SecureWorld News

Security Experts Assess 2.0 Draft of NIST Cybersecurity Framework

Written by Cam Sivesind | Wed | Aug 23, 2023 | 7:37 PM Z

On August 8, 2023, the U.S. National Institute of Standards and Technology (NIST) released the Initial Public Draft of its Cybersecurity Framework (CSF) version 2.0.

For a solid rundown of what the updates mean, check out this SecureWorld article from Kip Boyle, vCISO, Cyber Risk Opportunities LLC. Boyle is teaching PLUS Courses on the NIST CSF at all six in-person regional SecureWorld conferences this fall, including Denver on Sept. 19, Detroit on Sept. 28, St. Louis on Oct. 19, Dallas on Oct. 26, Seattle on Nov. 8-9, and New York City on Nov. 15.

According to NIST, feedback on the CSF 2.0 Public Draft, as well as the related Implementation Examples draft, may be submitted to cyberframework@nist.gov by Friday, November 4, 2023.

We reached out to several SecureWorld friendlies, who are industry thought leaders, practitioners, and vendor representatives, for comment.

Michael Gregg, CISO, State of North Dakota:

"One of the things that most excites me about the new framework is the addition of the 'govern' function. While it has implicitly been there in earlier iterations, version 2 breaks it out into its own area. I am also glad to see the CSF increase its scope to better support all sectors of our economy."

Gregg is keynoting at SecureWorld Denver on Sept. 19 and at SecureWorld Dallas on Oct. 26 on "Lessons from a CISO: Increasing Your Cybersecurity Footprint Despite Worn Soles."

Stacy O'Mara, Sr. Leader, Government Strategy, Policy, & Partnerships, Mandiant, now part of Google Cloud:

"Mandiant is pleased to see the draft version of NIST's CSF 2.0, particularly the greater emphasis on governance and cybersecurity risk management and the implementation examples provided at the subcategory level.

The addition of the 'Govern' function covers organizational context and conceptually will help organizations think through their overall cybersecurity risk posture as part of their general enterprise risk assessments. This top-down approach will help entities think through roles and responsibilities, policies and processes, and oversight for identifying and managing cyber threats and mitigating and responding to incidents—all of which should be occurring throughout an entire organization, not just within the office of the CIO or CISO. Understanding your risk posture and having a playbook ready to deploy once a breach occurs is crucial to reducing the impact of an incident, getting your operations back online, etc.

The addition of the 'implementation examples' is an extremely useful tool for organizations to actually implement the security controls they choose. This is a great acknowledgement by NIST and the cybersecurity community that one, there are variances in maturity across sectors, organizations, businesses, etc. for how to implement controls; and two, that having controls in place is useless if they're not accompanied by action plans. These notional examples of action-oriented processes to meet the objectives of the subcategories provide greater context for IT and cybersecurity professionals who actually are responsible for implementing the controls. The same can be said of NIST's decision to revise the Framework Profiles and notional templates, making it easier for users to choose their own Profiles based on individual risk assessments and to develop action plans.

It's great to see the amount of effort NIST has put into soliciting and incorporating feedback from industry and the cybersecurity community writ large for a framework that has served as the foundation for cybersecurity practices in the U.S. and all over the world. We look forward to providing additional feedback to NIST this fall, alongside our Google colleagues, on important pieces of the Framework such as building incident planning, response, and recovery policies and protocols; conducting risk assessments, vulnerability management, and incorporation of threat intelligence; and security testing/exercises and crisis contingency planning."

Nader Zaveri, Sr. Remediation and Incident Response Manager at Mandiant, will speak on "Special Delivery! Defending and Investigating Advanced Intrusions on Secure Email Gateways" at SecureWorld Dallas on Oct. 26; and Tim Gallo, Americas Mandiant Principal Architect, is joining a panel on "Navigating the Cybersecurity Symphony in the Age of AI" at SecureWorld Seattle on Nov. 8 (day 1 of the two-day conference).

Gina Yacone, VP, ISSA Denver Chapter; Information Security Lead, TRACE3 Mountain State Region:

Related to paragraph 13 on guidance: "Users of the NIST CSF have long sought clarity on its implementation, underscoring the significance of conferences like SecureWorld. With the release of the NIST CSF 2.0 Public Draft, SecureWorld's courses, led by Kip Boyle, offer practitioners an unparalleled opportunity to understand and harness the framework effectively. Such guidance is invaluable to learn with your peers, and I often wish it had been available during my initial journey into cybersecurity."

