As it begins planning to revise its widely praised Cybersecurity Framework (CSF), the National Institute of Standards and Technology (NIST) has requested that interested parties supply comments on how NIST can improve the effectiveness of the CSF and its alignment with other cybersecurity resources. NIST's last update of the framework, first released in 2014 under an executive order issued by President Obama, was in 2018.
"There is no single issue driving this change," NIST Chief Cybersecurity Advisor Kevin Stine said in a statement. "This is a planned update to keep the CSF current and ensure that it is aligned with other tools that are commonly used."
NIST raises a host of questions
In its published request for information, NIST raises a host of "non-exhaustive" questions that it hopes will move the ball forward in making the framework more applicable to a broader range of users while incorporating improvements, including a greater focus on supply-chain-related cybersecurity needs. Specifically, NIST asks a series of questions about how to improve the use of the framework, including whether the framework allows for better risk assessments and management of risks, what relevant metrics might be used to measure the impact of the framework and what challenges organizations face in using the framework, among other questions.
NIST also asks for suggestions on improving alignment or integration of the Cybersecurity Framework with other NIST risk management resources such as the NIST Risk Management Framework, the NIST Privacy Framework, and Integrating Cybersecurity and Enterprise Risk Management (NISTIR 8286). NIST further asks for ways to improve alignment or integration of the NIST framework with other non-NIST frameworks, such as international approaches like the ISO/IEC 27000-series, including ISO/IEC TS 27110.
Regarding supply chains, NIST is requesting information to help identify supply-chain-related cybersecurity needs and harmonize the National Initiative for Improving Cybersecurity in Supply Chains (NIICS), a public-private nonprofit founded by NIST, with the CSF. Moreover, NIST asks whether it needs to create a dedicated framework addressing cybersecurity supply chain risk management or if this should be addressed through more effective treatment of supply chain risk in the CSF.
CSF update is sensible and timely
Reaction from cybersecurity specialists to the update is generally favorable. Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance (NCA), says that the push to create frameworks, best practices, and supporting guidance and tweaking them on a more ongoing basis has gained momentum in the wake of recent increased cyber threats. "This announcement from NIST and the collaborative approach it seems to be taking is not only unsurprising but is also very sensible as we continue to work to refine and modernize our cybersecurity operations," Plaggemier tells CSO.
Dr. Joerg Borchert, president and chair of the Trusted Computing Group, says a CSF revamp is now due. "As the early framework was created in 2014, a revamp is timely," he tells CSO. "The overhaul provides a chance to update the CSF to the threat vectors and new challenges."
Borchert says the CSF is already a leading framework in the international community. "When it really comes down to it, there are only a few frameworks for cybersecurity that are commonly accepted as best practices," he says, noting that the other leading frameworks on par with the CSF in the international community include ISO 27001/27002, NIST SP 800-53, Secure Controls Framework (SCF) and the payment standard PCI DSS.
Secure Code Warrior's CTO and co-founder, Dr. Matias Madou, agrees that NIST is already a front-runner on the international scene regarding cybersecurity frameworks, particularly in the area of secure software development. "I do hope a lot of organizations and countries are looking at this roadmap they're laying out and will follow suit. U.S. companies have led the way in securing software and validating the software."
Brian Behlendorf, general manager of the Open Source Security Foundation, says that NIST's plan to tackle supply chain issues dovetails with his hope that a consistent way emerges for software developers to choose the building blocks in their software. "What we have not done is build a metrics-driven, data-driven approach to helping developers make decisions," Behlendorf tells CSO. "If NIST can be helpful in driving industry toward a set of common standards and data formats and terminology around all of this, I think that would be helpful in moving things forward."
GAO hopes the update will fix agency adoption problems
Dave Hinchman, acting director in the Government Accountability Office's (GAO) Information Technology and Cybersecurity team and author of a recent GAO report on how government agencies have adopted the NIST Framework, hopes the NIST update process will address issues that have thwarted agency adoption of the CSF. The GAO's most recent report issued earlier this month is the final of four statutorily mandated studies. It found that only three of the federal government's 16 critical infrastructure sector risk management agencies (SRMAs) have implemented the CSF after eight years of being urged to do so.
"When you see some of the things we found, it's not a great picture," Hinchman tells CSO. "Only three agencies have determined how they're going to adopt the framework. Four have finally started some effort, but the [remaining] sectors haven't done anything. We have had a pretty good discussion of a lot of the challenges that agencies are citing in why they're not making better progress."
Voluntary nature, lack of metrics slow framework adoption
The most significant barrier to agency adoption of the framework is that it's voluntary, Hinchman says, which NIST does not have the authority to change. Another big problem that Hinchman cites is the lack of metrics, a topic that NIST raises in its request for information. As auditors, the GAO likes "hard things," he says. "What are the specific targets that we're doing? That's maybe something to consider, whether there's a way to build in some metrics. I think that could help drive adoption because it's a way that there's a measurable outcome or a measurable target that you can track against." Hinchman notes that NIST had already made some progress on the metrics front even before issuing its information request.
Yet another limitation holding back the adoption of the framework is a lack of tangible implementation guidance, Hinchman says. "I think that maybe it is time to sit down, revisit this and look at what it is that we can do to make this more palatable so that we get better adoption," particularly given the voluntary nature of the CSF.
"I've been performance auditing the government now for almost 20 years, and when you've got big disconnects like what we're seeing here, with what everyone says is this great framework that's in place, but terrible adoption eight years on, there's something that's not clicking," Hinchman says.
He praises NIST's decision to update the framework, hoping that NIST takes what the GAO has discovered to heart. "The NIST and DHS programs got mixed reviews at best from agencies. You have to acknowledge agencies' complaints about those programs and admit that more needs to be done. This request for information is a great first step." But, "at the end of the day, agencies are really just struggling to get adoption in place."
NIST did not respond to multiple requests for comment on the GAO report and Hinchman's remarks.