Interpreting the new NIST Cybersecurity Framework

The National Institute of Standards and Technology recently published the first-ever update to its widely adopted Cybersecurity Framework, implementing significant revisions that all sectors can benefit from as they look to improve their cyber-security efforts.

NIST first published its voluntary Cybersecurity Framework in February 2014 in response to an executive order issued by the Obama Administration. At the time, the focus of the framework was on 16 critical infrastructure sectors—such as financial services, energy, transportation, communications, and defense. But it has since been widely embraced by all sectors as a useful yardstick against which companies can measure their cyber-security practices relative to the threats they face.

On April 16, NIST published Cybersecurity Framework version 1.1, incorporating feedback received by those in government, industry, and academia since release of the first version. “Cyber-security is critical for national and economic security,” Secretary of Commerce Wilbur Ross said in a statement. “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must do.”

At a high level, the NIST Cybersecurity Framework is composed of three parts: The core; implementation tiers; and profiles. The core is a set of cyber-security activities, desired outcomes, and relevant references common across critical infrastructure sectors.

The core consists of five key functions:

Identify: What processes and assets need protection?

Protect: What safeguards are available?

Detect: What techniques can identify cyber-incidents?

Respond: What techniques can contain the impact of a cyber-incident?

Recover: What techniques can restore capabilities?

Together, these functions provide a high-level, strategic view of a company’s cyber-security risk management lifecycle. The core additionally consists of underlying categories and sub-categories for each function, paired with informative references—such as existing standards, guidelines, and practices for each subcategory.

The second component—the four key implementation tiers—provides further context around how a company views cyber-security risk and the processes in place to manage that risk. Tiers describe the degree to which an organization’s cyber-security risk management practices exhibit the characteristics defined in the Framework and “reflect a progression from informal, reactive responses to approaches that are agile and risk-informed,” the Framework states. “During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.”

The third component of the framework—profiles—represents the outcomes based on business needs that a company has selected from the Framework categories and sub-categories. The focus here is customization. “When 108 sub-categories are all of equal importance, really none of them are important,” Matt Barrett, NIST’s program manager for the Cybersecurity Framework, said during a live Webinar last week.

According to the Framework, a company can develop a profile by reviewing all categories and sub-categories and, based on its business drivers and a risk assessment, determine which are most important. It can then add categories and sub-categories, based on the company’s risks.

Key enhancements

The new version was designed to be compatible with the original, so that companies do not have to abandon their use of version 1.0. “We wrote this update to refine and enhance the original document and to make it easier to use,” Barrett said.

“The voluntary NIST Cyber-security Framework should be every company’s first line of defense. Adopting version 1.1 is a must do.”
Wilbur Ross, Secretary of Commerce

Among the key enhancements, version 1.1 includes a newly added section on how to use the framework for self-assessment purposes; adds further clarification on how to apply the framework to cyber-security supply-chain risk management; and refines key terms concerning authorization and authentication methods.

Below is a description of these enhanced sections:

Self-assessing cyber-security risk. Self-assessment has always been an important part of a strong cyber-security plan, and so companies should welcome new section 4.0 describing how companies can use the Framework to assess their cyber-security risk. “Not only is this about self-assessments, but it’s about stressing the linkage between business results, the costs, and the benefits,” Barret said.

As stated in the Framework, the better an organization can measure its risk, costs, and benefits of cyber-security strategies and steps, “the more rational, effective, and valuable its cyber-security approach and investments will be. Over time, self-assessment and measurement should improve decision making about investment priorities.”

“For example, measuring—or at least robustly characterizing—aspects of an organization’s cyber-security state and trends over time can enable that organization to understand and convey meaningful risk information to dependents, suppliers, buyers, and other parties,” the Framework stated. Companies can achieve this either internally or through a third-party assessment.

Cyber supply chain risk management (SCRM). Cyber SCRM is the set of activities necessary to manage cyber-security risk associated with external parties. Specifically, cyber SCRM addresses the cyber-security effect a company has on external parties, and vice versa.

A primary objective of cyber SCRM is to identify, assess, and mitigate “products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain,” the Framework states.