Related to paragraph 9: "I applauded the community that drove and shaped the latest NIST CSF 2.0. However, given the rapid evolution of cybersecurity, I urge NIST and similar frameworks to adopt more frequent feedback mechanisms. These prescriptive frameworks require practitioners to review their policies annually, but the frameworks we are guided by do not undergo regular updates and many times are outdated by technology advancements."

Yacone is speaking on "API Security: A CISO Perspective" at SecureWorld Denver on Sept. 19.

Helmut Semmelmayer, VP, Revenue Operations, tenfold Software:

"Although it was first created with critical infrastructure in mind, the Cybersecurity Framework's greatest success is its widespread adoption as a voluntary standard used across different industries. For many organizations, the CSF serves as an approachable entry point for planning, testing and improving cybersecurity outcomes. To this end, we welcome the steps taken in CSF 2.0 to provide greater clarity and additional implementation guidance.

The CSF is not a one-size-fits-all solution and still expects organizations to tailor recommended controls to their own needs and circumstances. However, offering clear and specific guidance enables organizations to more easily choose appropriate safety measures. The implementation examples and reference tool added by CSF 2.0 are a significant improvement to the framework's usability, which could be further expanded through recommended baselines or testable criteria for assessing effective implementation."

Additional resources from tenfold:
• Guide to the original Cybersecurity Framework
• Side-by-side comparison of the NIST standards 800-53 and 171

Semmelmayer is presenting "Behind the Scenes of Teams and OneDrive: The Secret Life of Shared Files" at SecureWorld Denver on Sept. 19.

Josh Lemon, Director of Managed Detection and Response, Uptycs:

"Organizations have always experienced challenges for managing risk and meeting compliance regulations, as their traditional security solutions and approaches are often ineffective, particularly for complex cloud environments. I hear firsthand from security practitioners every day that meeting and maintaining compliance requirements are the two most commonly cited challenges for organizations with cloud-native applications. The new NIST framework takes those challenges into account, but as always, it comes down to the humans to adhere to these guiding principles.

The new NIST framework does a better job of trying to provide some better standards that are suitable to organizations of all sizes, rather than just large enterprises. It will also be good to see the application examples that are yet to be published with the updated version."

Uptycs offers up its latest threat research.

Uptycs is part of two sessions at SecureWorld Denver on Sept. 19 with Julian Wayte, Sales Engineering Manager, joining a panel on cloud security, then following up with a session on "How (And Why) to Create Your Cloud Security Early Warning System."

John Bambenek, Principal Threat Hunter, Netenrich:

"One of the perennial problems in cybersecurity is how to quantitatively talk about security to leadership and the board. Expanding these frameworks to all organizations and not just critical infrastructure opens the door to being able to do so in a consistent way across the economy and hopefully will lead to more buy-in of using security to reduce business risk."

Timothy Morris, Chief Security Advisor, Tanium:

"It is good to see these updates and the expansion of the framework beyond critical infrastructures (banks, energy, healthcare, etc.) to all business and industry types regardless of size. Frameworks, standards, and guidelines lay the foundations of a common language and methodologies that help cross-functional organizations work together. It is also beneficial for communication between technical and non-technical teams.

The addition of the Govern section is something that was already going on in larger organizations. Think GRC: Governance, Risk, & Compliance. Since that is such a large umbrella and an essential part of any cybersecurity program, I'm glad to see it called out specifically in the framework."

Joseph Carson, Chief Security Scientist and Advisory CISO, Delinea:

"The latest update to the Cybersecurity Framework from NIST is an excellent refresh of one of the best cybersecurity risk frameworks. It's great to see the framework moving on from simply a focus of critical infrastructure organizations and adapting to cybersecurity threats by providing guidance to all sectors. This includes the new 'Govern' pillar acknowledging the changes in the way organizations now respond to threats to support their overall cybersecurity strategy."

Bud Broomhead, CEO at Viakoo:

"The addition of a sixth function for 'GOVERN' is a clear message to organizations that to be successful there also must be actively managed policies and processes underpinning the other functional areas. For example, governance should include ensuring that all systems are visible and operational, and that there are enterprise-level security processes and policies in place.

Expanding the scope of the NIST framework to all forms of organizations (not just critical infrastructure) is an acknowledgment of how every organization faces cyber threats and needs to have a plan in place for managing cyber hygiene and incident response. This is already the case with cyber insurance, and NIST's recent update will help organizations not just reduce their threat landscape but also be better positioned for compliance, audit, and insurance requirements on cybersecurity.

NIST's update should also push more organizations to work with managed service providers on their cyber hygiene and cybersecurity governance; as NIST expands its scope to include smaller organizations, many of them will find that a managed service provider is the best way to make their organization compliant with the NIST Cybersecurity Framework v2.0."

We will add additional comments here as we receive them.