NIST Publishes Cybersecurity Framework 2.0 Draft

341
Credits: CyberSecurityShip

NIST releases Cybersecurity Framework 2.0 draft, highlights a CSO news source.

Corporate governance

NIST seeks comments ahead of the 2024 release of CSF 2.0, which aims to appeal to a broader range of organizations while elevating the importance of corporate governance and more fully addressing supply chain security.

On February 12, 2014, the US National Institute of Standards and Technology (NIST) issued a landmark document, the Framework for Improving Critical Infrastructure Cybersecurity (CSF). Four years later, NIST issued the CSF 1.1, which included updates on supply chain risk management, vulnerability disclosure, and other rapidly developing issues.

Now, NIST is preparing to release another overhaul of the CSF following the early August release of a draft 2.0 version, developed after NIST issued a request for information (RFI), held two workshops, and requested comments on a core draft.

What is the Framework for Improving Critical Infrastructure Security?

Following an executive order (EO) by President Obama, NIST developed the CSF to provide a common language and structure to help organizations systematically better manage and communicate how they tackle cybersecurity risk management. The CSF has been adopted worldwide by private and public sector organizations. Many US government civilian and military procurement and guidance documents have incorporated the CSF to manage risk, including federal government agency contractor and subcontractor requirements for protecting unclassified information and the implementation guidance for President Biden’s National Cybersecurity Strategy.

NIST has designed the 2.0 draft to expand the use of the CSF, more fully embrace supply chain risk management, update other frameworks and resources, supply implementation guidance, address cybersecurity measurement and assessment, while adding an entirely new function. The following sections highlights some of these proposed changes to the CSF.

Broader use of the framework

President Obama’s initial EO focused on critical infrastructure, given the emerging significant cybersecurity threats to the nation’s energy and transportation systems and other critical assets without which essential activities could not function. To convey a broader focus more strongly in the US and internationally, NIST is changing the CSF name to its commonly used term, “Cybersecurity Framework,” removing the emphasis on critical infrastructure. The original framework” has proved useful everywhere from schools and small businesses to local and foreign governments,” NIST said in announcing the 2.0 version. “We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical.”

The new Govern function crosscuts everything

The current NIST CSF “core” consists of five functions: Identify, Protect, Detect, Respond, and Recover. Around those are clustered 23 categories and 108 subcategories of desired cybersecurity outcomes, and hundreds of informative references, mostly other frameworks, and industry standards.

In its 2.0 draft, NIST has added a sixth function, Govern, which covers how organizations make and execute decisions around cybersecurity. This new function crosscuts all the five other functions, emphasizing the people, processes, and technology needed to adequately govern cybersecurity functions within organizations.

In announcing the framework, NIST explains the Govern function “covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial, and other risks as considerations for senior leadership.” The draft also offers guidance integrating the Framework with the NIST Privacy Framework and enterprise risk management, as discussed in NIST IR 8286.

Emphasis on supply chain risk management

Under the Govern function, the CSF 2.0 offers a new category highlighting the importance of supply chain risk management, noting that a desired outcome is for organizations to identify, establish, manage, and monitor cyber supply chain risk management processes. NIST breaks these actions into ten subcategories of supply chain risk management efforts.

The categories and subcategories within the other functions also “provide a source for the organization to consider as a basis for supplier cybersecurity requirements, both for direct suppliers and as flow-down requirements for lower-tier suppliers,” the CSF 2.0 states.

The draft further encourages organizations to use the Framework Profiles that are part of the CSF “to delineate cybersecurity standards and practices to incorporate into contracts with suppliers and provide a common language to communicate those requirements to suppliers.” NIST notes that suppliers can also use profiles to express their cybersecurity posture and related standards and practices involving supply chain risks.

Finally, the 2.0 draft points to the Target Profiles, also part of the CSF, to address supply chain risk management, saying they “can be used to inform decisions about buying products and services based on requirements to address gaps.”

Although the current 2.0 draft doesn’t contain these examples, NIST has issued for public comment under separate cover examples of the types of guidance the final version might include. It encourages interested parties to provide input by Friday, November 4, 2023, on whether these examples are appropriately specific, what other types of models might be useful, how often NIST should update them, and what other sources of implementation guidance might be sources for the examples.

Taking a stab at measuring cybersecurity performance

One frequent complaint about the current CSF is that it lacks clear guidance on measuring cybersecurity performance following the framework’s adoption, making it harder to gauge the success or failure of implementing the many practices and techniques needed to achieve the desired outcomes.

Although not extending this kind of guidance, the 2.0 draft does discuss metrics and encourages organizations “to innovate and customize how they incorporate measurement into their application of the framework.” It also suggests that organizations play around with how they might measure performance. “The framework offers an opportunity to explore or adjust methodologies for measurement and assessment,” the draft states.

In addition, the 2.0 draft introduces a new category under the Identify function that contemplates how organizations will identify improvements to organizational cybersecurity risk management processes, procedures, and activities as a means of measuring performance.

Updated cybersecurity references and resources

The 2.0 draft updates the resources and informative references used in the previous CSF versions, including:

  • The NIST Privacy Framework
  • The NICE Workforce Framework for Cybersecurity (SP 800-181)
  • The Secure Software Development Framework (SP 800-218)
  • Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161r1)
  • The Performance Measurement Guide for Information Security (SP 800-55)
  • Integrating Cybersecurity and Enterprise Risk Management (NIST IR 8286) series
  • The Artificial Intelligence Risk Management Framework (AI 100-1)

NIST plans to post an online tool with human- and machine-readable formats to allow organizations to see the relationships online between the CSF core and updatable resources.

Timeline for CSF 2.0 completion

On September 19 and 20, NIST plans to host its third and final workshop ahead of a planned early 2024 release of the final CSF 2.0. NIST stresses that it does not intend to release another draft of CSF 2.0 for comment. Feedback on the 2.0 draft and related implementation examples are due November 4.

Did you subscribe to our daily newsletter?

It’s Free! Click here to Subscribe!

Source: CSOOnline