NIST provides initial summary analysis of RFI responses, as it progresses towards CSF 2.0 draft framework


The National Institute of Standards and Technology (NIST) released an initial summary analysis of responses to its Request for Information (RFI) on evaluating and improving the NIST Cybersecurity Framework (CSF), use of the framework in conjunction with other resources, and improving supply chain cybersecurity risk management. The agency is planning a significant update to the Framework, often referred to as CSF 2.0, based on stakeholder feedback, to reflect the evolving cybersecurity landscape and to help organizations more easily and effectively manage cybersecurity risk. 

The RFI call was made by the U.S. Department of Commerce in February this year. The agency received over 130 RFI responses, including comments submitted jointly by multiple organizations or associations representing numerous organizations. Advancement towards the CSF 2.0 framework has involved public-private partnership that focuses on identifying tools and guidance for technology developers and providers, as well as performance-oriented guidance for those acquiring such technology. The CSF 2.0 framework will follow the agency’s last update in April 2018.

“Adjudication of the comments will continue over the next several months, but in the near term, NIST has released a summary analysis document that will guide our work,” Cherilyn Pascoe, senior technology policy advisor at the NIST, wrote in a blog post on Friday. 

Based on a review of the responses, NIST identified commonalities and key areas of agreement and differences, according to the NIST update. “These are identified as seven themes and 25 subthemes. Of these, six themes and 20 subthemes apply to the Cybersecurity Framework. One additional theme and five subthemes apply to NIICS, recognizing that there may be some overlap with the Framework,” it added. 

NIST analyzed each RFI response to assess respondent information, including sector, size, and organization type; identify specific recommendations for the framework update, including which sections of the framework or other topics are addressed by the response; and pick out key points, commonalities, and recurring concepts among the responses, which are reflected in the themes.

Pascoe said that during the comment reviews, it was a pleasure to read about how organizations are using the NIST Cybersecurity Framework. “The majority of the commenters agreed that the Framework is currently effective as a tool for understanding and managing cybersecurity risks. In addition, it has allowed organizations to improve communication between IT and non-IT audiences, including senior management. Because of this important feedback, we will be cognizant of the need to avoid changes that would limit its widespread use. Therefore, we do not envision significant changes to the CSF structure – the Tiers, the Core, and the Profiles – but you can expect to see modifications throughout the Framework,” she added.

There was considerable feedback recommending alterations or additions to the Framework Core to address governance, supply chain security, secure software, and emerging technologies, Pascoe said. “The RFI specifically asked about whether and how to incorporate supply chain cybersecurity or third-party risk into the CSF, which will be a significant focus for NIST as we proceed with this update. In addition, we expect continued lively discussion on the Tiers and whether they should be used to assess the maturity of an organization’s cybersecurity posture or risk management processes,” she added.

Another reason why NIST is looking toward a CSF 2.0 is “because of the way we will approach the application of the Framework. We will seek to develop new interactive and machine-readable formats for this resource,” according to Pascoe. 

Also, to keep the CSF simple and flexible, NIST will improve awareness of how the National Online Informative References (OLIR) Program can be used to map the CSF to other NIST and non-NIST cybersecurity frameworks and guidance, Pascoe said. Additionally, NIST intends to develop implementation guidance for the Framework to provide organizations with more guidance on how to use the CSF, particularly for organizations that are just starting to develop their cybersecurity programs, she added.

The first theme focused on maintaining and building on the key attributes of the CSF with the update. Some of the desired attributes of the CSF, including its flexible, simple, easy-to-use, and voluntary nature, have been beneficial for implementation by organizations of varying sizes and sectors. In addition, the framework has been effective in enhancing communication within and across organizations.

The subthemes included that the CSF is widely used and effective in helping organizations understand and manage cybersecurity risks, and that its flexible and voluntary nature has been beneficial for implementation by organizations of varying sizes and capabilities. Other subthemes called for ensuring that the CSF remains simple and easy to use, keeping the CSF effective in enhancing communication with non-IT and security stakeholders, including the C-suite, and maintaining backward compatibility.

The second theme of the CSF 2.0 draft framework highlighted the need to retain and improve the alignment of the CSF along with other NIST and non-NIST resources and models. Commenters also shared feedback about the role that governance of cybersecurity risk management can play in the CSF, especially as the CSF has historically been valued as a process that supports the coordination of cybersecurity activities throughout the enterprise. However, feedback varied on how to address governance in the CSF. 

