New CSF Adds ‘Governance’ to Core Functions
Cybersecurity guidance for the private sector published by the U.S. National Institute of Standards and Technology has received its first major update since it was first unveiled in 2014.
The revised Cybersecurity Framework focuses on governance and urges organizations – “from the smallest schools and nonprofits to the largest agencies and corporations” – to consider cybersecurity threats a major source of enterprise risk.
The revised framework takes a more iterative approach to future updates, experts told Information Security Media Group, including new standards that will allow for smaller, continuous updates rather than major overhauls every 10 years.
Ari Schwartz, coordinator for the Center for Cybersecurity Policy and Law and a former member of the White House National Security Council, said the new approach “will allow the framework to be more dynamic than it has been in the past.”
“There will likely always be small things to learn when revising CSF assessments going forward,” Schwartz told ISMG. “Security is an ongoing journey, and the CSF 2.0 reflects that.”
The updated framework adds one new core element of a cybersecurity program – governance – to the five originally established in 2014: identify, protect, detect, respond and recover.
The Cybersecurity Framework is a voluntary model for cybersecurity developed during the Obama administration as an alternative to a failed attempt to legislate minimum cybersecurity standards for critical infrastructure. NIST officials underline – as they did during the framework’s occasionally contentious development – that it imposes no duty of care onto the private sector. The framework has nonetheless become a benchmark of sorts against which private sector cybersecurity is often measured in contexts ranging from class action lawsuits to Federal Trade Commission guidance.
The governance core function makes explicit a previously implicit element of the framework – that organizations following it should establish a cybersecurity strategy, assign authority to executives to implement it and ensure oversight.
The framework also says that executive-level discussions around cybersecurity strategy help “support dialogue and agreement about risk management strategies” as well as roles, responsibilities, policies and oversight.
It envisions overall cybersecurity objectives cascading from the C-suite to the managerial level, where managers “will focus on how to achieve risk targets through common services, controls, and collaboration.” Expectations and objectives are then updated in organizational profiles as the cycle repeats, according to the guidance.
The framework encourages organizations to develop organizational profiles that can be used to prioritize certain cybersecurity actions in order to achieve specific outcomes and communicate those benefits to stakeholders. Organizational profiles can also “help inform continuous improvement” of cybersecurity practices, according to NIST.
NIST Director Laurie Locascio said in a statement Monday that the new framework “can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.”
NIST said the framework anticipates that organizations with a variety of cybersecurity postures will come to the updated guidance with a variety of needs. The CSF 2.0 was published alongside a series of quick-start guides designed for specific types of users, as well as implementation examples, success stories and a searchable catalog of references that maps specific actions to the framework.
The framework also includes a reference tool that allows users to search, browse and export data in human-consumable and machine-readable formats.