NIST Seeks Comments on Cybersecurity Framework Draft

Andrew Retrum, Managing Director Security and Privacy
Randy Armknecht, Managing Director Emerging Technology Solutions

Last month, the National Institute of Standards and Technology (NIST) published a draft of Version 1.1 of the NIST Cybersecurity Framework (CSF) for public comment. The draft, though still subject to change, adds detail on NIST's recommendations for cyber supply chain risk management (SCRM), clarifies key terms, and introduces guidance on measuring cybersecurity. Although the framework is voluntary, the Financial Industry Regulatory Authority (FINRA) and other regulators expect organizations under their jurisdiction to adopt and declare a framework, and the NIST CSF is one of the most commonly chosen.

Here are some of the highlights from the NIST draft:

  • The NIST CSF currently has five Functions and 22 Categories. The draft adds a 23rd Category, Supply Chain Risk Management (SCRM), under the Identify Function, together with eight new Subcategories (five under SCRM and three under the Protect Function). Five existing Subcategories have also been clarified.
  • SCRM is now a critical consideration in the NIST CSF, reflecting the fact that many organizations outsource key business processes to, or share sensitive data with, third parties. The federal Office of the Comptroller of the Currency and other banking agencies have proposed Enhanced Cyber Risk Management Standards that address the same concern under the heading of "external dependency management."
  • A new Section 4, "Measuring and Demonstrating Cybersecurity," has been added. It offers suggestions on how to measure and demonstrate the effectiveness of a cybersecurity program and recommends a close link between cybersecurity measures and business objectives. Metrics are grouped into four categories: practices, process, management and technical. Measurements should align with business objectives and should demonstrate a cause-and-effect relationship between cybersecurity activity and business outcomes, and NIST recommends that organizations tailor measures and metrics to their own level of maturity. The new section does not, however, offer concrete examples of which cybersecurity metrics belong on a control dashboard.

We think these revisions will bring the NIST CSF into closer alignment with regulatory and industry priorities such as identity and access management, SCRM and vendor risk management, metrics, and cybersecurity threat intelligence. Because these are the same areas that most often surface as concerns during Protiviti field engagements, we consider the changes necessary and appropriate.
