Last month the National Institute of Standards and Technology (NIST) released the first revision to its “Framework for Improving Critical Infrastructure Cybersecurity”, which was first issued in 2014. The new version, 1.1, provides flexible ways to address cybersecurity within an organization, taking into account several dimensions including physical, cyber and people.
The framework can be leveraged to articulate a high-level view of a company’s cyber risk strategy and to meet many privacy and regulatory needs, including the pending General Data Protection Regulation (GDPR), which is to go into effect later this month across the EU/UK. The framework is not a “one size fits all” approach; rather, it is tailored to a firm’s operating environment, digital footprint and key cyber risks. The framework helps firms determine which activities are critical to their product and service offerings, allowing them to prioritize and optimize the funds spent on controls, with an iterative approach to assessing and managing cybersecurity risk.
There are three key revisions to the framework. The first is a new category covering cyber supply chain risk management (SCRM): activities relating to external parties that identify, assess, agree on and mitigate the interactions that may affect the cyber resilience of a firm. This includes risk assessments for third parties and embedding in contracts the measures needed to meet the objectives of a firm’s cybersecurity program. Third parties should also submit to periodic audits to evidence that they are meeting their contractual obligations. Relevant parties in the supply chain should also be included in a firm’s testing of its response and recovery plans.
The second addition to the framework is the concept of self-assessments, covering how the framework can be used to help organizations understand and assess their cybersecurity risk. This approach stresses the linkage between risks, costs and benefits and is useful in defining the target operating model; the gaps between the current and target state inform the investment priorities. The assessments can be run internally or with the help of a third party and used to evidence, internally and externally, how well a firm is implementing its cyber controls, policies and procedures to identify, protect, detect, respond to and recover from a cyber event. The last key update to the framework is the broadening of the “Access Control” category to include identity management and authentication.
The framework was revised so that it extends the initial approach and does not require firms to start from scratch. A good place to start adapting to the revisions is by enhancing the current and target risk and maturity assessments to cover the additions, identifying any new gaps, relevant risks, costs and benefits, all of which should then be reviewed at the governance level to ensure overall enterprise resilience and, where needed, to reprioritize spend on mitigating controls. The companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1, covering the key areas of development, alignment and collaboration, is drafted and should be issued later this year.