Analyzing proposed updates to the NIST Cybersecurity Framework

CA submitted its comments to NIST’s recent updated draft.

A little over two years ago, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity. The Cybersecurity Framework, as it's commonly known, set out a flexible, technology-neutral, risk-based approach for owners and operators of critical infrastructure to establish and improve their cybersecurity programs. It enabled these and other organizations to develop prioritized action plans to address their unique cybersecurity challenges, and it provided a range of best practices that they could leverage. These best practices were incorporated in the Framework Core.

Along with the release of the Framework in February 2014, NIST published a “Roadmap,” which outlined priority cybersecurity areas for further focus and development. Key topic areas in the Roadmap included authentication, conformity assessment, Federal Agency cybersecurity alignment, international aspects and alignment, and supply chain risk management, among others.

Earlier this year, NIST published an updated “Draft Version 1.1” of the Framework, which incorporated changes outlined in many of these Roadmap items. NIST based these changes on input received from stakeholders through workshops, outreach and requests for comment.

CA Technologies has been an active participant in Framework stakeholder outreach forums, and has just submitted comments on the recent updated draft.

In our submission, we commend NIST for introducing new language to help organizations establish metrics and measurements to demonstrate cybersecurity progress through use of the Framework. However, we note that organizations should have flexibility in developing these metrics. We also offer our support for limited inclusion of supply chain risk management practices in the Framework Core, given the key potential threat vector supply chains represent. We loudly applaud NIST's work in promoting the Framework domestically and internationally, and call on NIST to continue developing Framework use cases for different sectors to enable greater adoption.

NIST also updated language in the section on "How to Use the Framework" discussing how organizations can apply the Framework in the design, build/buy, deploy, operate and decommission system lifecycle phases. CA supports this updated language and encourages NIST to go further in creating Framework use cases for development processes. In particular, we recommend that NIST highlight the importance of a secure software development process, including the use of education, threat modeling, architectural risk assessment, and code scanning and analysis.

The bulk of our submission focuses on updates NIST made to the Identity Management and Access Control category of the Framework Core. We were very pleased to see NIST utilize more specific language around the issuing, managing, revoking and auditing of identities and credentials. This update more accurately reflects current best practice cybersecurity activities in the access management space.

CA is encouraging NIST to go further in promoting key identity-centric security practices in either the final version 1.1 of the updated Framework, or in an updated Roadmap. Specifically, we would like NIST to incorporate the use of authentication in the Framework Core, including the use of both multi-factor and risk-based authentication, as appropriate. Further, CA noted that NIST should consider adding language around the importance of device authentication, given the increased reliance on automated systems in the provision of critical infrastructure services. And, we recommended NIST highlight the importance of privileged access management as a key component in an overall identity and access management program.

The Cybersecurity Framework represents the global gold standard for cross-sector critical infrastructure cybersecurity guidance. It enables organizations to align cybersecurity priorities in a way that addresses their unique threats, assets and resources. A reported 30 percent of organizations had adopted the Framework as of 2016, and a projected 50 percent will have adopted it by 2020. We applaud NIST for Draft Version 1.1. These updates, augmented with a stronger focus on identity-centric security best practices, can truly move the needle on enhancing global cybersecurity.


As director of global government relations for CA Technologies, Jamie manages cyber security and Internet…

Comments

  • Mike Wilson

    I'm also very excited about the long overdue changes to best practices for password management. It has been clear for quite some time that requiring users to use arbitrary mixtures of letters, numbers and symbols and to change passwords at more frequent intervals was actually counterproductive and resulted in less secure practices. Adding in the requirement to check passwords against lists of dictionary and compromised passwords is an excellent augmentation as well. At PasswordPing, we provide our customers with easy-to-implement ways for screening out compromised passwords and blocking compromised login credentials, so we've been preaching these things for quite some time. It's great to see them finally get some backing at this level.
