The National Institute of Standards and Technology (NIST), the U.S. government’s standards-setting body, released a draft cybersecurity framework last week, the second major iteration of the influential document first published in 2014. The new version gives organizations guidance on how to discuss and weigh cybersecurity risk, particularly at the senior executive level, so that their risk management keeps pace with new threats.
The framework’s scope has expanded to explicitly cover cybersecurity for all organizations, not just those in critical infrastructure sectors such as banking. For organizations such as banks that voluntarily reference the framework in their cybersecurity practices already, many elements remain unchanged, and the framework mainly provides additional guidance for following established standards.
NIST has also added a sixth, cross-cutting function to the five core functions (which the framework also calls pillars) carried over from earlier versions. Joining identify, protect, detect, respond, and recover is a new “govern” function.
Many banks have already started to integrate cybersecurity into key governance functions, such as risk management. In part this has been driven by the New York Department of Financial Services’ 2017 cybersecurity rule that holds banks responsible for conducting risk assessments, including of third parties.
The NIST framework’s new “govern” pillar calls on companies to “establish and monitor the cybersecurity risk management strategy, expectations, and policy,” including by integrating cybersecurity risk into organizations’ broader enterprise risk management.
While the framework does not prescribe to whom chief information security officers should report or whether chief risk officers should oversee cybersecurity, the new governance imperative “emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership,” according to a press release from NIST about the draft version 2.0 of the framework.
The framework also calls for “the senior executive level” of organizations to discuss “how cybersecurity-related uncertainties might affect achieving the enterprise’s mission and objectives.” It also spells out more specific items for organizations to check off, such as integrating cybersecurity into human resources practices and standardizing the methods used to calculate cybersecurity risk.
Accompanying the new draft framework is a set of implementation examples showing how organizations can act on each of the framework’s guidance items, such as creating responsibility matrices that document who in a corporation is responsible and accountable for supply chain risk management activities.
The new draft also includes guidance on building “profiles,” tailored versions of the framework that help organizations apply it to a specific scenario or threat. NIST maintains a list of example profiles, including one on using the framework to manage ransomware risk.
The new draft and its accompanying tools reflect feedback NIST received on the earlier versions, according to NIST’s Cherilyn Pascoe, the framework’s lead developer.
“Many commenters said that we should maintain and build on the key attributes of the CSF, including its flexible and voluntary nature,” Pascoe said. “At the same time, a lot of them requested more guidance on implementing the CSF and making sure it could address emerging cybersecurity issues, such as supply chain risks and the widespread threat of ransomware. Because these issues affect lots of organizations, including small businesses, we realized we had to up our game.”
The framework constitutes a “forward-looking initiative” that recognizes the universal relevance of cybersecurity, according to Eduardo Azanza, CEO of digital identity company Veridas.
“NIST’s addition of the ‘govern’ pillar to the cybersecurity framework reinforces the idea that cybersecurity should not just be a reactive procedure for organizations, but rather needs to be aligned with overarching business decisions on a daily basis,” Azanza said.
The draft framework comes five years after NIST released version 1.1 of the framework and nine years after version 1.0. Previous changes NIST has made to the cybersecurity framework have highlighted important industry trends and often demonstrated foresight.
For example, a primary change NIST made between the 2014 (version 1.0) and 2018 (version 1.1) releases of the framework was the expansion of the section on supply chain risk management, specifically the subsection on organizations’ relationships with technology suppliers and how they communicate with those suppliers about their cybersecurity postures.
“A primary objective of cyber [supply chain risk management] is to identify, assess, and mitigate ‘products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain,’” read version 1.1 of the framework, quoting a 2015 NIST publication on supply chain risk management.
Attacks on IT supply chains were already well documented before NIST expanded this guidance in 2018. Notable examples identified by NIST include the 2015 KingSlayer attack, which reached 24 banks and financial institutions along with many other large targets, and the 2017 Petya and NotPetya attacks, which presented as ransomware and struck at least 2,000 mainly Ukrainian organizations.
Since then, supply chain attacks have drawn more attention from cybersecurity professionals and affected more organizations. The number of compromised entities with access to multiple organizations’ data rose from 119 in 2017 to 1,743 in 2022, according to a report the Identity Theft Resource Center released in January.
NIST will accept public comment on the draft framework until Nov. 4. The institute will also host a workshop in the fall to provide an opportunity for feedback and comments. Details are yet to be announced. The framework’s developers will not release another draft of the framework before the final version comes out, which NIST expects in early 2024.