The U.S. government's standards-setting body released a draft cybersecurity framework last week — the second iteration of the influential document first published in 2014. The new version provides guidance to companies about how to discuss and consider cybersecurity risks, particularly at the senior executive level, to keep up with novel threats.
The framework's scope has expanded to explicitly cover cybersecurity for all organizations, not just those in critical infrastructure sectors such as banking. For organizations such as banks that voluntarily reference the framework in their cybersecurity practices already, many elements remain unchanged, and the framework mainly provides additional guidance for following established standards.
NIST has also added a sixth, cross-cutting imperative to the five core pillars it had in version 1.0 of the framework. Joining the five main pillars — recover, identify, respond, protect, and detect — is a new "govern" pillar.
Many banks have already started to integrate cybersecurity into key governance functions, such as risk management. In part this has been driven by the New York Department of Financial Services'
The NIST framework's new "govern" pillar calls on companies to "establish and monitor the cybersecurity risk management strategy, expectations, and policy," including by integrating cybersecurity risk into organizations' broader enterprise risk management.
While the framework does not prescribe to whom chief information security officers should report or whether chief risk officers should oversee cybersecurity, the new governance imperative "emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership," according to
The framework also calls for "the senior executive level" of organizations to discuss "how cybersecurity-related uncertainties might affect achieving the enterprise's mission and objectives." It also includes some more specific guidance checkboxes for corporations to ensure they check, such as integrating cybersecurity into human resources practices and standardizing methods for calculating cybersecurity risks.
Accompanying the new draft standard is
The new draft also includes guidance on how to adapt the framework to specific scenarios, also called profiles, to help corporations adapt the framework to specific cybersecurity threats. NIST maintains
An AI framework released by the National Institute of Standards and Technology this week is the government's advice on coping with pitfalls and making the software trustworthy.
The new draft of the framework and the
"Many commenters said that we should maintain and build on the key attributes of the CSF, including its flexible and voluntary nature," said NIST's Cherilyn Pascoe, the framework's lead developer. "At the same time, a lot of them requested more guidance on implementing the CSF and making sure it could address emerging cybersecurity issues, such as supply chain risks and the widespread threat of ransomware. Because these issues affect lots of organizations, including small businesses, we realized we had to up our game."
The framework constitutes a "forward-looking initiative" that recognizes the universal relevance of cybersecurity, according to Eduardo Azanza, CEO of digital identity company Veridas.
"NIST's addition of the 'govern' pillar to the cybersecurity framework reinforces the idea that cybersecurity should not just be a reactive procedure for organizations, but rather needs to be aligned with overarching business decisions on a daily basis," Azanza said.
The draft framework comes five years after NIST released version 1.1 of the framework and nine years after version 1.0. Previous changes NIST has made to the cybersecurity framework have highlighted important industry trends and often demonstrated foresight.
For example, a primary change NIST made between the 2014 and 2019 versions of its cybersecurity framework was the expansion of the section on supply chain risk management, specifically the subsection focused on organizations' relationships with technology suppliers and their communication with suppliers about their cybersecurity postures.
"A primary objective of cyber [supply chain risk management] is to identify, assess, and mitigate 'products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain,'" read the 1.1 standard, which quoted
Cyberattacks against IT supply chains predated NIST's 2014 and 2018 recommendations on the matter. Notable examples
Since then, supply chain attacks have gained more attention from cybersecurity professionals and affected more organizations. The number of compromised entities with access to multiple organizations' data rose from 119 in 2017 to 1743 in 2022, according to
NIST will accept public comment on the draft framework until Nov. 4. The institute will also host a workshop in the fall to provide an opportunity for feedback and comments. Details are yet to be announced. The framework's developers will not release another draft of the framework before the final version comes out, which NIST expects in early 2024.
