NIST Framework for Critical Infrastructure Cybersecurity

Four years after the initial iteration was released, the National Institute of Standards and Technology (NIST) released version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity. The framework was initially developed to be a voluntary, risk-based framework to improve cybersecurity for critical infrastructure in the United States. It’s the result of an Executive Order 13636 issued by President Obama calling for the development of a set of standards, guidelines and practices to help organizations charged with providing the nation’s financial, energy, health care and other critical systems better protect their information and physical assets from cyber attack. Like the first version, Version 1.1 of the framework was created through public-private collaboration via a series of recommendations, drafts and comment periods. Changes to Version 1.1 include updates on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain and vulnerability disclosure, among others.

Review of changes

For one, the update has renamed the Access Control Category to Identity Management and Access Control to better account for authentication, authorization and identity-proofing. It also has added a new section named "Section 4.0 Self-Assessing Cybersecurity Risk with the Framework" that explains how the framework can be used by organizations to understand and assess their cybersecurity risk, including the use of measurements.

“The development of cybersecurity performance metrics is evolving. Organizations should be thoughtful, creative, and careful about the ways in which they employ measurements to optimize use, while avoiding reliance on artificial indicators of current state and progress in improving cybersecurity risk management. Judging cyber risk requires discipline and should be revisited periodically,” the document reads.

On the supply-chain front, an expanded Section 3.3 helps users better understand risk management in this arena, while a new section (3.4) focuses on buying decisions and the use of the framework in understanding risk associated with commercial off-the-shelf products and services. The framework highlights the "crucial role of cyber supply-chain risk management in addressing cybersecurity risk in critical infrastructure and the broader digital economy." Additional risk-management criteria were added to the Implementation Tiers for the framework, and a supply-chain risk-management category has been added to the Framework Core. Other updates include a better explanation of the relationship between Implementation Tiers and Profiles; added clarity around the term “compliance,” given the variety of ways in which the framework can be used by an organization; and the addition of a subcategory related to the vulnerability disclosure lifecycle.

Discussion and Considerations

On the executive summary of the framework, it is stated that:

“While this document was developed to improve cybersecurity risk management in critical infrastructure, the Framework can be used by organizations in any sector or community. The Framework enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving security and resilience.”

Therefore, its goal is to be flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors as well as by federal, state and local governments. It is also worth noting that the framework covers people, process and technology. It is not just about technology and process. So far, adoption of the framework has been fairly widespread. Only 30 percent of U.S. organizations used the framework in 2015, but that figure is expected to rise to 50 percent by 2020, according to Gartner. Like nearly all data security standards, the impact of the NIST Cybersecurity Framework has been influential rather than mandatory. While cyber professionals are often directed to such standards and framework documents as tools to help build a protective architecture as needed, the professionals generally have their pick of tools to apply. However, the recently released Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure from the Trump Administration can be read to require federal agencies to adhere to the NIST Cybersecurity Framework. The Order requires agency heads to present a risk management report to the OMB describing their plans to implement the Framework. Given this current mandate, it is possible that a similar requirement could be made of all major government contractors, as well. On the same issue, Eric Rosenbach, a Lecturer in Public Policy and co-director of Harvard University's Belfer Center for Science and International Affairs, told senators in a written testimony that Congress should mandate all critical infrastructure providers to adopt the framework. Rosenbach, who testified before the U.S. Senate Committee on Homeland Security and Governmental Affairs, cited recent ransomware attacks on the City of Atlanta and Boeing to highlight that there are palpable threats that need addressing.

"Cyber risk affects all corners of our economy and society. It is a whole-of-nation threat. It can only be successfully addressed with a whole-of-nation effort. The Government has a leading role to play. But ultimately, actions by private enterprise and non-government organizations will be key to our success," said Rosenbach.

Later this year, NIST plans to release an updated companion document, The Roadmap for Improving Critical Infrastructure Cybersecurity, which describes key areas of development, alignment and collaboration. As Matt Barrett, program manager for the Cybersecurity Framework said: “The Cybersecurity Framework will need to evolve as threats, technologies and industries evolve. With this update, we’ve demonstrated that we have a good process in place for bringing stakeholders together to ensure the framework remains a great tool for managing cybersecurity risk.”