CSF 2.0 blueprint offered up for public review
ANALYSIS The US National Institute of Standards and Technology (NIST) is planning significant changes to its Cybersecurity Framework (CSF) – the first in five years, and the biggest reform yet.
First published in 2014 and updated to version 1.1 in 2018, the CSF provides a set of guidelines and best practices for managing cybersecurity risks. The framework is designed to be flexible and adaptable rather than prescriptive, and is widely used by organizations and government agencies, both within and outside the US, to create cybersecurity programs and measure their maturity.
Following a long consultation, NIST has published a concept paper (pdf) for CSF 2.0 and opened it up to further review. The resulting feedback will be used to develop a final draft of the revised framework, due out sometime this summer.
“We think that there's been enough changes in the cybersecurity landscape to warrant a significant update this time around,” says Cherilyn Pascoe, senior technology policy advisor at NIST and Cybersecurity Framework Program lead.
“There have been changes in cybersecurity standards, including those published by NIST but also elsewhere; there's been significant changes in the risk landscape and in technologies. And so even though the vast majority of our respondents said they still like the framework, there were a number of changes that folks are looking for, and so we thought it was time for us to do a refresh.”
One notable change is who the framework is aimed towards. Since the publication of CSF 1.1, the US Congress has explicitly directed NIST to consider the needs of small businesses and higher education institutions, beyond its original target demographic of critical national infrastructure organizations (in utilities, telecoms, transport, banking etc).
"The scope was originally for critical infrastructure, as defined under [a US President] Executive Order, but over time lots of organizations have started to use it," says Pascoe.
"We don't want organizations to have to make that determination about whether or not they're critical infrastructure, which is sometimes a legal issue that comes with additional burdens, and so we're proposing to broaden it to all organizations."
There are also plans to increase international collaboration, and encourage more countries to adopt the framework, either in full or in part.
Meanwhile, a new ‘Govern’ function will join the existing five precepts – Identify, Protect, Detect, Respond, and Recover – with the aim of positioning cybersecurity risk alongside other enterprise risks such as threats to financial stability.
The new function would include determination of the priorities and risk tolerances of the organization, its customers, and larger society; assessment of cybersecurity risks and impacts; the establishment of cybersecurity policies and procedures; and an evaluation of cybersecurity roles and responsibilities.
“There has been a lot of work to better understand how cybersecurity risk can be incorporated as part of other enterprise risks, so alongside financial risk; the importance of senior leadership being aware of cybersecurity risks and the policies and procedures that would need to be in place to address cybersecurity,” says Pascoe.
“I think there's become much more awareness that cybersecurity is not just a technical issue and that it's something that needs to be addressed by the upper levels of the organization,” she added.
This addition is largely a response to the growing use of the framework to structure discussions about cybersecurity risk between technologists and senior managers.
One issue highlighted during the request for information was the need to improve the alignment of the framework with other NIST and non-NIST security programmes, such as the Risk Management Framework and Workforce Framework for Cybersecurity.
Respondents also called for more practical guidance on applying the framework, leading to a new section focused on implementation examples. While the framework remains focused on high-level outcomes rather than specific processes, according to Pascoe, “these examples will help give a starting point for organizations to think about different ways that they can implement the higher level subcategory outcomes”.
For the first time, the new framework will have a significant focus on supply chain risk management, helping and encouraging organizations to address third-party risks of all kinds, from cloud computing to computers, software and networking equipment, along with the non-technology supply chain.
However, says Pascoe, there are mixed opinions about how to do this: in particular, whether cybersecurity supply chain management should be integrated into the framework's existing structures or split off as a separate function.
“Everyone thinks yes, this is a really important issue, but feedback was mixed, so we've said let's think some more about this and how to address it,” she says.
“It sometimes goes by sector, and is sometimes based off their existing regulatory requirements; so, for example, the financial sector is very regulated for cybersecurity and they have existing third party requirements that they're hoping to see within the framework, so they're probably the most vocal about wanting a significant expansion for third party [responsibilities].”
Measure for measure
CSF 2.0 is also set to include more guidance on measurement and assessment, with a common taxonomy and lexicon to communicate the outcome of an organization's measurement and assessment efforts, regardless of the underlying risk management process.
“NIST is a measurement science agency and so we're always striving to develop tools to measure things – but cybersecurity measurement is probably one of the hardest things that we've ever tackled,” says Pascoe.
“Organizations are asking the question: ‘Now that I've used the framework for a decade, how do I know that my cybersecurity posture is improving and the actions that I'm taking are beneficial to reduce the risk?’”
The plan is to provide additional guidance about how to assess levels of security maturity – some in CSF 2.0 itself, and some in separate guidance.
Privacy, zero trust conundrums
NIST decided not to merge its privacy framework with the CSF after consulting stakeholders, although Pascoe says that could be a move for a future CSF 3.0 given increasing “overlap between the two”.
Pascoe foresees disagreement, or at least significant further discussion, on topics such as the applicability within the framework of zero trust – a network security concept that urges organizations not to trust any device by default, regardless of whether it sits outside or inside an organization’s perimeter.
NIST’s view is that zero trust need not be incorporated into the framework, even though applying the architecture is a priority for the Biden administration.
Another area still very much up for discussion is NIST's proposal to keep the framework technology- and vendor-neutral, with some calling for it to address specific topics, technologies, and applications.
“The framework has always been tech-neutral, but organizations are looking for more guidance when they are, say, leveraging cloud or leveraging the internet of things or operational technologies,” says Pascoe.
“And so that one's going to be a really particular struggle to make sure that we are remaining tech-neutral, while also not excluding any particular systems – but I think there are a number of organizations that were looking for us to go further than that, and have specific guidance for each of these technologies.”
Comments on the proposals can be submitted to NIST at email@example.com until March 3, with a draft planned for summer, followed by a public review.
“So we're going to try and find consensus where we can, but some of these changes on governance and supply chain are really large. Hopefully we'll be able to find a solution,” Pascoe concluded.