NIST seeks information on updating its Cybersecurity Framework

Security community welcomes the update, but a U.S. GAO report cites slow adoption among government.


As it begins planning to revise its widely praised Cybersecurity Framework (CSF), the National Institute of Standards and Technology (NIST) has asked interested parties to comment on how it can improve the effectiveness of the CSF and its alignment with other cybersecurity resources. The framework was first released in 2014 under an executive order issued by President Obama; NIST's last update, version 1.1, was in 2018.

“There is no single issue driving this change,” NIST Chief Cybersecurity Advisor Kevin Stine said in a statement. “This is a planned update to keep the CSF current and ensure that it is aligned with other tools that are commonly used.”

NIST raises a host of questions

In its published request for information, NIST raises a host of “non-exhaustive” questions intended to make the framework applicable to a broader range of users while incorporating improvements, including a greater focus on supply-chain-related cybersecurity needs. Specifically, NIST asks how use of the framework could be improved: whether the framework supports better risk assessment and risk management, what metrics might be used to measure its impact, and what challenges organizations face in applying it, among other questions.

NIST also asks for suggestions on improving alignment or integration of the Cybersecurity Framework with other NIST risk management resources such as the NIST Risk Management Framework, the NIST Privacy Framework, and Integrating Cybersecurity and Enterprise Risk Management (NISTIR 8286). NIST further asks for ways to improve alignment or integration of the framework with non-NIST frameworks, such as international approaches like the ISO/IEC 27000 series, including ISO/IEC TS 27110.

Regarding supply chains, NIST is requesting information to help identify supply-chain-related cybersecurity needs and to harmonize the National Initiative for Improving Cybersecurity in Supply Chains (NIICS), a NIST-led public-private partnership announced in the same request, with the CSF. NIST also asks whether it should create a dedicated framework for cybersecurity supply chain risk management or instead address supply chain risk more effectively within the CSF itself.

CSF update is sensible and timely

Reaction from cybersecurity specialists to the update is generally favorable. Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance (NCA), says that the push to create frameworks, best practices, and supporting guidance, and to refine them on a more continuous basis, has gained momentum in the wake of recent increased cyber threats. “This announcement from NIST and the collaborative approach it seems to be taking is not only unsurprising but is also very sensible as we continue to work to refine and modernize our cybersecurity operations,” Plaggemier tells CSO.

Dr. Joerg Borchert, president and chair of the Trusted Computing Group, says a CSF revamp is now due. “As the early framework was created in 2014, a revamp is timely,” he tells CSO. “The overhaul provides a chance to update the CSF to the threat vectors and new challenges.”

Borchert says the CSF is already a leading framework in the international community. “When it really comes down to it, there are only a few frameworks for cybersecurity that are commonly accepted as best practices,” he says, noting that the other leading frameworks on par with the CSF in the international community include ISO 27001/27002, NIST SP 800-53, Secure Controls Framework (SCF) and the payment standard PCI DSS.

Secure Code Warrior's CTO and co-founder, Dr. Matias Madou, agrees that NIST is already a front-runner on the international scene regarding cybersecurity frameworks, particularly in the area of secure software development. “I do hope a lot of organizations and countries are looking at this roadmap they’re laying out and will follow suit. U.S. companies have led the way in securing software and validating the software.”

Brian Behlendorf, general manager of the Open Source Security Foundation, says that NIST’s plan to tackle supply chain issues dovetails with his hope that a consistent way emerges for software developers to choose the building blocks in their software. “What we have not done is build a metrics-driven, data-driven approach to helping developers make decisions,” Behlendorf tells CSO. “If NIST can be helpful in driving industry toward a set of common standards and data formats and terminology around all of this, I think that would be helpful in moving things forward.”

GAO hopes the update will fix agency adoption problems

Dave Hinchman, acting director in the Government Accountability Office’s (GAO) Information Technology and Cybersecurity team and author of a recent GAO report on how government agencies have adopted the NIST framework, hopes the update process will address the issues that have thwarted agency adoption of the CSF. The GAO’s most recent report, issued earlier this month, is the last of four statutorily mandated studies. It found that, eight years after agencies were first urged to adopt the CSF, only three of the sector risk management agencies (SRMAs) responsible for the federal government’s 16 critical infrastructure sectors have determined how they will adopt it.

“When you see some of the things we found, it's not a great picture,” Hinchman tells CSO. “Only three agencies have determined how they're going to adopt the framework. Four have finally started some effort, but the [remaining] sectors haven't done anything. We have had a pretty good discussion of a lot of the challenges that agencies are citing in why they're not making better progress.”

Voluntary nature, lack of metrics slow framework adoption

The most significant barrier to agency adoption of the framework is that it’s voluntary, Hinchman says, which NIST does not have the authority to change. Another big problem that Hinchman cites is the lack of metrics, a topic that NIST raises in its request for information. As auditors, the GAO likes “hard things,” he says. “What are the specific targets that we're doing? That’s maybe something to consider, whether there's a way to build in some metrics. I think that could help drive adoption because it's a way that there's a measurable outcome or a measurable target that you can track against.” Hinchman notes that NIST had already made some progress on the metrics front even before issuing its information request.

Yet another limitation holding back the adoption of the framework is a lack of tangible implementation guidance, Hinchman says. “I think that maybe it is time to sit down, revisit this and look at what it is that we can do to make this more palatable so that we get better adoption,” particularly given the voluntary nature of the CSF.

“I've been performance auditing the government now for almost 20 years, and when you've got big disconnects like what we're seeing here, with what everyone says is this great framework that's in place, but terrible adoption eight years on, there's something that's not clicking,” Hinchman says.

He praises NIST’s decision to update the framework, hoping that NIST takes what the GAO has discovered to heart. “The NIST and DHS programs got mixed reviews at best from agencies. You have to acknowledge agencies’ complaints about those programs and admit that more needs to be done. This request for information is a great first step.” But, “at the end of the day, agencies are really just struggling to get adoption in place.”

NIST did not respond to multiple requests for comment on the GAO report and Hinchman’s remarks.

Copyright © 2022 IDG Communications, Inc.
