Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

12/6/2017
06:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

NIST Releases New Cybersecurity Framework Draft

Updated version includes changes to some existing guidelines - and adds some new ones.

The National Institute of Standards and Technology (NIST) has released the second draft of a proposed update to the national Cybersecurity Framework of 2014.

The draft document contains important changes to some existing guidelines, especially around self-assessment of cybersecurity risk, and introduces some new ones pertaining to authorization, authentication, identity proofing, and vulnerability disclosure.  

NIST also released a proposed update to its Roadmap for Improving Critical Infrastructure Security that describes planned future activities and topics to focus on for upcoming versions of the framework.

The changes and refinements reflect feedback and comments from public and private sector stakeholders to an earlier draft update to the Cybersecurity Framework that NIST released in January 2017. NIST will make draft 2 of the Framework open for public comment through close of day January 19, 2018 and will likely go live with the changes shortly after.

"NIST is hoping Framework version 1.1 will lead to a greater consideration of supply chain risk management [SCRM], cybersecurity within SCRM, and application of [the] Framework for that cybersecurity," says Matt Barrett, NIST’s lead on the framework.

The hope also is that the new self-assessment section and related topics in the Roadmap such as Governance and Enterprise Risk Management will prepare stakeholders for a discussion on how to better align cybersecurity measures to support business outcomes and decisions, he says.

NIST developed the Framework as required by the Cybersecurity Enhancement Act of 2014. It is designed to provide a formal framework for managing cyber risk in critical infrastructure organizations. The goal is to provide organizations in critical infrastructure with guidance on the processes, practices, and controls they can use to manage cyber risk in line with their business imperatives.

The Cybersecurity Framework establishes a common language for security models, practices, and controls across industries. At a high-level, the framework provides guidance on how organizations can identify, protect, detect, respond to, and recover from, cyber threats. It offers a tiered set of implementation practices that organizations can choose from to deploy and manage these capabilities. The methods, processes, and controls in the framework are based on globally accepted best practices and standards.

Mandatory for the Feds 

Until recently, adherence to the Framework was purely voluntary for everyone. But the Trump Administration's Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure in May has now made it mandatory for federal agencies, Barrett says. The order required agency heads to provide a risk management report to the White House Office of Management and Budget describing their plans to implement the Framework, he says. Originally designed for use by operators and owners of critical infrastructure, the Framework has become a de facto standard for developing and implementing cyber-risk management practices at organizations across all sectors.

The new version clarifies some of the language around cybersecurity measurement and provides more guidance on managing cybersecurity within the supply chain — an issue that has become critical in recent years. It also explains how the framework can be used to mitigate risk in the Internet of Things (IoT), operational technology and cyber-physical systems environments. In addition, NIST's updated Cybersecurity Framework makes some refinements to the identity and access management control category to accommodate changing requirements around authentication, authorization, and identity vetting.

"The NIST updates are meant to be a dynamic, working document," says Edgard Capdevielle, CEO of Nozomi Networks. "[They] cover a lengthy list of topics from confidence mechanisms, cyberattack lifecycles, beefing up the cybersecurity workforce, to reviewing supply chain risk management along with governance and enterprise risk management."

While critical infrastructures cannot adapt to all prescriptive guidance overnight, the framework serves as a good roadmap to start implementation of best practices, collaboration, and new security technologies, he says. 

"With Draft 2 of Version 1.1, I expect critical infrastructure operators and federal agencies to focus more closely on supply chain, especially as weak links there have contributed to several well-known data breaches," says Robert Vescio, managing director at Secure Systems Innovation Corporation (SSIC). "To reduce the impact of cyber incidents, it is crucial that each and every organization understands its role within the larger ecosystem, and actively contributes to proactively address emerging threats."

Vescio believes that while most organizations can benefit from the framework, adoption should remain voluntary. A forced adoption would destroy the concept of each organization tailoring security strategies to their risk appetite and lead to spending on irrelevant controls, he says.

"NIST CSF should be important to everyone," he says.  "Implemented correctly, [it] can help organizations evolve, while maintaining or working toward a pre-selected risk posture."

