Organizations are facing a “triple threat” when it comes to cybersecurity. Growing numbers of vulnerabilities and increasingly sophisticated attacks have made cybersecurity breaches virtually inevitable. However, many organizations lack the skilled personnel needed to combat these attacks, and open positions for security specialists tend to go unfilled due to the limited number of professionals in the marketplace. As a result, organizations can be forced to struggle along with the resources they have, approaching security in a piecemeal manner.
Organizations need a practical strategy for mitigating risks and responding to security incidents. An effective starting point for developing such a strategy is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which is being updated to reflect current needs and trends.
Directed by presidential executive order (EO) and developed through a collaborative process involving government, industry, and academia, the NIST “Framework for Improving Critical Infrastructure Cybersecurity” was published in February 2014. Though adoption of the Cybersecurity Framework is voluntary, Gartner has estimated that 30 percent of U.S. organizations were using it as of 2015, with usage expected to reach 50 percent by 2020.
The goal of the framework is to provide a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to managing cybersecurity risk in the nation’s critical infrastructure. The EO defined critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
The framework provides a comprehensive yet flexible set of principles and practices to help organizations assess their current cybersecurity posture and identify, plan, and implement improvements. Establishing the right organizational culture is a core tenet of the Cybersecurity Framework. It recognizes that cybersecurity requires a holistic, collaborative approach and provides a common language that enables business executives, IT professionals, and other stakeholders to discuss strategies and tactics.
In January, NIST issued a draft update to the framework, incorporating feedback received since the release of version 1.0 and further developing guidance on reducing cybersecurity risks. The product of an 18-month development process, version 1.1 clarifies key terms and introduces methods for measuring cybersecurity.
It also provides tools to help organizations apply the framework to cyber supply chain risk management, including a vocabulary that enables organizations working together on a project to clearly understand cybersecurity needs. Examples of cyber supply chain risk management include a small business selecting a cloud service provider or a federal agency contracting with a system integrator to build data center infrastructure.
The draft update renames the “Access Control” category as “Identity Management and Access Control” to reflect the importance of managing identities and credentials across their lifecycles. It also clarifies and expands the definitions of the terms “authentication” and “authorization” and defines the related concept of “identity proofing.”
The NIST Cybersecurity Framework won’t reduce the number of security threats or resolve the skills shortage in the cybersecurity field. However, it does provide organizations with a practical guide for ensuring that all the bases are covered. We’ll be following the development of version 1.1 and will provide an analysis of the changes that are included in the final document, which is expected to be released next fall.
For more information on the NIST Cybersecurity Framework, please send us an email at (firstname.lastname@example.org).