NIST CSF 2.0 Workshop emphasizes global appeal, metrics and assessment

The U.S. National Institute of Standards and Technology (NIST) hosted its first workshop yesterday on the Cybersecurity Framework (CSF) 2.0, an update to the CSF 1.1 released in 2018, which was itself an update to the original CSF released in 2014. Many cybersecurity professionals, and some NIST experts, consider the framework to be the “Rosetta stone” for managing all organizations’ cybersecurity risks.

Heading into the workshop, NIST issued a request for information, asking commenters to answer questions about bringing the CSF up-to-speed on some emerging developments that were only partially covered in the first two versions or not referenced at all. Comments submitted to NIST reflected a wide range of considerations, encouraging NIST to make several improvements including a greater emphasis on measurements and metrics related to the CSF, beefing up supply chain security sections, and offering more implementation guidance on how to adopt the framework. Overall, commenters praised the effort as valid and valuable.

This first workshop on CFS 2.0, which was held virtually and attended by 7,000 global participants, dealt with six topics: a general discussion of what CSF 2.0 should look like, lessons learned from the development of profiles that are part of the framework, international use of the framework and its alignment with non-U.S. standards, governance matters, measurement and assessment, and supply chain considerations.

The CSF has endured

Over the last nine years since the release of CSF 1.0, “We’ve seen three presidential administrations, advancements in artificial intelligence and other technologies. We’ve demonstrated resilience against a global pandemic, and Beyonce has blessed us with three studio albums,” Cheri Pascoe, senior technology policy advisor at NIST said in kicking off the workshop. “And yet with all that has changed, the CSF has endured.”

“We at NIST have been thrilled with the impact the framework has had on cybersecurity and the role that it has played,” Laurie E. Locascio, NIST’s undersecretary of commerce for standards and technology, said. “It has truly become foundational for assessing an organization’s cybersecurity risks, its status, and its needs. The framework is being used across sectors and discussed in both the server room and the board room.”

“The original NIST framework was as much about reframing doctrine as it was about collecting and organizing the details of contemporary practice,” said Chris Inglis, national cyber director in the Executive Office of the President. “The original doctrine introduced the premise that we can and must determine a system’s intended use, its essential characteristics, upfront so that we might be better able to deliver and sustain those characteristics. The initiative that we’re kicking off today builds on those best practices while shoring up the collective efforts that will sustain and power them into the future.”

“There are two cyber futures available to us,” Inglis said. “The first might be summed up in one word, which is ‘good.’ The second might be summed up in two words as ‘not good.’ The choice between those two is just that, a choice. We can choose to make the investments necessary to deliver cyberspace, the digital infrastructure, the internet of everything, that delivers on our aspirations, that delivers the resilience in the activities, the characteristics that will give the confidence that those aspirations will be well met.”

The day-long workshop focused on various complex and high-profile topics raised in the RFI. Two panels, particularly international issues and measurements, arguably warrant a little more attention because they have captured little attention compared to the more well-trod topics such as supply chain security.

International community has embraced the CSF

The global popularity of the CSF is demonstrated by its translation into nine languages to date and a rising level of international interest in how the framework might help. Leonard Hause of the new Bureau of Cyberspace at the State Department, who has also worked with the department’s cyber coordinator office, said, “We’ve traveled the world, and the cybersecurity framework has been extremely popular in a lot of our engagements internationally.”

Kerry-Ann Barrett, cybersecurity program manager for two secretariats at the Organization of American States, said that the CSF is traveling across Latin America and the Caribbean. “We’ve been encouraging our member states as a part of their national cybersecurity strategy to think about a government-wide cybersecurity framework that could actually support the implementation of standards identification as they do their curriculum and infrastructure protection plans.”

Wen Kwan, senior director, ICT Resilience, Innovation, Security and Economic Development for the Government of Canada, said the common language the CSF provides has helped his country delineate risk threats and vulnerabilities. “It has been a great reference for us, and we also think that it is going in the right direction. We have heard lots of positive feedback from Canadian small companies, especially. People have been able to increase their cybersecurity posture because of the cybersecurity framework.”

Laura Lindsay, cybersecurity standards strategist, Microsoft, has helped to raise the international adoption of the concepts inherent in the CSF, such as categories, tiers, and profiles. “We have had great luck in doing that in ISO [the International Organization for Standardization],” she said. “So, I’m able, when people are starting to talk about new cybersecurity standards, to point them back to the framework and say, ‘Hey, have you looked at that?'”

Measurement and assessment

Using the NIST CSF to measure and assess cybersecurity has been much discussed and debated. Khalid Hasan, senior manager for information technology audits, Office of Inspector General for the Board of Governors of the Federal Reserve Board and the Consumer Financial Protection Bureau, said that his groups are using the CSF to gauge the effectiveness of an agency’s information security program because it provides common talking points to which people can refer. “It’s a good way to provide maturity or effectiveness at a program level, but then really map it to individual controls,” he said.

Kelly Hood, executive vice president and cybersecurity engineer, Optic Cyber Solutions, said her group uses the CSF “to define our cybersecurity capabilities. We have a profile to help us define what we do and then measure our effectiveness.”

Alicia Clay Jones, manager, policy and performance, Entergy Services, said her group uses the CSF to measure its security program. “We look at the comprehensive list of the categories and the security objectives and say, ‘How well are we doing across those’? We look at measuring our environments, or we look at the security posture or the maturity of our different business environments. We then use it for strategic and tactical planning.”

Reactions to the CSF workshop

Based on feedback in the Slack channel NIST established to handle comments and questions during the workshop, most attendees found this first round of discussion about creating the CSF 2.0 informative and helpful. Russell Eubanks, who participated in the development of the CSF 1.0 on behalf of Cox Communications and now heads his own firm, Security Ever After, waxes nostalgic about NIST’s first round of workshops in creating CSF 1.0 but says he thinks NIST’s virtual workshop on 2.0 was on par with those. “Their method at bringing everyone in and giving them an opportunity to voice their views. I think that’s incredible,” he tells CSO.

Jay Gallman, risk and compliance IT analyst at Duke University, tells CSO, “I think it was good from the standpoint that it’s helpful to see what others are grappling with. And to that extent, I actually like a virtual workshop better because I think with something like the Slack channel, you have the ability to hear a lot more about what others are dealing with, and what others are asking questions about.”

Some attendees suggested room for improvement, particularly when providing more clear-cut implementation guidance to flesh out the steps organizations can take when adopting the framework. “As Tony Sager [chief evangelist for the Center of Internet Security] said, we don’t suffer from a lack of a list of good things to do,” Eubanks says, adding that NIST could help narrow the challenge by offering more practical guidance.

Even though NIST representatives pointed to resources during the workshop they have posted to the web that they claim offer the kind of guidance Eubanks and others seek, Eubanks says, “Maybe it’s the best-kept secret.”

Gallman says, “There is a wealth of information out there and much of it online and much of it freely accessible. The problem is it’s not well coordinated. So, you have to know somebody who knows something to know where something is.”

Jeff Sauntry, founder and CEO of Risk Neutral, a company that helps board members understand their cybersecurity risks and financial impact, tells CSO NIST’s “model is what you should do, but not how to do it. And I think that’s what the CSF should be.” But NIST should “reference more prescriptive things that could help the community really kind of put it into practice. So, if I’ve convinced the C-suite and the board, we should do this, help me figure out how I go and make it happen in the real world.”