On August 17, 2022, NIST hosted the first workshop in the effort to update the NIST Cybersecurity Framework (CSF) to version 2.0. Praetorian originally submitted comments in response to the CSF 2.0 Request for Information (RFI) in February 2022. The workshop gave NIST a forum to frame discussion around the key topics that emerged from the RFI responses. This article provides Praetorian's perspective on each of those topics: governance and measurement, profiles, international alignment, and supply chain.
For a full review of the update process and access to the workshop recording (release date TBD), see NIST's "NIST Cybersecurity Framework Update – Journey To CSF 2.0" page. The associated Slack workspace also contains a wealth of information and discussion on these topics that may be useful to the curious reader.
Consideration of governance, measurement and evaluation
Because the CSF is not a regulatory framework, many of its objectives can currently be treated as aspirational or optional. We want to emphasize that the CSF is neither a maturity model nor a standardized control framework. The CSF is descriptive, whereas control frameworks are prescriptive: the CSF provides a list of outcomes, and each organization must determine its own controls to achieve them.
NIST SP 800-53 and related documents provide control guidance that some companies choose to implement, but the key word is "choose." In most cases, companies define their own measurement criteria, which makes adherence to the NIST CSF quite subjective in practice. By contrast, other frameworks now provide clearer methods for measuring control implementation or maturity, such as the CIS Controls implementation groups or the CMMI maturity model. This distinction matters because measurement plays a crucial role in governance: it is what enables organizations to make data-driven decisions.
Ultimately, the CSF would better serve the industry by aligning itself more closely with risk management frameworks. It overlaps with existing, dedicated risk management frameworks such as FAIR, but not to an extent that materially helps in governing a cybersecurity program. It also needs a more direct link to the risk management actions organizations actually take and, potentially, more teeth to enforce implementation.
In the near term, NIST plans to update NIST SP 800-55, "Performance Measurement Guide for Information Security," to align with CSF 2.0, providing more useful measurement guidance for organizations that choose to use it. However, the workshop consensus was that the framework should retain its flexibility regardless of the measurement attributes that come with version 2.0. If the measurement discussion results in strict "requirements," fewer industries and organizations will be able to tailor the CSF to their needs, leading to lower adoption.
Implications for governance and measurement standardization
Two secondary discussions focused on the implications of standardizing controls and enforcing requirements. The first concerned the definition of overall control effectiveness, recognizing that measuring the effectiveness of the CSF as a whole and measuring the effectiveness of individual controls are two different perspectives. The two levels of measurement are nonetheless directly related: how the subcategories depend on one another affects overall effectiveness, as when a good asset management program (ID.AM-1/2) enables an effective vulnerability management program (PR.IP-12). Similarly, an effective incident response plan is impossible to implement if practitioners misunderstand their organization's mission.
The second topic centered on how cyber insurance providers could use a CSF rating or goal metric to set premiums, with premiums falling as the rating improves. This would help immensely in justifying the expense of developing and maintaining a cybersecurity program, and could help align businesses with the NIST CSF. It also reinforces the need for a specific maturity model or control measurement program to make this secondary application of the CSF possible.
Lessons learned from developing and using the profiles
In the context of the NIST CSF, profiles are intended to be representative implementations of the CSF for a particular industry or use case. A profile is meant to define which CSF subcategories *potentially* apply, which target states should be defined, and any considerations specific to the industry in question. Much of the workshop discussion focused on the need for more profiles and a better way to organize them.
Industry-specific profiles are available from disparate sources, including but not limited to NIST. However, we noted a recurring pain point: finding verified profiles remains difficult, and many (if not most) CSF practitioners were unsure where to access profile resources at all.
Therefore, for us, the most important recommendation from this panel was that NIST develop a standardized process for creating, submitting, verifying, approving, and publishing or hosting profiles. This would alleviate the current difficulty of finding reliable profiles and would also let practitioners contribute back to the community in a genuinely useful way.
International use and alignment
This panel provided some interesting insights into how governments and national entities use the CSF, and in particular into how the CSF's mappings to informative references remain US-centric. The panel's consensus was that the CSF could benefit from an expanded set of mappings that let international partners align it with international standards. This could also extend to various international privacy regulations. The biggest challenge, however, will be how the CSF can accommodate all of this while retaining its flexibility.
On a more academic note, we found the panel's side discussion of how the CSF is translated into other languages particularly interesting. Although Praetorian uses the NIST CSF in evaluations with international partners, we are not heavily involved in the international application of the CSF. The variety of interpretations of particular words is not something we encounter in our day-to-day application of the CSF, but it can have a significant impact on how international organizations implement goals and controls.
Supply Chain Cybersecurity Considerations
Practitioners involved in this discussion agreed almost unanimously that supply chain considerations should remain in version 2.0 of the CSF.
However, the various definitions of "supply chain" that have emerged reinforce the need to maintain flexibility in the new version. The CSF currently lumps together vendor supply chain, software supply chain, hardware supply chain, supply chain vendors and others. With the explosive growth of hardware devices in consumers' hands (IoT), software-driven processes (SaaS, open source libraries, etc.), and the number of organizations providing software directly to consumers (apps, websites, etc.), differentiating between them seems prudent. Because the approach to securing each may be very different, a generic "supply chain" category may limit rather than enhance the flexibility of the framework.
While most practitioners look at supply chain risk from the consumer's perspective, Praetorian and others believe the producer's perspective should also be considered. Organizations that produce software and hardware should be responsible for securing their own supply chain using principles such as provenance.
Next steps for the development of NIST CSF 2.0
This workshop was only a first step in the process of developing version 2.0 of the NIST CSF. If history is any indicator, the process will likely take close to a full year, so we don't expect to see the new version released (even just for comment) until mid-2023. That said, NIST's commitment to the evolution of the framework and its willingness to consider such a wide range of public input definitely bolster our confidence in the final result. Keep an eye on the NIST CSF 2.0 page linked at the top of this article if you want to be part of this process.
The post NIST CSF 2.0 Workshop Themes: Praetorian’s View appeared first on Praetorian.
This is a blog syndicated by Security Bloggers Network from Blog – Praetorian, written by emmaline. Read the original post at: https://www.praetorian.com/blog/nist-csf-2-0/