With NIST releasing CSF 2.0, the first update since the framework's inception in 2014, the intentions were a) to expand the standard beyond the scope of critical infrastructure companies and b) to realign the standard to address key gaps in the control set. The significant number of successful cyberattacks over the past decade made it obvious that the standard had aged ungracefully. This update introduces additional business scope and responsibility to manage and reduce risk in an organization more thoroughly. NIST has also expanded its core guidance and the resources available to help companies achieve the goals associated with the standard itself, with a focus on governance and supply chain oversight.
First, CSF has incorporated a new domain: governance. The new domain elevates governing and supporting tasks that were originally incorporated in the introduction and controls of the five original domains of the prior CSF. This expands risk management oversight and compliance management, enhances accountability of the CISO, improves alignment with business, elaborates on the definition of a breach, and clarifies requirements on reporting.
Second, there is a renewed focus on software and vendor security activities (“Supply Chain”) and self-contained technology (the internet of things, “IoT”). This focus existed in the prior versions, but over the past decade these elements have become key challenges to maintaining secure environments. There is an intentional focus on tightening controls and insight into the complex activity of development, data protection, and integrated capabilities with third parties.
The third, and final, theme is a renewed focus on defensive security technology management and operational procedures to improve vulnerability and threat management, incident response, and recovery (not just detection). This incorporates enhanced technology, design assessment, insight management, threat management, and ongoing breach mitigation assessments to verify defensibility in a programmatic way.
With these 2.0 enhancements, businesses will need to review and update their policies and procedures, align technical requirements to operating service capabilities, and review roles and responsibilities in-house and with external partners to adjust accountability and delivery quality. In many organizations, these enhancements may require both internal assistance and external partnerships throughout the business and technology teams.
A breakdown of some of the more tactical changes has been included below in a consolidated list of critical tasks:
This is an appreciable update that will require a brief gap analysis of how cybersecurity practices that may not have been documented or aligned under the prior CSF version can now align, in conjunction with understanding the Tiered maturity goals of those capabilities/services.
Most public reporting organizations we work or chat with have already worked hard at the larger lens of cybersecurity practices, meaning they have already tackled a lot of the new requirements even though those were not in CSF v1.1. Being in this stronger position already makes this a less taxing effort, as most organizations have regulatory requirements, emerging technology frameworks, or industry-specific compliance requirements such as medical devices, energy sectors, credit cards, or other external forces pushing the needs. So, there is a good chance most organizations already align in the day to day, and this is potentially a governance maturation and alignment exercise.
Like any business initiative, you need to establish a goal of transforming the business, as this typically forces complex discussions. There will ultimately be a set of tasks to accomplish such a monumental undertaking. The basic strategy, step by step:
Achieving this undertaking is not a small task and organizational leaders should anticipate 12 to 18 months of effort, with a few specific maturity goals that are beyond the 18 months.
The biggest benefit is the continued expansion of what cybersecurity means. Education and awareness are the hardest aspects of cybersecurity. Whether you are a business owner, salesperson, product manager, call rep, or accountant, this standard speaks at a more consumable level where everyone can add value. This demystification of cybersecurity through these newer standards continues to expose complicated topics in simpler terms.
Maintain a commonsense user, data, and process management space. If you know what roles you have on the team, what data or applications are required, and which key business processes are being supported, you’ve answered the hardest part.
Maintain a touchpoint with your cybersecurity leaders (managers, directors, etc.) and keep them updated on what your team or business process is doing and what changes may be coming up in the next 6-12 months.
Review how you and your team interface with cybersecurity in case there is ever a need to engage.
More specifically for a technology team: while you operate your own technology standards and practices, provide the cybersecurity team with access to data outputs, technology design and deployment details, operating guidelines, and ticketing and reporting systems. There will be scenarios where technologies overlap, intersect, and work in conjunction with each other.
Stay tuned for the next installment of the Security Frameworks Blog Series where we do a deep-dive into the new domain: govern.