NIST Cybersecurity Framework 2.0: What’s New?
Cybersecurity Frameworks Series, part 3
With the NIST releasing CSF 2.0, the first update since its inception in 2014, the intentions were a) to expand the standard beyond the scope of critical infrastructure companies and b) to realign the standard to address key gaps in the control set. It has become obvious that the standard itself aged ungracefully due to the significant number of successful cyberattacks occurring over the past decade. This update introduces additional business scope and responsibility to manage and reduce risk in an organization more thoroughly. NIST has also expanded its core guidance and resources available to help companies achieve their goals associated with the actual standard with a focus on governance and supply chain oversight.
What are those big changes?
First, CSF has incorporated a new domain: governance. The new domain elevates governing and supporting tasks that were originally incorporated in the introduction and controls of the five original domains of the prior CSF. This expands risk management oversight and compliance management, enhances accountability of the CISO, improves alignment with business, elaborates on the definition of a breach, and clarifies requirements on reporting.
Second, there is a renewed focus on software and vendor security activities, “Supply Chain”, and self-contained technology (internet of things “IoT”). This focus existed in the prior versions but, over past decade, these elements have become key challenges to maintaining secure environments. There is intentional focus on tightening controls and insight into the complex activity of development, data protection, and integrated capabilities with third parties.
The third, and final, theme is renewed focus on defensive security technology management and operational procedures to improve vulnerability threat management, incident response, and recovery (not just detection). This incorporates enhanced technology, designs assessment, insight management, threat management, and ongoing breach mitigation assessments to verify defensibility in a programmatic way.
With these 2.0 enhancements, businesses will need to review and update their policies and procedures, align technical requirements to operating service capabilities, and review roles and responsibilities in-house and with external partners to adjust accountability and delivery quality. In many organizations, these enhancements may require both internal assistance and external partnerships throughout the business and technology teams.
And the specific changes?
A breakdown of some of the more tactical changes has been included below in a consolidated list of critical tasks:
Clarify and define cybersecurity to the business itself for stronger oversight, accountability, and reporting.
Gain clarity on lines of separation of duties (Operate, Risk/Govern, Audit) to improve confidence.
Define the requirement to report a significant breach within 4 days through proper channels.
Clearly define what is Risk, a Breach, and “Significant Breach” for the organization.
Emphasize defining the cybersecurity services model.
Leverage more proactive data protection tactics related to inventory, discovery and management of systems and data.
Expand the definition of dependency management to the organization by reviewing supply chain and risk analysis of what is being supplied to organization (Data, Management, Transformation, Software, etc.).
Expand threat intelligence, event detection and respond/recovery cybersecurity management and operating functions.
Better document and proactively manage technology resiliency and trust boundaries with vendors, risky employees, and systems.
Improve integration of systems and event data as part of the normal technology lifecycle.
Expand third party management into all aspects of business partnering.
Expand continuous monitoring with more self-assessment and management reporting.
So What: What do these new features mean to those aligned to prior versions?
This is an appreciable update that will require a brief gap analysis of how practices in cybersecurity, that may not have been documented or aligned within prior CSF version, can now align, in conjunction with understanding the Tiered maturity goals of those capabilities/services.
Most public reporting organizations we work or chat with have already worked hard at the larger lens of cybersecurity practices already, meaning they have already tackled a lot of the new requirements even though they are not in the CSF v1.1. Being in this stronger position already, make this a less taxing effort as most organizations have regulatory requirements, emerging technology frameworks or industry specific compliance requirement such as medical devices, energy sectors, credit cards, or external forces pushing the needs. So, there is a good chance most organizations align in the day to day, and this is a potentially a governance maturation and alignment exercise.
How about for those who have not used a cybersecurity standard in their organization. How long does it take, what are the key activities, what do you prioritize?
Like any business initiative you need to establish a goal of transformation of the business as this typically forces complex discussions. There will ultimately be a set of tasks to accomplish such a monumental undertaking. To step the basic strategy:
Understand and select a cybersecurity framework (CSF 2.0 in this scenario) target that fits your industry/regulatory requirements.
Assess your current state against the standard to determine what you may in place.
Create action plans to establish cybersecurity pillars for the organization, technology goals, people goals, and process goals.
Set organization roadmap with goals and objectives to accomplish the gaps.
Set risk terminology, maturity states for the roadmap and action plan.
Create or incorporate governance to a leadership team that will maintain sponsorship, organization resolve, measure, and report on progress, and enable teams to successful transform the environment.
Implement technology and security practices for management and reportability.
Iteratively improve the governing and operating environment.
Achieving this undertaking is not a small task and organizational leaders should anticipate 12 to 18 months of effort, with a few specific maturity goals that are beyond the 18 months.
What are the benefits of this new standard?
The biggest benefit is the continued expansion of what cybersecurity means. Education and awareness are the hardest aspects of cybersecurity. As a business owner, salesman, product manager, call rep, or accountant, this standard is talking at a more consumable level where everyone can add value. This demystification of cybersecurity with these newer standards continues to expose complicated topics in simpler terms.
As a regular technology user, manager, or leader, how do I support the cause without having a huge impact on my teams?
Maintain a commonsense user, data, and process management space. If you know what roles you have on the team, what data or applications are required, and which key business processes are being supported, you’ve answered the hardest part.
Maintain a touchpoint with your cybersecurity leaders (managers, directors, etc) and keep them updated on what your team or business process is doing and what changes may be coming up in the next 6-12 months.
Review how you and your team interfaces with cybersecurity in case there ever is a need to engage.
More specifically to a technology team, while you operate your own technology standards and practices, provide cybersecurity with access to data outputs, design and deploy technology, running guidelines, and ticketing and reporting systems. There will be scenarios where technologies overlap, intersect, and work in conjunction with each other.
Stay tuned for the next installment of the Security Frameworks Blog Series where we do a deep-dive into the new domain: govern.
Previous Blog:
Cybersecurity Frameworks Series part 2, Introduction to the NIST Cybersecurity Framework
Next Blog:
Cybersecurity Frameworks Series part 4, NIST 2.0: Govern