internal and external network data flows are maintained (formerly ID.AM-03, DE.AE-01) | The organization’s approved network communication should encompass both internal and external channels. Avoiding the separation of network data flows based on the type of communication is recommended.
Identify | ID.AM-04: Inventories of services provided by suppliers are maintained | Services and assets should both be included in inventories.
Identify | ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained | Does the inclusion of metadata include the logs designated to the data types?
Identify | ID.RA-01 / ID.RA-02 (ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded; ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources) | The categories should encompass the requirement not only to receive cyber threat intelligence but also to seamlessly integrate it into the organization’s risk management procedures. Additionally, the categories should outline actionable measures involving vulnerabilities in assets that need enhancement.
Identify | ID.RA-06: Risk responses are chosen from the available options, prioritized, planned, tracked, and communicated | Consider adding a section to address lessons learned from an incident to increase security.
Identify | ID.IM-04: Cybersecurity plans that affect operations are communicated, maintained, and improved (formerly PR.IP-09) | Expand to all cybersecurity plans, rather than only those that affect operations.
Protect | PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization (formerly PR.AC-01) | There should also be constant protection for identities and credentials of authorized users. Proposed change: Identities and credentials for authorized users, services, and hardware are managed and protected by the organization.
Protect | Awareness and Training (PR.AT): The organization’s personnel are provided cybersecurity awareness and training so they can perform their cybersecurity-related tasks | The organization’s personnel impacting cybersecurity should have defined roles and expectations in order to impose training.
Protect | PR.DS-01 / PR.DS-02 (PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected; PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected) | Consider moving PR.DS-10 under here for continuity, as they are all correlated.
Protect | PR.DS-09: Data is managed throughout its life cycle, including destruction | Singling out “destruction” is too descriptive and should be addressed in implementation examples. Destruction is included in the life cycle already.
Protect | PR.DS-11: Backups of data are created, protected, maintained, and tested | Backups of data should also be verified. Consider incorporating “verified” into a category.
Protect | PR.PS-04: Log records are generated and made available for continuous monitoring | Log records that are generated should be used not only for continuous monitoring, but also for proactive change to strengthen the framework.
Protect | PR.PS-05: Installation and execution of unauthorized software are prevented | For unauthorized software installation prevention: if software needs installation, it is verified and added to the authorized list.
Protect | PR.IR-01: Networks and environments are protected from unauthorized logical access and usage | Networks and environments should also be continuously protected from unauthorized logical access and usage.
Detect | DE.AE-02: Potentially adverse events are analyzed to better understand associated activities | “Adverse events” narrows down the type of events that should be reviewed, when all impacting events should be reviewed.
Detect | DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis | As cyber threat intelligence and other contextual information are integrated into the analysis, there should also be a proactive step included for cybersecurity protection.
Detect | DE.CM-01: Networks and network services are monitored to find potentially adverse events | Not only to locate adverse events in the detect stage, but any event that may threaten the security of a system.
Respond | RS.AN-08: The incident’s magnitude is estimated and validated | Incidents are not validated; rather, they are eradicated and addressed for impact.
Recover | RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration | The integrity of backups and other restoration assets should be verified before storage, too.
Reference:
[1] National Institute of Standards and Technology. (2023). NIST Cybersecurity Framework 2.0 Core Discussion Draft [Draft]. https://www.nist.gov/system/files/documents/2023/04/24/NIST%20Cybersecurity%20Framework%202.0%20Core%20Discussion%20Draft%204-2023%20final.pdf