How the Cybersecurity Framework update impacts your agency
- By Joseph Giusti
The National Institute for Science and Technology’s 2014 Framework for Improving Critical Infrastructure Cybersecurity v. 1.0 -- otherwise known as the Cybersecurity Framework -- is foundational guidance that has become a cornerstone of the cybersecurity industry. Although specifically focused on improving critical national infrastructure cybersecurity, its widespread adoption by other agencies, organizations and businesses enabled the CSF to make a greater positive impact than expected. While the framework was designed to be voluntary, President Donald Trump’s Executive Order 13800 in May 2017 directed all federal agencies to use it.
On April 16, 2018, NIST published a CSF update that impacts all cybersecurity capabilities, not just critical infrastructure. The CSF 1.1 is a living document; it will cause tertiary effects that impact federal, commercial and private cybersecurity organizations. Not only will the accreditation standards mandated by the Federal Information Security Modernization Act (FISMA) of 2002 and the Federal Risk and Authorization Management Program (FedRAMP) of 2012 change, but organizations will be required to follow more robust standards to demonstrate compliance.
This article will address significant changes to the CSF, underscore their effects and explain how agencies can adapt to the changes by conducting a self-assessment of risk, introducing new access control sub-categories, instituting a vulnerability disclosure lifecycle and identifying cyber supply chain risks.
Conducting a self-assessment
The updated framework requires organizations to conduct a self-assessment of their cybersecurity risk, measuring and assigning risk and identifying the costs and benefits of reducing risk to acceptable levels. The more accurately an agency can measure its cybersecurity risks, costs and benefits, the more rational, effective and valuable its cybersecurity approach and investments will be (CSF 1.1, 2018, p. 20). Organizations can either conduct an internal self-assessment or hire a third-party assessment organization to assist them.
Like threat vectors, cybersecurity performance measures continuously evolve. Federal and commercial organizations should develop ways to apply quantifiable measurements that are periodically revisited and recorded, to not only enhance but, more importantly, to improve their risk management (CSF 1.1, 2018, p. 20).
Organizations also should strategically refine their risk management process by identifying security controls impacted by CSF 1.1, employing an advisory service before FISMA or FedRAMP assessments and implementing fundamental security changes before annual RM activities. Additionally, organizations must actively mitigate enterprise concerns through over communication.
Authentication, authorization and identify proofing
By adding sections PR.AC-6 and PR.AC-7, NIST finally addressed significant vulnerabilities that had previously been dealt with by applying business best practices rather than by meeting requirements. Specifically, PR.AC6 requires that identities (user accounts) are bound and asserted in interactions, meaning that network interactions and activities now focus on non-repudiation. Additionally, PR.AC-7 requires that users, devices and other authenticated components fulfill authentication requirements commensurate with transaction and system risk, specifically alluding to multi-factor authentication.
Section RS.AN-5 requires organizations to address how they handle vulnerability disclosure -- a growing concern in the federal cybersecurity space. Although some organizations have already implemented bug bounty-style programs, such as the Department of Defense’s “Hack the Pentagon” initiatives, they are in the minority. Critics of NIST label this guidance as vague, saying it leads to improper application of the vulnerability disclosure lifecycle and also causes problems with analysis, remediation of findings and legal issues for security researchers.
Creating a constructive vulnerability disclosure lifecycle is critical. The best approach is to generate a standard disclosure framework with buy-in from security researchers who validate that internal and external vulnerabilities have been effectively analyzed. A less efficient option is using vulnerability escrows or crowdsourcing companies that pay researchers for client vulnerability disclosures and provide legal and security protections for their clients.
Identifying cyber supply chain risks
It is easy to overlook the growing attack surface, stemming from the myriad of computers, smart devices and software running in enterprises, businesses and agencies. Software and hardware have elaborate parts and use libraries of components for their development, lifecycle and implementation. Cyber supply chain risk management is an area of focus that only recently has come to light in many organizations; however, as threat vectors continue to change, the importance of SCRM will increase. Hidden backdoors, counterfeit equipment and unknown vulnerabilities are valid concerns in the cyber supply chain, all of which require proper risk analysis to mitigate. CSF 1.1 takes an excellent step by not only identifying supply chain risks but, more importantly, by highlighting organizational concerns and actions required to effectively reach cyber supply chain risk decisions.
Due to the ubiquitous nature of the internet and the evolution of computer crime, security practitioners must refine cybersecurity best practices and conduct ongoing risk management. More importantly, they must adopt and adapt to updates to the CSF to protect our critical national infrastructure and our shared, international cyber interests.