Decoded: new changes to NIST’s Cybersecurity Framework

· 3 MIN READ · BRUCE POTTER · DEC 13, 2017 · TAGS: Framework / NIST / Overview / Planning

The v1.1 framework has launched (April 16, 2018) and that means we’ve got a more up to date rundown for you. Check out, What’s new in the NIST Cybersecurity Framework (CSF) v1.1.

“Where do I start?”

It’s a common question for organizations that are trying to get their arms around the sprawling issues of cybersecurity and risk management. For most, this question eventually leads them to the NIST Cybersecurity Framework. Since it was published in 2014, it has been a frequent starting point. It’s not perfect, but it has provided a common language and structure for discussing and improving security. And that’s a good thing.

People don’t always realize it, but NIST never intended the Cybersecurity Framework to be something you “do.” It’s supposed to be something you “use.” Now that thousands of organizations have been using the framework for three years, NIST has released the second draft of the 1.1 version of the framework and they’re turning to the community to get feedback so they can improve it.

In case doing a “stare-and-compare” of the original and updated frameworks isn’t your idea of fun, I’ve highlighted three important changes below.

1. Assess yourself first…then measure

It has always been difficult for some organizations to use the framework because NIST didn’t provide clear guidance on exactly what to use it for. It was brand new back in 2014 so that makes sense. The updated version fills in some of those gaps. Specifically, Section 4, which used to be called “Measuring and Demonstrating Cybersecurity” has been re-christened “Self-Assessing Cybersecurity Risk with the Framework.” While both names are equally dry (hey…what do you expect from a standards body), they cut to the core of how to operationalize the framework.

Self assessments are key to formulating a plan for improving your organization’s cybersecurity and they’ve been one of the framework’s big successes. By focusing Section 4 on self-assessment, NIST is making sure organizations that are new to the framework focus on one of the framework’s primary use cases.

2. Supply chain risk management (SCRM) — now with real guidance

It’s no secret that supply chain partners are often the soft underbelly for attackers looking for a way in. But answers for how to protect the supply chain are harder to come by. Past versions of the NIST framework highlighted SCRM as an important component of a cybersecurity program. But they didn’t really say anything else.

The new version of the framework adds a lot more detail and integrates SCRM with the rest of the framework. It feels a lot more complete. So, if you’re one of those people who’ve been beating the SCRM drum for three…or…five…or…ten years, you’ll find new ammunition to beat the drum even louder.

3. External participation — when and how you should get outsiders involved

The final notable change I want to call out relates to when and how you should get outside parties involved in your program.

As a quick refresher, NIST defines four tiers of maturity. It starts with Tier 1, which NIST charitably calls “Partial”. This includes organizations that only deal with cyber risk when they’re forced to. Fast forward to Tier 4 (aka “Adaptive”) organizations and you’re looking at risk management machines. NIST ranks each tier according to risk management processes, integrated risk management programs and…you guessed it…external participation.

But previous versions of the framework didn’t give the reader much to go on when it came to external participation. There was a sentence or two describing what was appropriate for that tier. But not enough to build into your program. The new definitions are much more complete. They include discussion on external communication, the broader community and guidance on how to interact with supply chain stakeholders.

Overall, this second draft of the NIST framework feels a lot more complete to me than version one. That’s not surprising given we’ve had three years to digest and use it. In addition to the practical experience, our understanding of cyber risk has continued to evolve.

If you’ve thought about using the NIST framework before but felt it was too daunting, now might be a time to take another look. If, on the other hand, you’re already using NIST I’d suggest taking a look at the three sections I’ve highlighted above to see if they can help focus your implementation by turning some of the more theoretical aspects of the NIST framework into tangible things you can go execute on.

Either way, NIST is still taking feedback on the draft until January 19th. So if you have time, take a look at it and provide feedback. They’ve built the framework based on community contributions from people like you, so take a few minutes and help make the CSF your own.