NIST Shores Up CSF 2.0 With Supply Chain, Governance Reforms

The U.S. Dept. of Commerce National Institute of Standards and Technology (NIST) will open a comment period for stakeholders on significant proposed reforms to its Cybersecurity Framework (CSF).

In advance of the public comment period, the standards organization wrapped up the last stakeholder workshops last week. It is the first time in five years that NIST has sought sweeping changes to the voluntary framework, which is designed to help provide “guidance to organizations to better understand, manage, reduce and communicate cybersecurity risks. It is a foundational and essential resource used by all sectors around the world.”

NIST claimed that “despite evolving cybersecurity risks, many respondents to the NIST Cybersecurity RFI reported that the CSF remains effective in addressing cybersecurity risks by facilitating governance and risk management programs,” as well as enhancing communication both within and across organizations.

“Practical guidance has long been missing. NIST publications tend to be dense reads filled with jargon that make them less approachable to less-resourced organizations,” said Christopher Hallenbeck, CISO, Americas, Tanium. “I’m glad to see an emphasis on addressing the underrepresented community of small businesses in this process.”

Explaining that the framework is “intended to be a living document that is refined and improved over time,” NIST offered six broad changes.

Among them, the CSF 2.0 would “explicitly recognize CSF’s broad use to clarify its potential applications” and will remain a framework that provides “context and connections to existing standards and resources.”

But perhaps some of the most significant changes are boosting the CSF to “emphasize the importance of cybersecurity governance”—which often gets short shrift at many organizations—and underscore the criticality of supply chain risk management. CSF 2.0 will also seek to make the link between those two initiatives—cybersecurity governance and supply chain risk.

“CSF 2.0 will include a new ‘Govern’ Function to emphasize cybersecurity risk management governance outcomes,” the NIST CSF 2.0 concept paper noted.

“While the five CSF Functions have gained widespread adoption in national and international policies, including ISO standards, NIST believes that there are many benefits to expanding the consideration of governance in CSF 2.0,” the concept paper said. “This new crosscutting Function will highlight that cybersecurity governance is critical to managing and reducing cybersecurity risk.”

The new iteration of CSF “will describe how an underlying risk management process is essential for identifying, analyzing, prioritizing, responding to, and monitoring risks, how CSF outcomes support risk response decisions (accept, mitigate, transfer, avoid), and various examples of risk management processes (e.g., Risk Management Framework, ISO 31000) that can be used to underpin CSF implementations,” NIST said.

There is wide agreement among respondents “that cybersecurity risks in supply chains and third parties are a top risk across organizations,” but stakeholders don’t believe NIST should develop a separate framework to address them.

“Managing cybersecurity within the supply chain was one of the key additions in the last update to the CSF,” but “since then, even more attention has been paid to developing guidance to increase trust and assurance in technology products and services, including guidance developed pursuant to the Executive Order on Improving the Nation’s Cybersecurity (EO 14028). CSF 1.1 added the CSF ‘Supply Chain Risk Management’ (ID.SC) Category; expanded Section 3.3, Communicating Cybersecurity Requirements with Stakeholders, to better understand C-SCRM; added a new Section 3.4, Buying Decisions, to highlight the use of the Framework in understanding risks associated with off-the-shelf products and services; and incorporated C-SCRM criteria into CSF Tiers. In addition, third-party management is included as a consideration as part of broader CSF outcomes” across framework functions, NIST said.

“Small business and education have been out in the cold for years as cybersecurity poor but target rich. Ransomware has moved the threat from expert jargon to preying on your local community,” said Bryson Bort, founder and CEO of SCYTHE. “We’re seeing the government work collaboratively beyond pushing paper (NIST CSF) to rolling up their sleeves to help them directly with CISA’s announcement on these same priorities last month.”

Globalization, outsourcing and expansion of the use of technology services like the cloud highlighted the “importance of organizations identifying, assessing and managing both first- and third-party risks,” NIST said.

“However, third-party risks may involve distinct assessment and oversight that is often handled by separate teams/organizations,” the organization said. “Thus, NIST believes CSF 2.0 should include additional C-SCRM-specific outcomes to provide additional guidance to help organizations address these distinct risks.”

Understanding whether cybersecurity programs pass muster relies on being able to measure and assess them. That’s why CSF 2.0 will clarify how the framework can support that measurement and assessment.

The human element should not be ignored either. “It’s great to hear that there will be a significant reform to the framework. It is important to recognize that security team wellness determines how successful the use of the framework is,” said Chloe Messdaghi, managing director at Impactive Partners. “We cannot continue to ignore the human element part that cybersecurity plays when we are protecting from attacks.”

She noted that “when a team has poor leadership and management, it faces risk of creating a revolving door environment, mental health issues, lack of inclusion and a continuing overstretched security team which, in return, leads to an increased cybersecurity risk for an organization.”


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