Here the subthemes covered aligning the CSF with recent NIST efforts reflected in a variety of resources, making it easier to understand how the CSF can be used with other cybersecurity guidance, and providing more mappings through the NIST National OLIR Program and Informative References. They also addressed the important role of governance in cybersecurity risk management, although commenters proposed several different approaches for doing so. Further subthemes were improving alignment between the CSF and NIST privacy resources, engaging with other federal agencies to ensure effective use of the CSF for policy, legal, and regulatory purposes, and increasing international collaboration and engagement, including alignment with the ISO 27000 series.

The next theme offered more guidance for implementing the CSF, which has been designed to be technology- and vendor-neutral, and to apply across sectors. As such, the level of detail and specificity in the CSF reflects the scalability and flexibility necessary to meet the needs of various stakeholders – small and large organizations in various sectors.  

The subthemes offered more guidance on CSF implementation and provided specific guidance on developing CSF profiles. 

The fourth theme said that NIST must ensure that the CSF remains technology-neutral while allowing it to be readily applied to different technology issues, including new advances and practices.

The subthemes called for ensuring that the CSF remains technology-neutral while providing guidance on how it is used to address cybersecurity risks in IT, OT, and IoT. They also considered the importance of software security, either as part of the CSF or in conjunction with the CSF, and ensuring that the CSF remains technology-neutral yet can be applied to specific and emerging topics such as cloud, hybrid work, and zero trust.

The fifth theme emphasizes the importance of measurement, metrics, and evaluation in using the CSF. Numerous stakeholders indicated a need for additional CSF guidance and resources to support cybersecurity metrics and measurement. Many described an opportunity to improve the measurement of cybersecurity risk management in the CSF update. Some comments called for more specific guidance regarding how to measure the achievement of CSF outcomes.

Its subthemes highlighted how the CSF is used as an assessment tool, including the need for additional guidance on assessment of the organization itself, its suppliers, and products and services. They also called for providing a means to measure CSF implementation, expanding (or, in contrast, removing) the Tiers, and including (or not including) guidance on maturity models.

The next theme of the CSF 2.0 draft framework focused on considering cybersecurity risks in supply chains in the CSF. Responses broadly supported increased references to supply chain risk management in the updated CSF. Many commenters considered whether a new supply chain-specific framework is needed and recommended expanding and improving the CSF to address that need rather than creating another model. The single subtheme focused on addressing supply chain risks, either in the CSF or separately.

The seventh and last theme covered the use of the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to align practices and provide effective practices, guidance, and tools to bolster cybersecurity supply chain risk management. Comments also provided input on cybersecurity challenges in supply chains to help NIST scope NIICS. This effort will emphasize tools, technologies, and guidance focused on the developers and providers of technology. At the same time, there is a need among those acquiring products and services for cohesive, practical, performance-oriented guidance to address the broader cybersecurity risks to the security and resilience of all supply chains. 

The commenters broadly recognized the importance of cybersecurity supply chain risk management (C-SCRM), especially in light of recent security incidents. Many organizations, particularly small enterprises, recognize the importance of C-SCRM but are resource-constrained, so having a single clearinghouse for guidance, templates, tools, and information sharing would be of great benefit.

Its subthemes included aligning cybersecurity supply chain risk management practices, including federal activities and resources; offering more guidance on component inventories, such as software bills of materials and hardware bills of materials; engaging in open-source software security issues; and offering more guidance on supplier relationship management and contracts. There are also opportunities for NIICS to research, analyze, and develop tools and techniques for better managing cybersecurity risks in supply chains.

NIST intends to continue to rely on and seek stakeholder feedback throughout the process. This will include public webinars and workshops, as well as seeking feedback on at least one CSF 2.0 draft.

In April, NIST rolled out an initial public draft that guides how to improve the security of operational technology (OT) systems while addressing their performance, reliability, and safety requirements. The NIST SP 800-82 document provides an overview of OT and typical system topologies, identifies typical threats to organizational mission and business functions supported by OT, describes typical vulnerabilities in OT, and provides recommended security safeguards and countermeasures to manage associated risks.

The agency also released a draft document that applies the NIST Cybersecurity Framework to the ground segment of space operations with an emphasis on assuring satellite command and control.
