Analyzing proposed updates to the NIST Cybersecurity Framework
CA submitted its comments on NIST’s recently updated draft.
A little over two years ago, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity. The Cybersecurity Framework, as it’s commonly known, set out a flexible, technology-neutral, risk-based approach for owners and operators of critical infrastructure to establish and improve their cybersecurity programs. It enabled these and other organizations to develop prioritized action plans to address their unique cybersecurity challenges, and it provided a range of best practices that they could leverage. These best practices were incorporated in the Framework Core.
Along with the release of the Framework in February 2014, NIST published a “Roadmap,” which outlined priority cybersecurity areas for further focus and development. Key topic areas in the Roadmap included authentication, conformity assessment, Federal Agency cybersecurity alignment, international aspects and alignment, and supply chain risk management, among others.
Earlier this year, NIST published an updated “Draft Version 1.1” of the Framework, which incorporated changes outlined in many of these Roadmap items. NIST based these changes on input received from stakeholders through workshops, outreach and requests for comment.
CA Technologies has been an active participant in Framework stakeholder outreach forums, and has just submitted comments on the recently updated draft.
In our submission, we commend NIST for introducing new language to help organizations establish metrics and measurements to demonstrate cybersecurity progress through use of the Framework. However, we note that organizations should have flexibility in developing these metrics. We also offer our support for limited inclusion of supply chain risk management practices in the Framework core, given the key potential threat vector supply chains represent. We loudly applaud NIST’s work in promoting the Framework domestically and internationally, and call on NIST to continue developing Framework use cases for different sectors to enable greater adoption.
NIST also updated language in the section on “How to Use the Framework” discussing how organizations can apply the Framework in the design, build/buy, deploy, operate and decommission system lifecycle phases. CA supports this updated language and encourages NIST to go further in creating Framework use cases for development processes. In particular, we recommend that NIST highlight the importance of a secure software development process, including the use of education, threat modeling, architectural risk assessment, and code scanning and analysis.
The bulk of our submission focuses on updates NIST made to the Identity Management and Access Control category of the Framework Core. We were very pleased to see NIST utilize more specific language around the issuing, managing, revoking and auditing of identities and credentials. This update more accurately reflects current best-practice cybersecurity activities in the access management space.
CA is encouraging NIST to go further in promoting key identity-centric security practices in either the final version 1.1 of the updated Framework, or in an updated Roadmap. Specifically, we would like NIST to incorporate the use of authentication in the Framework Core, including the use of both multi-factor and risk-factor authentication, as appropriate. Further, CA noted that NIST should consider adding language around the importance of device authentication, given the increased reliance on automated systems in the provision of critical infrastructure services. We also recommended that NIST highlight the importance of privileged access management as a key component in an overall identity and access management program.
The Cybersecurity Framework represents the global gold standard for cross-sector critical infrastructure cybersecurity guidance. It enables organizations to align cybersecurity priorities in a way that addresses their unique threats, assets and resources. A reported 30 percent of organizations had adopted the Framework as of 2016, and a projected 50 percent will have adopted it by 2020. We applaud NIST for Draft Version 1.1. These updates, augmented with a stronger focus on identity-centric security best practices, can truly move the needle on enhancing global cybersecurity.