Cybersecurity professionals, and anyone interested in cybersecurity, take note: The gold standard of cybersecurity is getting a needed polish. But all that glitters is not gold.
The National Institute of Standards and Technology’s (NIST’s) Framework for Improving Critical Infrastructure Cybersecurity (CSF) is often touted as the gold standard for building a robust cybersecurity program. But voluntary compliance with the framework has largely failed to generate effective cybersecurity, leaving critical infrastructure and other organizations vulnerable to serious cyber threats such as ransomware. Now, nearly a decade after its initial release, the CSF is undergoing a major overhaul to address changes in technology, risk, and the overall cybersecurity landscape. The updated framework (CSF 2.0) is due out in early 2024, but if NIST’s recently released draft is any indication, CSF 2.0 is unlikely to fundamentally improve the nation’s cyber posture.
The CSF was first released in 2014 to reduce cybersecurity risk to critical infrastructure, yet in the decade since, that risk has only increased. According to the intelligence community’s 2023 threat assessment, “China almost certainly is capable of launching cyber attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems,” and more recent reports indicate that Chinese state-sponsored hackers already have infiltrated a wide array of U.S. critical infrastructure organizations including telecommunications and transportation hubs. Voluntary compliance with the CSF simply has not been sufficient to generate effective cybersecurity for critical infrastructure. This reality was brought home by the ransomware attack on Colonial Pipeline in 2021 and is reflected in the Biden administration’s subsequent decision to impose mandatory cybersecurity requirements in key critical infrastructure sectors, including oil and natural gas pipelines, aviation, rail, and water.
Nothing in CSF 2.0 is likely to change this state of affairs. CSF 2.0 explicitly expands the CSF’s scope beyond critical infrastructure to organizations of any size or sector, elevates the importance of cybersecurity governance, and emphasizes the importance of cyber supply chain risk management. But fundamentally, the framework is not changing. Like the original CSF, CSF 2.0 is a voluntary framework that offers high-level guidance for managing cyber risk and leaves to individual organizations the hard work of cobbling together an effective cybersecurity program from the alphabet soup of often-complex frameworks, standards, and guidelines referenced in the updated framework’s expanded “implementation guidance.” (These include NIST SP 800-53, SP 800-218, and SP 800-161r1, to name just a few.) Unfortunately, the framework’s high-level guidance is too general to be implemented, and its “implementation guidance” is too technical to be of practical use to most organizations absent expert help. (In this regard, it is worth noting that although the CSF originally was designed for critical infrastructure, as a practical matter it has been widely adopted, and CSF 2.0 is explicitly designed to be used by organizations of all sizes and sectors.)
CSF 2.0 is unlikely to solve the pressing cybersecurity problems facing U.S. schools, hospitals, and the many other “target rich, resource poor” organizations that find themselves on the front lines of the cyber fight. NIST’s CSF 2.0 draft leaves these organizations largely responsible for their own cybersecurity, even in the face of significant cyber threats from the nation’s most capable cyber adversaries (that is, China, Russia, North Korea, Iran, and organized crime syndicates). Last year, for example, educational institutions suffered nearly $9.45 billion in downtime alone due to ransomware, yet few such institutions have the requisite knowledge, resources, and budget to use the NIST framework to develop a cybersecurity program capable of staving off sophisticated ransomware syndicates. The administration’s newly launched effort to shore up the cybersecurity of K-12 schools implicitly recognizes this reality. While it nods to the NIST framework, it seeks, among other things, to leverage expertise and investment from Amazon Web Services, Google, Cloudflare, and other large educational technology providers and vendors to protect schools. Generating effective cyber resilience in the face of proliferating cyber threats will require more such concerted efforts to leverage expertise and investment for the benefit of vulnerable organizations.
Background: The NIST Cybersecurity Framework
The CSF traces its origins to Congress’s failure to pass the Lieberman-Collins Cybersecurity Act of 2012, which would have imposed mandatory minimum cybersecurity standards for critical infrastructures such as the electric grid, transportation systems, and financial networks. When intense industry opposition kept Congress from passing the bill—even in a modified form that merely incentivized voluntary adoption of minimum cybersecurity standards—President Obama issued Executive Order 13636 directing NIST to develop a technology-neutral voluntary cybersecurity framework for reducing cyber risks to critical infrastructure. One year later, the CSF was born.
