Wednesday, May 17, 2017 By Chris Gonsalves, IANS Director of Technology Research
After several rounds of public comment, the long-awaited update to The National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity is nearing completion with proposed changes to most sections of the popular document that address supply-chain risk, access controls, information sharing, infosec metrics, and more.
“We wrote this update to refine and enhance the original document and to make it easier to use,” said Matt Barrett, NIST’s program manager for the Cybersecurity Framework. “This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”
NIST’s Framework for Improving Critical Infrastructure Cybersecurity (CSF for short) was released in February 2014 under Executive Order 13636; the Cybersecurity Enhancement Act of 2014 later codified NIST’s role in maintaining it. The three sections of the framework – the Core, the Profiles and the Implementation Tiers – give government agencies and private industry a common structure for describing current and target security posture and for prioritizing the controls that reduce information technology risk.
Key changes to the CSF in the latest draft, along with the IANS take from Dave Shackleford, IANS Faculty and principal at Voodoo Security, include:
- Added provisions for supply-chain risk management. This entirely new category within the Framework’s “Identify” function calls for “priorities, constraints, risk tolerances, and assumptions … to identify, assess and manage supply chain risks.” The category adds five new subcategories to the Core that cover establishing and managing supply-chain risk management processes and thoroughly vetting the suppliers and partners of critical information systems and services. The new section also covers contractual security obligations, performance audits, and joint business continuity and disaster recovery (BCDR) testing with suppliers.
Shackleford: “The supply chain is a nightmare. We’re bad at assessing our vendors (software, service providers, hardware, cloud providers, you name it). We need better standards and methods to approach reasonable controls questionnaires and assessment without going totally overboard. The new SCRM tier definitions are totally reasonable. This is one of the best additions in the new draft.”
- Expanded consideration of access controls. This category in the “Protect” function has been renamed from “Access Control” to “Identity Management, Authentication and Access Control.” The section clarifies and expands the definitions of “authentication” and “authorization,” and a new subcategory calls for identities that are “proofed and bound to credentials, and asserted in interactions when appropriate.”
Shackleford: “NIST could have done even more in this section. There is a huge, renewed focus on identity management and they really only scratched the surface by fleshing out the terms and concepts. This is a good start, but they don’t address identity providers, the nature of identity as a true isolation and policy boundary, etc. The best part is PR.AC-6 where they associate identities and credentials and align with ‘interactions,' but this will need more detail over time.”
- New guidance on demonstrating security value and effectiveness. A new CSF section deals with measuring cybersecurity in ways that can be used to demonstrate an organization’s cybersecurity posture to stakeholders through metrics and measures. NIST encourages correlating cybersecurity efforts with business outcomes so that organizations can see how changes to granular security controls affect the completion of business objectives. “In the update we introduce the notion of cybersecurity measurement to get the conversation started,” NIST’s Barrett said. “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.”
Shackleford: “This is a very nebulous topic, and always has been. However, everyone is more engaged than they were when the Framework originated and executive teams want more insight into what’s happening. Similarly, operations teams need better metrics and this has been a traditionally weak area overall. The big question is: What are the right metrics? NIST can’t really determine that, of course. Nor do I think they’ll try.”
- Updated guidelines for information sharing. The updated draft also adds new language to existing subcategories in the “Identify” and “Respond” functions to further encourage the incorporation of information sharing into cyber risk management. NIST also encourages organizations to adopt privacy-aware policies when sharing information with external partners.
Shackleford: “It needs to be firmed up some, but the idea is right: we need more sharing. Whether that is through threat intelligence or other means, the government is right to be encouraging research and projects that can facilitate this.”
“Overall they’re moving in the right direction and they seem to be listening to the community,” IANS’ Shackleford said of the latest draft. “NIST is doing a great job balancing overall requests for changes with the obvious realization that many organizations are using this framework currently, and some are aligned with required compliance and regulatory controls, meaning they can’t just overhaul it all at once.
“However, they really need to add elements related to new technologies,” Shackleford said. The CSF doesn’t really even begin to address cloud, converged and software-defined environments, and how identity is changing to a core service model and isolation/segmentation method.
“At the very least, they should provide some basic recommendations for those moving in this direction,” Shackleford added. “Even core fundamentals are hard to quantify for the cloud today, and NIST could help move this effort along.”
Long Time Coming
The proposed changes to the NIST CSF are the product of a deliberate, if lengthy, process.
In an industry known for rapid shifts and frequent disruption, NIST took a slower path: officials first issued a 60-day request for comments on the original CSF in December 2015. The current draft version 1.1 was then built from the answers and commentary received from 105 organizations on 25 questions in four categories: use of the framework, possible updates, information sharing, and public-sector involvement in future framework governance.
“We received comments from a diverse group that included local, state, national and international governments, a cross section of the critical-infrastructure community, and a number of other types of organizations,” said Barrett. “The responses actually represent thousands of organizations because a large number of industry organizations submitted comments on behalf of all of their member companies.
“These comments provide strong input for the framework’s future and revealed that the number of organizations using the framework is growing,” he added.
In addition to the 60-day comment period, NIST, an agency within the U.S. Commerce Department, also held a workshop last spring at its Gaithersburg, Md. headquarters to discuss the feedback and field additional suggestions for improving the framework, officials said. The final comment period on the new v1.1 draft ended in April. A second workshop on the draft will be held in Gaithersburg later this month. No firm date has been set for release of the final update to the Framework, but officials speculated it could go live this fall.
According to Richard Cavanagh, acting associate director for laboratory programs at NIST, the organization remains committed to maintaining an inclusive approach, “informed by the views of a wide array of individuals, organizations, and sectors.
“This [feedback] is needed to carry out NIST's statutory responsibilities with the ultimate goal of assisting organizations as they seek to improve their cybersecurity risk-management practices,” Cavanagh said.
Public Sector Roots
The framework has proven popular among federal agencies, according to research by Dell Technologies. The Round Rock, Texas OEM’s poll of federal IT professionals last year found that 82 percent of government organizations are currently using the framework to improve security.
Additionally, 74 percent of framework users say the NIST document is serving as a foundation for their own cybersecurity roadmap, the Dell survey found. Sixty-eight percent say they look to the framework to improve organizational security and 39 percent use the framework to create a uniform approach to discussing security throughout their agency.
"As security threats continue to increase in sophistication and frequency, holistic, end-to-end security is crucial,” said Paul Christman, vice president of the federal solutions unit at Dell. “The NIST Cybersecurity Framework empowers agencies to identify, detect, protect, respond and recover from cyber threats, and it can serve as an excellent resource for government.
“Regardless of mission, industry, data type, or threat factor, organizations can use the NIST framework to strengthen their security posture, develop and enhance cybersecurity roadmaps, improve organizational security and create a uniform security language,” Christman added.