ESTABLISHING OR IMPROVING A CYBER-SECURITY PROGRAM

The following steps illustrate how an organization could use the Framework to create a new cybersecurity program or improve an existing program
Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities.  With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. The Framework can be adapted to support the different business lines or processes within an organization, which may have different business needs and associated risk tolerance. Risk tolerances may be reflected in a target Implementation Tier.
Step 2: Orient. Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then consults sources to identify threats and vulnerabilities applicable to those systems and assets.
Step 3: Create a Current Profile. The organization develops a Current Profile by indicating Which Category and Subcategory outcomes from the Framework Core are currently being achieved. If an outcome is partially achieved, noting this fact will help support subsequent steps by providing baseline information.
Step 4: Conduct a Risk Assessment. This assessment could be guided by the organization’s overall risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization.  It is important that organizations identify emerging risks and use cyber threat information from internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events.
Step 5: Create a Target Profile. The organization creates a Target Profile that focuses on the Assessment of the Framework Categories and Subcategories describing the organization’s desired cybersecurity outcomes. Organizations also may develop their own additional Categories and Subcategories to account for unique organizational risks. The organization may Also consider influences and requirements of external stakeholders such as sector entities, customers, and business partners when creating a Target Profile. The Target Profile should appropriately reflect criteria within the target Implementation Tier.
Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the Current Profile and the Target Profile to determine gaps. Next, it creates a prioritized action plan to address gaps–reflecting mission drivers, costs and benefits, and risks–to achieve the outcomes In the Target Profile. The organization then determines resources, including funding and workforce, necessary to address the gaps. Using Profiles in this manner encourages the organization to make informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements.
Step 7: Implement Action Plan. The organization determines which actions to take to address the gaps, if any, identified in the previous step and then adjusts its current cybersecurity Practices in order to achieve the Target Profile. For further guidance, the Framework identifies example Information References regarding the Categories and Subcategories, but organizations should determine which standards, guidelines, and practices, including those that are sector specific, work best for their needs. An organization repeats the steps as needed to continuously assess and improve its cybersecurity.
Source: NIST Cybersecurity Framework

Cyber SCRM activities may include:

Determining cyber-security requirements for suppliers;

Enacting cyber-security requirements through formal agreement (e.g., contracts);

Communicating to suppliers how those cyber-security requirements will be verified and validated;

Verifying that cyber-security requirements are met through a variety of assessment methodologies; and

Governing and managing the above activities.

Authentication and identity.  In version 1.1, NIST retitled the category “Access Control” to “Identity Management and Access Control” and added new refinements to better account for authentication, authorization, and identity proofing. “Here, we start to get into some nitty-gritty technical details around the ‘protect’ function of the cyber-security framework,” Barrett explained. Specifically, the protect function discusses appropriate safeguards to develop and implement and supports the ability to limit or contain the impact of a potential cyber-security event.

Critical timing

The NIST cyber-security framework comes a time when cyber-attacks are on the rise and as federal agencies and Congress are drawing increasing attention to the problem on a global scale.

“This update adds timely guidance about managing supply-chain cyber-security risk like those that Russians exploited to damaging effect with the NotPetya malware,” Rep. James Langevin (D-R.I.) said during a congressional hearing on April 18. In June 2017, Russian threat actors of the NotPetya ransomware-like worm exploited weaknesses in legacy unencrypted network management protocols to steal credentials, personal data, and sensitive corporate information.

Additionally, the Framework comes at a time when the Department of Homeland Security (DHS) launched a voluntary initiative, calling on companies to identify and mitigate systemic risk in supply chains. “We are working with users, buyers, tech manufacturers, and others to hunt down unseen security gaps—and to share actionable information that will help close them,” DHS Secretary Kirstjen Nielsen said in a keynote address at the 2018 RSA Conference. “This includes identifying companies in the supply chain whose risks might go unnoticed.”

“We need your help,” Nielsen said. “We ask you to work with us to identify systemic risks, to flag emerging ones, and to work with us to fix them.”

In another development, issued the same week as the Framework, U.S. and U.K. authorities released a first-of-its-kind joint advisory in response to malicious cyber-activity carried out by the Russian government. The advisory provides information on the worldwide cyber-exploitation of network infrastructure devices (e.g. routers, switches, firewalls, Network-based Intrusion Detection System devices) by Russian state-sponsored cyber-actors.

“This is the first time that, in attributing a cyber-attack to Russia, the United States and the United Kingdom have, at the same time, issued joint advice to industry about how to manage the risks from the attack,” National Cyber Security Centre CEO Ciaran Martin said in a statement. “It marks an important step in our fight back against state-sponsored aggression in cyber-space.”

By making the Framework easier to understand and implement, NIST hopes it will help to widen its influence, which is critical at a time when cyber-attacks are only proliferating in volume and complexity.