Executive Order 13636 and the resulting CSF were the vanguard of a national effort to drive a risk-based approach to cybersecurity recognizing cyber risk as not just an “information technology” risk, but as a form of business risk properly addressed through enterprise risk management. This approach implements cybersecurity controls not in pursuit of a particular level of cybersecurity maturity, but as part of a program of prioritized investment designed to drive down enterprise risk.
The CSF serves as a useful starting point for reducing cybersecurity risk, but it is important to understand that it does not—and was not intended to—provide organizations with a checklist of actions necessary to meet desired cybersecurity outcomes. The CSF provides high-level guidance for managing cyber risk. Each organization’s implementation of the framework is different as each organization’s risks are unique (each has different threats, different vulnerabilities, and different risk tolerances).
The framework’s hallmark flexibility has facilitated its widespread adoption, with 30 percent of U.S. organizations reportedly using the CSF just one year after its issuance. Although the CSF originally was designed to help critical infrastructure organizations better protect their information and physical assets from cyberattack, it has been voluntarily adopted (or adapted) for use by organizations of all sizes and sectors, federal, state, and local governments, and countries around the world. (Indeed, “several federal, state and foreign governments, as well as insurance organizations have made the [CSF] mandatory for specific sectors or purposes. Some organizations may also require use of the [CSF] for their customers or within their supply chain.”) In the U.S., adoption of the framework is voluntary for the private sector but has been mandatory for federal agencies since May 2017.
The very flexibility that led to the framework’s widespread adoption also raises concerns: Given the lack of specificity as to what constitutes framework adoption, it is not clear how to assess whether an organization actually has adopted it. Were more granular cybersecurity guidance to be offered, lawyers increasingly might be tempted to view the framework as a baseline against which “reasonable security” could be judged. This point is particularly salient now as the administration is actively exploring ways to implement its goal—set forth in the 2023 National Cybersecurity Strategy—of reshaping the laws governing liability for harm caused by insecure software.
CSF 2.0 responds to significant changes in the cybersecurity landscape over the past decade. These include changes in:
- The cyber threat (e.g., the explosion of multi-extortion ransomware and the increasing prevalence of attacks leveraging advanced technologies such as artificial intelligence (AI), machine learning, and automation).
- Cybersecurity capabilities (e.g., zero-trust capabilities, automation to combat cyberattacks, secure software development).
- The workforce (e.g., the global cybersecurity workforce shortage).
- Technologies (e.g., the evolution of cloud service and deployment models and accompanying cloud security risks; advancements in AI, machine learning, quantum computing, and encryption).
- The availability of resources to help organizations to better manage cybersecurity risk.
The draft CSF 2.0 retains the original framework’s essential elements. CSF 2.0 is voluntary for the private sector; takes a risk-based approach to cybersecurity (focusing on the cybersecurity outcomes that organizations seek to achieve rather than the specific controls that must be implemented); and retains the essential structure of the CSF, which comprises three main components:
- Core. The CSF core organizes desired cybersecurity outcomes around five “functions”: identify, protect, detect, respond, and recover. (CSF 2.0 adds a sixth: govern.) These functions are the key elements of effective cybersecurity.
- Tiers. The CSF tiers describe how cybersecurity risk is managed by an organization. Organizations choose the tier that meets their goals, reduces cyber risk to an acceptable level, and is feasible to implement. Progression from tier 1 to tier 4 reflects an increasing degree of sophistication in cyber risk management processes.
- Profiles. The CSF profiles help organizations “establish a roadmap” for cybersecurity risk reduction. They describe an organization’s “current” and “target” cybersecurity posture and help organizations to progress from one to the other.
The draft CSF 2.0 incorporates the following key changes:
Expanded Scope: CSF 2.0 is broader in scope than the CSF. While NIST’s original framework was designed to protect critical infrastructure, the new framework is designed explicitly to be used by organizations of all sizes and sectors, including small businesses. This change reflects not only the reality that CSF has been widely adopted well beyond critical infrastructure organizations but also the fact that Congress explicitly directed NIST to consider the needs of small businesses in connection with the framework. The framework’s expanded scope is reflected in the title of the new draft framework (which has changed from “Framework for Improving Critical Infrastructure Cybersecurity” to “The NIST Cybersecurity Framework 2.0”) as well as its text (language limiting the focus to critical infrastructure has been revised to include all organizations).