 

Q&A: Matt Barrett, NIST's Lead on the CyberSecurity Framework

(Excerpts from a Dark Reading email interview with Matt Barrett)

Q. What are the most significant changes in this draft?

Firstly, Section 4.0, previously entitled Measuring and Demonstrating Cybersecurity, has been reframed as Self-Assessing Cybersecurity Risk with the Framework to better emphasize how organizations might use the Framework to measure their risk. In acknowledgement of the wide variety of stakeholder perspectives on cybersecurity measurement and the need for a stakeholder dialog on the topic, the section was summarized and refined and NIST officially acknowledged Measuring Cybersecurity as an item on the Roadmap to Improving Critical Infrastructure Cybersecurity.

NIST clarified the use of the Framework to manage cybersecurity within supply chains by refining Section 3.3 Communicating Cybersecurity Requirements with Stakeholders. This included a simpler description of the parties involved in an organizations supply chain. We also further integrated cyber supply chain risk management language into the Implementation Tiers. This will better enable organizations to determine their current status and desired state with regard to cyber supply chain risk management practices.

We added a few Subcategories to account for authentication and coordinated vulnerability disclosure.

Q. Are federal agencies/critical infrastructure operators required to adopt the framework?

Yes. On May 11, 2017, the President issued Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Among other things, the order states that “each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order” and “describe the agency's action plan to implement the Framework.”

NIST issued draft report NIST Interagency Report (IR) 8170 to support agency heads and senior cybersecurity leadership in Framework implementation planning. The draft summarizes eight private sector uses of the Framework, which may be applicable for federal agencies. By leveraging NISTIR 8170, agencies can better understand how to implement the Framework in conjunction with other NIST cybersecurity risk management standards and guidelines.

Q. Going forward, do you expect agencies/CI operators to be assessed against their adherence or failure to adhere to the framework?

With increasing use of Framework, this topic increasingly comes up. Whether it will or won’t, NIST doesn’t have charter to control such things, nor latitude to comment. However, I will offer this up.

Given the increasing dependence of organizations on technology, digital trust is an increasingly important topic. In other words, not only does an organization need to manage their cybersecurity risk, but they also need to communicate it in various forms to suppliers, partners, customers, auditors, and regulators. Framework provides a basis for a standardized communication – increasing and organizations efficiency and reducing the chances of miscommunication – and it also provides the high-level methods of determining cybersecurity state, deciding desired state, and planning the improvements necessary to achieve the desired state. 

Organizations may elect to use Framework to self-assess cybersecurity risk and communicate judiciously with others. They may also enlist external parties to assess cybersecurity risk. For this reason, NIST continues to encourage and support private sector in evaluating and implementing Framework confidence mechanisms.

Q. How should organizations use the framework?

There are many ways to use Framework and all the varied uses have a value.Out-of-the-box and without alteration, Framework offers a common and accessible vocabulary for cybersecurity risk management. In its simplest form, that vocabulary is Identity, Protect, Detect, Respond, and Recover. This allows people who are not cybersecurity experts to participate in the cybersecurity dialog. 

The Framework is also meant to be customized for a given sector, subsector, or organization.  That customization ultimately means some form of prioritization. 

Framework has some native methods of customizing and prioritizing. For instance, Framework Profiles help an organization determine and communicate the outcomes that are most important for a given set of circumstances, whether those circumstances are derived from the technical environment, cybersecurity requirements such as law and regulation, or desired organizational objectives. Similarly, the Implementation Tiers of Framework help and organization decide how they would like to manage cybersecurity risk for a given part of the organization. 

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
mikeroch
50%
50%
mikeroch,
User Rank: Apprentice
12/7/2017 | 2:02:36 AM
NIST for 192.168.l.l
Hello Vijayan sir, I have been long-term fan of the NIST and I always try to implement what they bring in my company. And again I welcome this new innovation from NIST. Thanks for the article and information on DR.
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14994
PUBLISHED: 2019-09-19
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before version 4.3.4, and version...
CVE-2019-15000
PUBLISHED: 2019-09-19
The commit diff rest endpoint in Bitbucket Server and Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6....
CVE-2019-15001
PUBLISHED: 2019-09-19
The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.1.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain rem...
CVE-2019-16398
PUBLISHED: 2019-09-19
On Keeper K5 20.1.0.25 and 20.1.0.63 devices, remote code execution can occur by inserting an SD card containing a file named zskj_script_run.sh that executes a reverse shell.
CVE-2019-11779
PUBLISHED: 2019-09-19
In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.