In place for almost a decade, the Cybersecurity Framework (CSF) from the US National Institute of Standards and Technology (NIST) has provided an important basis for securing critical infrastructure organizations.
The framework consists of standards, guidelines and best practices to manage cybersecurity risk across systems, data and assets. While it remains voluntary for private sector organizations, an Executive Order signed in May 2017 requires US government agencies to use the NIST CSF, or any successor document, when conducting risk assessments for agency systems.
The standards have proved highly impactful to date. “The CSF was an important document to help organizations, particularly those that are part of the critical infrastructure, organize and coordinate their security programs. The document was so useful that many organizations outside of CI adopted it as their core reference framework,” Diana Kelley, CISO at Protect AI, told Infosecurity.
The publication of a new draft version of the framework, CSF 2.0, in August 2023 has generated much discussion within the cybersecurity community. NIST is now inviting public comment on the draft until November 4, 2023, ahead of the official rollout.
What Are the Main Changes to the NIST Framework?
The introduction of a ‘Govern’ pillar is a significant new part of the framework. ‘Govern’ has been added to cover organizational context – in particular, roles, responsibilities and authorities across areas like risk management and the supply chain.
Kelley commented: “The previous CSF did a great job detailing what needs to be done, but didn’t address who should oversee those tasks and controls, or the policies and procedures governing those controls. The inclusion of the ‘Govern’ pillar as a new function is a very important addition and rounds out the previous core functions (Identify, Protect, Detect, Respond and Recover).”
Larry Whiteside Jr, CISO at RegScale and President of Cyversity, told Infosecurity that this pillar is the most significant change to the framework, with governance increasingly underpinning all aspects of cybersecurity.
“An organization can set all the policies it wants, but without a mandate and focus on governing those policies and the actions performed to enable and perform the functions that support the policies, none of it matters. Elevating governance to a CSF function will also promote alignment of cybersecurity activities with enterprise risks and legal requirements,” he explained.
Additionally, Kelley welcomed the cross-linking to other relevant NIST special publications, including the NIST Privacy Framework, the Secure Software Development Framework (SP 800-218), and NIST IR 8286.
“NIST has a rich set of resources which will be easier for people to find now that they are referenced in the CSF,” she outlined.
The CSF also offers extra guidance on implementation, via profiles covering specific sectors and use cases. This is something that Tom Brennan, Executive Director, CREST Americas Region, believes is much needed.
“Some businesses have pointed out that [NIST] lacks specific guidance on implementing controls and can be somewhat abstract,” noted Brennan.
Overall, the scope of the NIST framework has been expanded to include all sectors, beyond critical infrastructure.
Whiteside believes this is a natural progression for the guidance, which he said has already become a “normalized component” for many organizations.
“It enabled a number of CISOs I know to build a framework that they could model and measure. The reality is that its expansion outside of critical infrastructure happened well before this version,” he told Infosecurity.
Implementation Best Practices
For organizations that adopted the first version of the CSF, “implementing 2.0 shouldn’t be a big lift,” according to Kelley.
However, for smaller organizations at an earlier stage of their security program journey, she recommended carefully reading through the CSF 2.0 document alongside the intersecting reference documents.
“Since most organizations have multiple compliance pathways, including regulatory, certification, and sectoral, it’s advisable to map out a plan that cross-references controls, policies, and procedures across the compliance landscape to ensure that security measures are being captured and reported accurately without duplication of effort,” outlined Kelley.
Whiteside advised less mature organizations to “start small and focus on the basics.” In particular, he said they should begin by identifying all their assets, where their data is held and who has access to what.
“As you begin identifying those things, put protections in place and then the governance components to ensure the actions are being done properly,” he explained.
Brennan also cautioned that while the NIST Framework is comprehensive, organizations should be aware of its potential limitations, such as not covering emerging threats or rapidly evolving technologies adequately.
“To address these gaps, businesses using the framework should be cautious and consider supplementing it with more detailed guidelines tailored to their specific industry or technology landscape,” advised Brennan.
He added that organizations should consider using an evidence-based maturity model against which their CSF implementation can be scored.
“Commercially, I recommend the Center for Internet Security V8 controls, which are mapped to NIST CSF. It goes deeper and has more practical use,” commented Brennan.