A look at upcoming changes to the standards, guidelines, and practices that organizations of every size need to manage and reduce cybersecurity risk.
By Glenn Sweeney
vCISO at CyberOne Security
The NIST Cybersecurity Framework was originally created in 2014 to give federal users a common standard by which to measure their cybersecurity assessment efforts. Since then, NIST has evolved to include corporate users who have had ongoing input into its content. NIST Cybersecurity Framework is a living document that is regularly refined and improved based on stakeholder feedback to keep pace with changing technology and threat trends.
As a vCISO at CyberOne Security, I actively participate in discussions to help improve the NIST Framework. The scope of CSF 2.0 will cover all organizations across government, industry, and academia to boost its broader use. As stated in the current NIST 2.0 concept paper, a primary goal of cybersecurity measurement and assessment is to determine how well an organization is managing cybersecurity risk, and if and how they are continuously improving. Following are four areas that are being updated to make NIST 2.0 more robust for federal and industry users:
- A New “Govern” Function Will Be Added to Core
The NIST Framework Core formerly consisted of five continuous functions — Identify, Protect, Detect, Respond, and Recover. The upcoming version will also include “Govern,” which will address the importance of aligning cybersecurity activities with business risks and legal requirements.
In the past, cybersecurity governance was addressed in the “Identify” function. Addressing it as a function reflects its high importance and allows NIST to go deeper into the topic. The new “Govern Function” will cover four areas that are critical to broad defense and recovery, including:
- Determining the priorities and risk tolerances of the organization, customers, and larger society
- Assessing cybersecurity risks and impacts
- Establishing cybersecurity policies and procedures
- Understanding of cybersecurity roles and responsibilities
I like to think of Govern as the foundation of a house. It ensures that the entire infrastructure aligns with organizational policies and legal requirements, so it is more stable and secure from the ground up.
- Supply Chain Risk Will Be Added to the Identify Function
Technologies and computing services like cloud enable organizations to do business with people and groups all over the world, but they also open enterprises up to third-party vulnerabilities. Feedback from NIST 2.0 respondents make it clear that supply chains are a top risk. Adding Supply Chain Risk to the Identify Function provides an opportunity to go deeper and provide broader guidance on addressing third-party risk. This may include the need for special teams within the organization that are focused on these specific risks. Feedback will inform the final draft of NIST CSF 2.0. You can submit your feedback on this discussion draft at cyberframework@nist.gov at any time.
- Respond & Recover Will Be Added to Incident Response Management
Artificial intelligence (AI) is one of the newest and most versatile weapons in the arsenal of bad actors, and it serves as a strong reminder that even the best defenses can be breached. Organizations need a well thought out recovery plan to limit damage while maintaining business as usual. For this reason, NIST 2.0 is expanding consideration of outcomes in the CSF Respond and Recover Functions to include Response and Recovery management. This section may include subtopics such as indirect mitigation, recovery plan execution, and incident forensics. Content is being changed or added to keep up with new and emerging threats and ensure that organizations can accurately assess how prepared they are to recover critical assets and sensitive information and keep their businesses running in the event of a breach.
- Updated Digital Identity Guidelines
Finally, NIST 2.0 will also include revised Digital Identity Guidelines with updates to the CSF’s identity management, authentication, and access control category. Through these updates, NIST 2.0 will provide a roadmap for assessing the strength of your approach to managing identities and access that is more tailored to today’s threat landscape.
In my role at CyberOne Security, I leverage NIST to ensure my assessments are as relevant and thorough as possible. As a participant in the process of updating NIST 2.0, I think these new updates will cover a lot of ground in the ongoing effort to keep up with changes to the threat landscape.
If your organization needs help assessing its current security posture, contact CyberOne for customized exposure management support that prioritizes the unique risks to your business. We can help you develop a strategic and tactical roadmap based on previous assessments of your cybersecurity program.
About Glenn Sweeney
Linkedin: https://www.linkedin.com/in/glennbsweeney/
Glenn Sweeney is a successful information security leader with over 20 years of cybersecurity technical and managerial experience supporting many types of industries from small to large enterprises. He has a passion to help businesses create a cybersecurity strategy and program using the latest frameworks such as NIST, ISO, IEC, and CIS, giving them the direction they require to succeed in implementing, managing, and administering a proven security program. Glenn has quite a list of information security certifications that include Certified Information System Security Professional (CISSP), SANS GIAC-GSEC, SANS GIAC Certified Incident Handler, Certified HIPAA Security Expert (CHSE), Certified Cybersecurity Awareness Professional (CCAP), EC-Council Computer Hacking Forensic Investigator (CHFI), and CompTIA Security+.
