NIST Releases New Cybersecurity Framework DraftUpdated version includes changes to some existing guidelines - and adds some new ones.
The National Institute of Standards and Technology (NIST) has released the second draft of a proposed update to the national Cybersecurity Framework of 2014.
The draft document contains important changes to some existing guidelines, especially around self-assessment of cybersecurity risk, and introduces some new ones pertaining to authorization, authentication, identity proofing, and vulnerability disclosure.
NIST also released a proposed update to its Roadmap for Improving Critical Infrastructure Security that describes planned future activities and topics to focus on for upcoming versions of the framework.
The changes and refinements reflect feedback and comments from public and private sector stakeholders to an earlier draft update to the Cybersecurity Framework that NIST released in January 2017. NIST will make draft 2 of the Framework open for public comment through close of day January 19, 2018 and will likely go live with the changes shortly after.
"NIST is hoping Framework version 1.1 will lead to a greater consideration of supply chain risk management [SCRM], cybersecurity within SCRM, and application of [the] Framework for that cybersecurity," says Matt Barrett, NIST’s lead on the framework.
The hope also is that the new self-assessment section and related topics in the Roadmap such as Governance and Enterprise Risk Management will prepare stakeholders for a discussion on how to better align cybersecurity measures to support business outcomes and decisions, he says.
NIST developed the Framework as required by the Cybersecurity Enhancement Act of 2014. It is designed to provide a formal framework for managing cyber risk in critical infrastructure organizations. The goal is to provide organizations in critical infrastructure with guidance on the processes, practices, and controls they can use to manage cyber risk in line with their business imperatives.
The Cybersecurity Framework establishes a common language for security models, practices, and controls across industries. At a high-level, the framework provides guidance on how organizations can identify, protect, detect, respond to, and recover from, cyber threats. It offers a tiered set of implementation practices that organizations can choose from to deploy and manage these capabilities. The methods, processes, and controls in the framework are based on globally accepted best practices and standards.
Mandatory for the Feds
Until recently, adherence to the Framework was purely voluntary for everyone. But the Trump Administration's Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure in May has now made it mandatory for federal agencies, Barrett says. The order required agency heads to provide a risk management report to the White House Office of Management and Budget describing their plans to implement the Framework, he says. Originally designed for use by operators and owners of critical infrastructure, the Framework has become a de facto standard for developing and implementing cyber-risk management practices at organizations across all sectors.
The new version clarifies some of the language around cybersecurity measurement and provides more guidance on managing cybersecurity within the supply chain — an issue that has become critical in recent years. It also explains how the framework can be used to mitigate risk in the Internet of Things (IoT), operational technology and cyber-physical systems environments. In addition, NIST's updated Cybersecurity Framework makes some refinements to the identity and access management control category to accommodate changing requirements around authentication, authorization, and identity vetting.
"The NIST updates are meant to be a dynamic, working document," says Edgard Capdevielle, CEO of Nozomi Networks. "[They] cover a lengthy list of topics from confidence mechanisms, cyberattack lifecycles, beefing up the cybersecurity workforce, to reviewing supply chain risk management along with governance and enterprise risk management."
While critical infrastructures cannot adapt to all prescriptive guidance overnight, the framework serves as a good roadmap to start implementation of best practices, collaboration, and new security technologies, he says.
"With Draft 2 of Version 1.1, I expect critical infrastructure operators and federal agencies to focus more closely on supply chain, especially as weak links there have contributed to several well-known data breaches," says Robert Vescio, managing director at Secure Systems Innovation Corporation (SSIC). "To reduce the impact of cyber incidents, it is crucial that each and every organization understands its role within the larger ecosystem, and actively contributes to proactively address emerging threats."
Vescio believes that while most organizations can benefit from the framework, adoption should remain voluntary. A forced adoption would destroy the concept of each organization tailoring security strategies to their risk appetite and lead to spending on irrelevant controls, he says.
"NIST CSF should be important to everyone," he says. "Implemented correctly, [it] can help organizations evolve, while maintaining or working toward a pre-selected risk posture."
Q&A: Matt Barrett, NIST's Lead on the CyberSecurity Framework
(Excerpts from a Dark Reading email interview with Matt Barrett)
Q. What are the most significant changes in this draft?
Firstly, Section 4.0, previously entitled Measuring and Demonstrating Cybersecurity, has been reframed as Self-Assessing Cybersecurity Risk with the Framework to better emphasize how organizations might use the Framework to measure their risk. In acknowledgement of the wide variety of stakeholder perspectives on cybersecurity measurement and the need for a stakeholder dialog on the topic, the section was summarized and refined and NIST officially acknowledged Measuring Cybersecurity as an item on the Roadmap to Improving Critical Infrastructure Cybersecurity.
NIST clarified the use of the Framework to manage cybersecurity within supply chains by refining Section 3.3 Communicating Cybersecurity Requirements with Stakeholders. This included a simpler description of the parties involved in an organizations supply chain. We also further integrated cyber supply chain risk management language into the Implementation Tiers. This will better enable organizations to determine their current status and desired state with regard to cyber supply chain risk management practices.
We added a few Subcategories to account for authentication and coordinated vulnerability disclosure.
Q. Are federal agencies/critical infrastructure operators required to adopt the framework?
Yes. On May 11, 2017, the President issued Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Among other things, the order states that “each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order” and “describe the agency's action plan to implement the Framework.”
NIST issued draft report NIST Interagency Report (IR) 8170 to support agency heads and senior cybersecurity leadership in Framework implementation planning. The draft summarizes eight private sector uses of the Framework, which may be applicable for federal agencies. By leveraging NISTIR 8170, agencies can better understand how to implement the Framework in conjunction with other NIST cybersecurity risk management standards and guidelines.
Q. Going forward, do you expect agencies/CI operators to be assessed against their adherence or failure to adhere to the framework?
With increasing use of Framework, this topic increasingly comes up. Whether it will or won’t, NIST doesn’t have charter to control such things, nor latitude to comment. However, I will offer this up.
Given the increasing dependence of organizations on technology, digital trust is an increasingly important topic. In other words, not only does an organization need to manage their cybersecurity risk, but they also need to communicate it in various forms to suppliers, partners, customers, auditors, and regulators. Framework provides a basis for a standardized communication – increasing and organizations efficiency and reducing the chances of miscommunication – and it also provides the high-level methods of determining cybersecurity state, deciding desired state, and planning the improvements necessary to achieve the desired state.
Organizations may elect to use Framework to self-assess cybersecurity risk and communicate judiciously with others. They may also enlist external parties to assess cybersecurity risk. For this reason, NIST continues to encourage and support private sector in evaluating and implementing Framework confidence mechanisms.
Q. How should organizations use the framework?
There are many ways to use Framework and all the varied uses have a value.Out-of-the-box and without alteration, Framework offers a common and accessible vocabulary for cybersecurity risk management. In its simplest form, that vocabulary is Identity, Protect, Detect, Respond, and Recover. This allows people who are not cybersecurity experts to participate in the cybersecurity dialog.
The Framework is also meant to be customized for a given sector, subsector, or organization. That customization ultimately means some form of prioritization.
Framework has some native methods of customizing and prioritizing. For instance, Framework Profiles help an organization determine and communicate the outcomes that are most important for a given set of circumstances, whether those circumstances are derived from the technical environment, cybersecurity requirements such as law and regulation, or desired organizational objectives. Similarly, the Implementation Tiers of Framework help and organization decide how they would like to manage cybersecurity risk for a given part of the organization.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio