What’s new in the NIST Cybersecurity Framework (CSF) v1.1
On April 16, 2018, NIST published Framework for Improving Critical Infrastructure Cybersecurity Version 1.1
“Where do I start?”
It’s a common question for organizations that are trying to get their arms around the sprawling issues of cybersecurity and risk management. For most, this question eventually leads them to the NIST Cybersecurity Framework (CSF). Since it was published in 2014, it has been a frequent starting point. It’s not perfect, but it has provided a common language and structure for discussing and improving security. Thousands of organizations are now using the framework. And that’s a good thing.
It’s safe to say we’re fans of the NIST CSF here at Expel. We use it to help manage our own cyber risk and to help communicate our needs and plans to our customers and suppliers. We’ve created a “How to get started” guide and free NIST CSF self-scoring tool that lets you chart your “as is” and “to be” states using the framework in a couple of hours. If you’re looking to get started with the framework it should help quite a bit.
Now, after 4 years, many comments, questions, and suggestions, NIST has officially released version 1.1 of the Cybersecurity Framework. Not much has changed between draft 2 of v1.1, which was published for comment in December 2017 and the final release.
Version 1.1 is still compatible with version 1.0, so the changes to the framework aren’t earth shattering. They’re largely refinements based on feedback from the community. In case doing a “stare-and-compare” of the original and updated frameworks isn’t your idea of fun, I’ve highlighted three important changes below.
1. Assess yourself first … then measure
It has always been difficult for some organizations to use the framework because NIST didn’t provide clear guidance on exactly what to use it for. While the initial Framework talked about tiers of implementation, there wasn’t much discussion on how to actually grade yourself or other ways to measure how well you were doing from a cybersecurity perspective. It was brand new back in 2014 so that makes sense. The updated version fills in some of those gaps. Specifically, Section 4, which used to be called “Measuring and Demonstrating Cybersecurity” has been re-christened “Self-Assessing Cybersecurity Risk with the Framework.” While both names are equally dry (hey…what do you expect from a standards body), they cut to the core of how to operationalize the framework.
Self assessments are key to understanding your “as is” state and formulating a plan for improving your organization’s cybersecurity. In fact, they’ve been one of the framework’s big successes. By focusing Section 4 on self-assessment, NIST is making sure organizations that are new to the framework focus on one of the framework’s primary use cases.
2. Supply chain risk management (SCRM) — now with real guidance
It’s no secret that supply chain partners are often the soft underbelly for attackers looking for a way in. But answers for how to protect the supply chain are harder to come by. Past versions of the NIST framework highlighted SCRM as an important component of a cybersecurity program. But they didn’t really say anything else.
The new version of the framework adds a lot more detail and integrates SCRM with the rest of the framework. It feels a lot more complete. So, if you’re one of those people who’ve been beating the SCRM drum for three…or…five…or…ten years, you’ll find new ammunition to beat the drum even louder. There are several pages on managing risks in your supply chain through third party assessments, targeted security controls and holding suppliers accountable.
3. External participation – when and how you should get outsiders involved
The final notable change I want to call out relates to when and how you should get outside parties involved in your program.
As a quick refresher, NIST defines four tiers of maturity. It starts with Tier 1, which NIST charitably calls “Partial”. This includes organizations that only deal with cyber risk when they’re forced to. Fast forward to Tier 4 (aka “Adaptive”) organizations and you’re looking at risk management machines. NIST ranks each tier according to risk management processes, integrated risk management programs and…you guessed it…external participation.
But previous versions of the framework didn’t give the reader much to go on when it came to external participation. There was a sentence or two describing what was appropriate for that tier. But not enough to build into your program. The new definitions are much more complete. They include discussion on external communication, the broader community and guidance on how to interact with supply chain stakeholders.
Overall, version 1.1 of the NIST framework feels a lot more complete to me than version one. That’s not surprising given we’ve had three years to digest and use it. In addition to the practical experience, our understanding of cyber risk has continued to evolve.
If you’ve thought about using the NIST framework before but felt it was too daunting, now might be a time to take another look. If, on the other hand, you’re already using NIST I’d suggest taking a look at the three sections I’ve highlighted above to see if they can help focus your implementation by turning some of the more theoretical aspects of the NIST framework into tangible things you can go execute on.
Either way, I recommend checking out our blog post, “How to get started with the NIST Cybersecurity Framework (CSF).” It’s a (hopefully) easy-to-understand overview that we’ve written to help people put the NIST CSF into practice. We’ve also updated our NIST CSF self-scoring tool to reflect tweaks to the Supply Chain Risk Management and Identity Management and Access Control subcategories. If you used the previous version of our tool, there’s no need to re-do you work. The changes are all small modifications and don’t change the overall approach.