Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Training

3/26/2019
07:00 AM
Joe Stanganelli
Joe Stanganelli
Joe Stanganelli
50%
50%

5 Years of the NIST Cybersecurity Framework

With NIST celebrating the five-year anniversary of its widely adopted and recommended Cybersecurity Framework just last month, a look back over the years illustrates how far the Framework has come.

Last month, the NIST Cybersecurity Framework celebrated its five-year anniversary.

In February 2013, then-President Barack Obama ordered the National Institute of Science and Technology (NIST) to develop a voluntary framework for cybersecurity.

"The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk," dictates the pursuant executive order.

Twelve months later, NIST released the original version of the NIST Cybersecurity Framework, then titled "Framework for Improving Critical Infrastructure Security."

Beyond critical infrastructureIndeed, the executive order mandating the creation of the Framework specified that the Framework be developed "to reduce cyber risks to critical infrastructure" -- but the Framework has evolved substantially since then. It has been adopted far beyond the realm of critical infrastructure, across myriad industries -- particularly as cyber-insurance carriers have all but required clients to follow the Framework as a condition of coverage. The year after NIST released its Framework, Gartner reported that it was then already in use in more than 30% of US organizations.

"Since its initial release in February 2014, we've seen extensive use of the Framework by diverse companies, sectors, governments, and other organizations," Kevin Stine, chief of the Applied Cybersecurity Division in NIST's Information Technology Lab, told Security Now. "Because the Framework offers a flexible approach that is anchored in the principle of risk management, it can be extended and interpreted to meet the business objectives of an organization -- whatever its priorities."

What's more, NIST has seen its Framework extend its guidance beyond US borders. The agency reports that several other sovereignties -- including Bermuda, Israel, Italy and Japan -- have adopted their own adaptations of the Framework.

Back in the US, the Framework, although voluntary, has taken the effect of "pseudo-law" in some cases. Federal regulatory agencies -- notably including the FTC as well as numerous bodies regulating the financial sector -- have held those it investigates to the Framework's standards when determining data-protection adequacy. Other agencies have made Framework compliance mandatory for their government contractors.

"For financial services companies, the NIST Framework seems to restate many best practices that financial services companies adhere to in their general risk management programs," Sean Mahoney, Northern Bank's General Counsel, told Security Now. "For companies in other industries, the framework is designed to address a cybersecurity program at various states of maturity."

Making security frameworks accessibleTo this end, the heart of the Framework relies on identifying, defining and tying international standards to each of five cyclical functions:

  • Identify [threats],
  • Protect [against threats],
  • Detect [intrusions/incidents],
  • Respond [to incidents], and
  • Recover [from incidents].

In this respect, the Framework is both an aggregator of several widely accepted best practices and a translator to allow for better, Framework-tied communication between the IT elite and lay decision-makers in the organization. To better aid in this, NIST has worked on making the Framework more accessible to organizations of all types and sizes through additional documentation, as well as direct engagement with the private sector and NGOs.

Small businesses, in particular, have drawn special attention because of their special needs. In November 2016, NIST released a guide for small businesses on using principles from the Framework to improve their cybersecurity. More recently, this very month, NIST announced that its "Small Business Cybersecurity Corner" had gone live online as an additional resource to organizations wading their way through cyber-risk management.

"NIST is committed to an open and transparent private-public partnership," said Stine. "NIST has continuously worked with all stakeholders to understand current and future challenges in the cybersecurity space through requests for information, workshops and other engagement methods."

Framework updatesAbout four months ago, for instance, NIST held a workshop on managing cybersecurity risk as, in Stine's words, "an opportunity for NIST to hear from industry [and] academia, as well as national and international collaborators, on current challenges and opportunities in the space." According to Stine, the discussion from this workshop will inform updates to further NIST guidance related to the Framework. And, to be clear, NIST and its spokespeople (including Stine in his recent comments to Security Now) have long made clear that the Framework represents "a living document" that must adjust to the ever-changing world of cyber threats and risk mitigations.

Even so, the Framework -- particularly with its first actual update (dubbed "version 1.1") last year -- seems to have withstood the test of time as a superior option even to many security frameworks developed in house. (See Digital Transformation With IoT: Assessing Risk Through Standards & Visibility.)

"This update included increased treatment of supply-chain risk management, authentication, coordinated vulnerability disclosure, and other concepts in the Framework Core," elaborated Stine. "Additionally, the Framework Implementation Tiers were enhanced to provide more guidance to organizations in the execution of a cybersecurity risk management program."

Related posts:

—Joe Stanganelli is managing director at research and consulting firm Blackwood King LC. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.

 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Average Cost of a Data Breach: $3.86 Million
Jai Vijayan, Contributing Writer,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-18112
PUBLISHED: 2020-08-05
Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3.
CVE-2020-15109
PUBLISHED: 2020-08-04
In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipm...
CVE-2020-16847
PUBLISHED: 2020-08-04
Extreme Analytics in Extreme Management Center before 8.5.0.169 allows unauthenticated reflected XSS via a parameter in a GET request, aka CFD-4887.
CVE-2020-15135
PUBLISHED: 2020-08-04
save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF...
CVE-2020-13522
PUBLISHED: 2020-08-04
An exploitable arbitrary file delete vulnerability exists in SoftPerfect RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can allow an unprivileged user to delete any file on the filesystem. An attacker can send a malicious IRP to trigger this vulnerability.