January 23, 2017
Last week, the National Institute of Standards and Technology (NIST) provided draft revisions to the NIST Cybersecurity Framework (CSF Version 1.1) for public comment.[1] While the NIST draft is subject to change, it is worthwhile to review to determine how the revised NIST CSF Version 1.1 may impact organizations.
NIST commented in its Jan. 12, 2017, press release that the revision will:
- Provide new details on managing cyber supply chain risk management (SCRM);
- Clarify key terms; and
- Introduce measurement methods for cybersecurity.
The framework continues to be voluntary guidance to organizations.
Key dates:
There are three key takeaways in the NIST draft, which we summarize below.
(1) NIST CSF Control Framework
The following table summarizes changes made to the NIST CSF control framework:
Added 8 Controls
- 5 controls for SCRM
- 3 controls for Protect
Approximately 5 controls clarified
(2) Cyber Supply Chain Risk Management
NIST has added a new category for SCRM practices. SCRM is now recognized as a critical consideration in the NIST Cybersecurity Framework, in recognition that many organizations are either outsourcing or considering outsourcing security services or key business processes to third parties or sharing sensitive information with them.
Protiviti has long recognized the importance of vendor assessments in managing cyber risks to an organization, as detailed in our latest joint study with Shared Assessments, 2016 Vendor Risk Management Benchmark Study: The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management.[2]
The SCRM focus is new to the NIST CSF. For additional information on SCRM, please refer to NIST publication NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.[3]
The federal Office of the Comptroller of the Currency (OCC) and other agencies have drafted regulations, titled Enhanced Cyber Risk Management Standards, that consistently reference SCRM concepts called external dependency management.[4]
In all, it is clear that the focus on third-party risk management is increasing.
(3) Section 4, “Measuring and Demonstrating Cybersecurity,” Is a New Section
This section contains suggestions on how to measure and demonstrate the effectiveness of cybersecurity. The framework recommends a close relationship between cybersecurity and business objectives. Metrics are separated into four categories: practices, process, management and technical.
NIST offers several examples of practical metrics or measures. Measurements should align to business objectives and should demonstrate a cause-and-effect relationship when possible. Different types of measures and metrics will be required to reflect the different components of the framework. Organizations should tailor the measures and metrics to their own level of maturity based on their implementation tier. Although that guidance is provided, the new Section 4 does not offer concrete examples of what, specifically, a cybersecurity metrics dashboard should contain.
Closing Thoughts
The revisions will help the NIST CSF more closely align with regulatory and industry hot topics such as identity and access management, SCRM vendor risk management, metrics, and cybersecurity threat intelligence. Protiviti has noted these missing areas during engagements such as cybersecurity assessments and cybersecurity strategy/program development. These areas were often discussion points for additional considerations beyond the NIST CSF assessment.
Our Cybersecurity Expertise
We have deep experience in cybersecurity metrics, vendor risk management and NIST CSF 1.0 assessments, along with overall cybersecurity program/strategy development, all of which align closely to the proposed updates to the NIST standard. We are in a unique position to help organizations develop their programs in alignment with the revised framework.