Governance: CSF 2.0 builds on the CSF’s risk-based approach to cybersecurity. CSF 2.0 recognizes that profound changes over the past decade—the explosion of cyber threats, accelerating global connectivity, advances in technology such as AI and quantum computing, and unprecedented reliance on information technologies and industrial control systems—have made cybersecurity a major source of enterprise risk (including business interruption, breach of privacy, and financial losses). To address these changes, CSF 2.0 elevates the importance of governance and identifies cyber risk as a consideration for senior leadership, on par with legal, financial, and other sources of enterprise risk.
The original framework identified five pillars of a successful cybersecurity program: identify, protect, detect, respond, and recover. CSF 2.0 adds a sixth: govern. The new governance function addresses how an organization makes decisions to support its cybersecurity strategy, and it is designed to be cross-cutting: It will inform and support the other five functions.
Supply Chain Risk Management: Supply chain risk management (SCRM) refers to the activities necessary to manage cybersecurity risk associated with external parties. (For example, how might a small business manage the risks associated with using a cloud service provider?) Simply stated, supply chains introduce cyber risk to an organization. Common supply chain cyber risks include malware attacks (for instance, the SolarWinds and NotPetya commercial supply chain attacks), ransomware attacks, data breaches (for instance, the Equifax data breach was the result of an open-source supply chain attack), and cybersecurity breaches.
As organizations increasingly rely on third parties, supply chain risks—including cyber risk—proliferate. Supply chain attacks can originate from any third parties with access to an organization’s system, including data management companies, law firms, email providers, web hosting companies, subsidiaries, vendors, subcontractors, and any externally sourced software or hardware used in the organization’s system. Cyber supply chain risks include tampering, theft, unauthorized insertion of code or components into software or hardware, and subpar manufacturing practices. Organizations that do not adequately manage supply chain risks are more likely to sustain a cyberattack.
The original CSF was criticized for inadequately addressing SCRM. In April 2018, NIST released a minor update to the CSF (dubbed CSF 1.1) that specifically addressed application of the framework to cyber supply chain risk management and, among other things, added a SCRM category to the framework core. Managing cybersecurity within the supply chain was one of the key changes to the CSF reflected in CSF 1.1.
The CSF 2.0 draft goes even further. While NIST explicitly decided against adding a seventh function focused on SCRM, CSF 2.0 provides additional details on third-party risk, integrates supply chain guidance into the new governance function, and provides that cybersecurity risk in supply chains should be taken into account as an organization performs all framework functions (not just governance). Among the changes is new SCRM language. In particular, CSF 2.0 specifies the following as desirable outcomes:
- Suppliers are “known and prioritized by criticality[.]”
- “Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships[.]”
- “Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle.”
Zero-Trust Architectures (ZTA): The relationship between CSF 2.0 and ZTA principles is an area of interest for many stakeholders. Zero-trust security is an alternative to the traditional “perimeter security” model. The traditional model automatically trusted users and end points within the organization’s perimeter. In contrast, the zero-trust model is a “deny by default” security framework that takes a “never trust, always verify” approach to security. ZTA has been formally established as a key element in establishing cybersecurity for the federal government for several years.
At least one stakeholder submitted comments prior to the release of CSF 2.0 urging NIST to add a new subcategory (within the framework’s protect function) to reflect implementation of a zero-trust architecture as a desired outcome. NIST did not include such a subcategory in the CSF 2.0 draft. Nor did NIST comply with a stakeholder request to revise the framework to include best practices consistent with implementation of a ZTA, including the use of multifactor authentication and comprehensive logging.
Recent events underscore the importance of such practices. In July, for example, after a Chinese-based espionage group hacked government email accounts, it was the government’s review of security logs that enabled it to identify the breaches. Nonetheless, NIST opted not to revise the framework to include these practices but instead to direct organizations to other resources for ZTA guidance. Specifically, NIST directed organizations to “look for resources that are specific to their technologies” and provided a link to NIST SP 800-207, which discusses the logical components of a zero-trust architecture but is not, itself, a road map for ZTA implementation. NIST continues to review the relationship between CSF and ZTA principles and has noted that, as part of its so-called Zero Trust Architecture project, it is in the process of developing a guide that demonstrates how commercially available technologies can be used to build different types of ZTAs.
