3 New NIST CF Changes Improve Enterprise Cybersecurity Risk Management
In January 2017, NIST (the National Institute of Standards and Technology) released Draft Version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity, better known as the Cybersecurity Framework (CSF). While the framework is voluntary, it has been widely adopted across many industry verticals as a basis for evaluating cybersecurity maturity and identifying areas for improvement.
The first version of the framework was published in February 2014 as a result of President Obama's Executive Order 13636 (EO), "Improving Critical Infrastructure Cybersecurity." During its development, NIST collaborated with thought leaders in both the private and public sectors to produce a comprehensive, industry-agnostic best-practice framework. It has been received quite positively, and its adoption rate is high.
Here is a brief overview of 3 new NIST changes in Draft Version 1.1 that will improve enterprise cybersecurity risk management:
1. Performance/Maturity Measurement
Measurement has traditionally been a "taboo" topic in cybersecurity, and it is desperately needed. Draft 1.1 adds a new section on measuring cybersecurity: NIST intends not only to define a maturity and performance scale for assessing how your program is evolving, but also to establish a basis for comparing investments in cybersecurity against business objectives and their associated outcomes.
CIOs and CISOs would then have a defined scale for measuring and forecasting the return on cybersecurity investments. This may also carry over to the insurance market, since there is still no gold standard for the actuarial analysis behind cyber insurance premium calculation. Filling out a ten-question questionnaire is by no means an acceptable form of due diligence or a real assessment of potential risk.
2. Supply Chain Risk Management
This is often overlooked, but end-to-end, continuous monitoring of your ENTIRE security boundary is critical. The security standards you establish for your own enterprise should extend to the vendors and third parties you rely on to run your business: core business process providers, software products, data storage providers, and so on.
Vendor risk management is therefore a critical component of a complete cybersecurity program. A vendor's unwillingness to furnish information about its security program, or difficulty in producing supporting collateral, should raise red flags, as that vendor may be introducing additional operational risk into your environment.
3. Change to Access Control
NIST renamed the Access Control category to Identity Management and Access Control to underscore the management of individual identities and their associated credentials throughout the lifecycle, from creation to deactivation. Further, Version 1.1 emphasizes the principle of least privilege: users are given only the permissions required to do their jobs, and no more.
Overall, the first revision of the NIST CSF is a step in the right direction. Thus far the framework has provided a solid basis for a preliminary evaluation of where a security program stands. With the proposed changes, we expect even greater adoption of the framework. Crosswalks to other industry-specific mandates are also expected, as many security professionals grapple with measuring their current state against their desired future state.
Estimates project that by 2020, 50% of U.S. companies will be using the Cybersecurity Framework. If you’d like to learn more about how to add new categories to your cybersecurity risk management practice, contact us today.