The NIST Cybersecurity Framework (CSF) was first published in 2014 and was intended to be a living document, shaped by feedback from stakeholders. It was originally written for critical infrastructure sectors such as healthcare and banking. It received an update in 2018 (version 1.1), largely adding supply chain risk management, and it is now evolving again. Here are my thoughts after browsing the proposed update, located here: https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-20/ipd.
On August 8, 2023, NIST announced some key updates to the CSF. The draft aims to address some of the biggest criticisms of the framework I have heard. These have included:
- The CSF is too large and rigid to be adopted outside of government and compliance-focused organizations, forcing an all-or-nothing approach.
- It does not address governance, risk appetite, and business requirements.
- It is difficult to read and understand.
NIST has also launched a CSF 2.0 reference tool (https://csrc.nist.gov/Projects/Cybersecurity-Framework/Filters#/csf/filters), an online resource to browse, search, and export the framework in a human-readable format.
My personal thoughts after reviewing the framework:
a. The focus on governance, enterprise goals, and risk appetite is a giant step in the right direction given NIST's goal of broadening the framework beyond critical infrastructure. Whether planned or a happy coincidence, it also addresses a gap within critical infrastructure itself. Many cybersecurity professionals do not understand risk management and have caused friction with management when management decides to accept a risk. The misunderstanding on the cyber professionals' end was that they should make this call instead of management, for fear that they will be blamed for the consequences. Risk acceptance is a management decision; the security function's job is to make sure that decision is informed and documented. This is best addressed by a risk management culture, which I address further in point 'c' below.
b. I browsed the reference tool, and while there is still a lot of data to digest and some technical jargon, there are clearer examples of how the controls may be implemented, which is helpful. The CSF export to Excel takes some trial and error to filter into an easily digestible format.
c. Framework profiles (https://www.nist.gov/cyberframework/examples-framework-profiles) have been established with the goal of tailoring the framework to specific industries. These do seem to help with selecting the controls that may matter most in those sectors, and they also highlight the need for risk assessments and a risk management strategy. This is helpful; however, to be fully successful the organization must have this tone and culture built in advance. That is not a slight on the framework, just something to keep in mind with any framework.
The new framework is scheduled to be published in early 2024. NIST is asking for feedback by November 4, 2023.
For community financial institutions (FIs), I am still wary of anyone making a full declaration of compliance with the CSF. FFIEC guidance largely follows NIST, tailored for FIs, and FFIEC is the basis for examinations, so the safest bet is to follow FFIEC as closely as possible. I personally have found NIST to give clearer examples of how to implement controls, so I will reference those when FFIEC is unclear.
I do applaud NIST for putting the spotlight on governance and risk management. While it was baked into the previous five Functions (Identify, Protect, Detect, Respond, Recover), it was not regarded as its own discipline; the draft elevates it to a sixth Function, Govern. This hopefully will open the pathway to success and more consistency across the board, and a better understanding between cybersecurity professionals and management.
If you have any questions on this framework or risk management, we would love to help. Contact us at support@bedelsecurity.com!