The latest draft of the cybersecurity framework proposed by the National Institute of Standards and Technology is receiving kudos from information security professionals.
Released in August, NIST Cybersecurity Framework (CSF) 2.0 makes significant improvements over its predecessor, CSF 1.1, adding more focus on software supply chain security and new functions, enhanced guidance, and a greater emphasis on risk management. It is also easier to read than the earlier version.
Having been five years since the introduction of CSF 1.1, the framework was overdue for an update that reflects the modern threat landscape, said Ben Chappell, CEO of Apona Security.
"The expansion into supply chain risks and source code review is critical, as witnessed by Log4J attack and others. Organizations are, and should be, responsible for the code that is both borrowed and developed."
Here are key changes in CSF 2.0 — and what they mean for your SecOps team.
[ Learn more: Tools gap leaves orgs exposed to supply chain attacks | Download report: Software Supply Chain Security Risk Report ]
Key additions make CSF 2.0 a 'huge improvement'
ReversingLabs Field CISO Matt Rose said CSF 2.0 was a "huge improvement" over CSF 1.1 — and an essential tool given the rise of software supply chain attacks.
"It's an improvement because the threats, vulnerabilities, and methods of attack have evolved rapidly over the past few years. Trying to stop the new landscape of cybersecurity risk with old techniques will result in an ineffective cybersecurity program."
One area in the framework proposal that's attracting praise is its treatment of governance. NIST has added a govern function to the five other core functions in the framework: identify, protect, detect, respond, and recover.
Bud Broomhead, CEO of the IoT cyber-hygiene company Viakoo, said the addition of the govern function was critical, adding that the function should include ensuring that all systems are visible and operational and that there are enterprise-level security processes and policies in place.
"The addition of a sixth function, for govern, is a clear message to organizations that to be successful, there also must be actively managed policies and processes underpinning the other functional areas."
Brett Tucker, cyber-risk technical manager in the CERT division at Carnegie Mellon University's Software Engineering Institute, said the addition is "a stark improvement over the original model."
"Risk analysis and management must lend itself to sound risk-based decision making. The decomposition of a governance structure into components such as communication paths, authority, and responsibilities should empower organizations to delegate risk-based decision making to appropriate levels of the organization."
Tucker said the proposed framework would lead to decisions related to cybersecurity control selection and other responses being "realized with greater efficacy and economy."
Communications key for aligning security with the business
Making the govern function a pillar in the framework reinforces the idea that cybersecurity should not just be a reactive procedure for organizations, but rather needs to be aligned with daily business decisions, said Eduardo Azanza, CEO of the biometric identification and authentication company Veridas.
"This shift in perspective will empower organizations to make informed choices and contribute to their long-term success."
Larger organizations aren't strangers to the idea of governance. Many of them have governance, risk management, and compliance (GRC) programs in place to align IT with business objectives.
Tim Morris, chief security advisor at the endpoint management and security company Tanium, said the new function is praiseworthy given that governance is a large umbrella and an essential part of any cybersecurity program.
"Frameworks, standards, and guidelines lay the foundations of a common language and methodologies that help cross-functional organizations work together. It is also beneficial for communication between technical and nontechnical teams."
Roger Grimes, a defense evangelist at the security-awareness training company KnowBe4, said that making governance a pillar of the framework indicates how important it is to the whole program.
"That is good, especially since the SEC made governance an official senior leadership requirement for all U.S. public companies. NIST’s inclusion is just going to continue to indicate the seriousness that senior management needs to assign to cybersecurity governance for all organizations around the world."
Continuous improvement encouraged
The proposed framework also encourages organizations to continuously improve their cybersecurity posture and emphasizes risk management, both a departure from CSF 1.1.
For example, CSF 2.0 references processes such as continuous monitoring, vulnerability assessments, penetration testing, and red-team exercises that provide ongoing visibility and drive proactive enhancements.
It also is designed to be customized to an organization's risk appetite and operational requirements. This accommodates a variety of implementation paths based on a company's specific priorities.
ReversingLabs' Rose said flexibility was essential for the CSF being relevant and practical for a range of companies.
"The CSF continuing to be very flexible and agile is very important for organizations to address risk management in their own specific way. There are many different ways to address risk management."
The proposed framework also encourages continuous improvement by allowing organizations to benchmark and mature their capabilities in an incremental way through a tiered system.
"The increased focus on measuring the effectiveness of an organization's cybersecurity program is the best way for organizations to continuously improve their cyber security posture. How can you improve what you already have implemented if you can't compare it to something?"
NIST has done a lot of work to connect CSF 2.0 with other NIST standards in the text of the framework itself, said Paul Hurley, CEO of the cybersecurity consulting and testing company Securicon.
"This will provide organizations with a pathway to cyber-readiness beyond basic CSF protections and promote an in-depth understanding of why they exist. Soon there will even be a reference tool that enables readers to jump between CSF 2.0 and the latest version of related NIST documentation — a huge aid to ongoing improvement efforts."
Building a mature risk management approach
The functional nature of the CSF anchors the activities of an organization to foundational practices of cyber-risk management, said CERT's Tucker.
"Standardized practices may be measured for their degree of maturity, which will help organizations to prioritize investment in new tools and capabilities. Furthermore, the functional aspects of the CSF connect the cyber-professional to the management team in a manner that aligns technical expectations with the practical considerations of resource investment."
The expansion of NIST's CSF marks a pivotal step toward securing U.S. industries, said Veridas' Azanza.
"This forward-looking initiative demonstrates NIST’s recognition of the universal relevance of cybersecurity and takes into consideration the unique challenges faced by various sectors. This inclusive approach will set in motion the path to a safer digital landscape and leaves no one behind."
John Bambenek, a principal threat hunter at the IT and digital security operations company Netenrich, said CSF 2.0 tackled one of the perennial problems in cybersecurity: how to quantitatively talk about security to leadership and the board.
"Expanding these frameworks to all organizations, and not just critical infrastructure, opens the door to being able to do so in a consistent way across the economy and hopefully will lead to more buy-in of using security to reduce business risk."
Comments on the CSF 2.0 draft will be collected by NIST until November 4, and a final version will be released early in 2024.
- Join Webinar: Threat Modeling & Software Supply Chain Security
- Supply Chain Risk Report: Learn why you need to upgrade your app sec
- See Special Report: The Evolution of Application Security
- Track key trends: The State of Supply Chain Security 2022-23
- Get report: Supply chain and the SOC: Why end-to-end security is key