Cloud Security: The relationship between CSF 2.0 and cloud security is another area of interest for many stakeholders. The original CSF addressed cloud security but focused on cases in which an organization managed and secured its own cloud infrastructure. This use case is no longer dominant. Today’s organizations are increasingly migrating to cloud environments in which third-party companies take legal and operational responsibility for managing the cloud. (For example, in platform-as-a-service and software-as-a-service cloud computing models, management of the underlying infrastructure is outsourced.)
CSF 2.0 addresses some of the shortcomings with the original CSF, enabling organizations to better use the framework to define shared responsibility models with cloud service providers, and CSF 2.0 facilitates some degree of oversight in cloud-hosted environments through its expanded governance and supply chain risk management provisions.
In addition, NIST’s updated framework is designed to allow its broad outcomes to be leveraged by organizations using cloud services and other technologies. Specifically, CSF can be mapped to more specific cloud security references to provide additional guidance, but much work remains to be done in developing these cloud security reference materials, as reflected in NIST’s commitment to “work with the community to encourage and enable the production of mappings which support the CSF 2.0.”
Expanded Implementation Guidance: To help organizations achieve the cybersecurity outcomes set forth in the framework, CSF 2.0 offers expanded “implementation examples” and “informative references.” While both resources are considered part of the framework, NIST will maintain them separately from the framework to facilitate more frequent updates.
Implementation examples provide expanded guidance on implementing the framework. They do not list all actions that could be taken to achieve an outcome, nor do they identify the minimum measures required to address cybersecurity risk. Rather, they are “action-oriented examples” designed to help organizations understand “core” outcomes and the initial steps that can be taken to achieve such outcomes.
NIST has released a separate discussion draft of the CSF 2.0 implementation examples and has encouraged the submission, at any time, of new examples for consideration. To further assist organizations seeking to implement the framework, the implementation examples will be available via a searchable online tool. One context in which such examples might be useful is cloud security, where implementation examples could, for example, be tailored to different cloud deployment models (e.g., public, private, and hybrid cloud), with specific security controls recommended for each model.
Finally, the framework does not mandate how an organization must achieve the outcomes set forth in the framework’s core, so organizations often couple the framework with more technical “informative references,” such as NIST 800-53, the security controls for federal information systems. NIST has encouraged the submission of informative references at any time. Informative references include standards, guidelines, regulations, and other resources to help inform how an organization achieves the outcomes set forth in the framework.
An important goal of CSF 2.0 is to describe how organizations can draw on existing technology frameworks, standards, and guidelines to implement the CSF. Toward this end, NIST plans to release a CSF 2.0 reference tool that eventually will provide “information references” showing the relationship between CSF and other resources (e.g., ZTA resources) so that it is easier to use the framework along with other guidance to manage cyber risk.
To be sure, NIST’s CSF 2.0 draft represents an improvement over the current NIST cybersecurity framework, but it is unlikely to fundamentally improve the United States’ cybersecurity posture. Like the CSF, CSF 2.0 is voluntary for the private sector, technology and vendor neutral, and offers high-level guidance for managing cyber risk. But much more is necessary to generate effective cybersecurity against the nation’s most capable adversaries. Advanced technologies, expertise, and investment must be properly leveraged to secure our digital future.
For example, NIST’s draft makes no mention of AI, save for a passing reference to NIST’s AI Risk Management Framework, yet the nation’s adversaries already are exploiting machine learning (e.g., to automatically generate new malware variants capable of evading defenses) and exploring ways to use generative AI to further their purposes. Meeting the cyber threat will require, among other things, an exploration of the role of AI in cybersecurity including via “human-machine collaboration,” which has the potential to support cyber resilience at scale in the face of sophisticated adversaries by automating security functions, accelerating decision-making, and supporting advanced security functions such as threat hunting.
CSF has long served as a starting point for a broad spectrum of organizations looking to begin, or continue, their journey of implementing a risk-based approach to cybersecurity, but if the overall cybersecurity posture of these organizations is any indication, we can, and must, do better.
Comments on the CSF 2.0 draft are due to NIST by Nov. 4 and will be used to develop the final CSF 2.0, which is slated for release in early 2024.