The effort behind the NIST Cybersecurity Framework (CSF) turned 10 years old in February 2023: Executive Order 13636, signed on February 12, 2013, directed NIST to develop a voluntary framework for Critical Infrastructure owners and operators in the United States, and version 1.0 of the CSF followed in February 2014. As the complexity of cybersecurity has grown, organizations outside of Critical Infrastructure have adopted the framework to measure maturity and identify risks. So, what could possibly be exciting about a 10-year-old assessment framework? Because the CSF is written in broad strokes, adopting and executing it raises practical challenges around scoring, industry benchmarking, and organizational applicability. SRA has gained insights into how to overcome those challenges from conducting dozens of assessments across Fortune 500 and Global 1000 organizations.
As the CSF begins its second decade, we revisit the framework itself, SRA’s experience with a few common challenges, and preview the coming changes.
What is the NIST CSF? A refresher:
The NIST CSF (version 1.1) consists of 108 subcategories, commonly treated as controls, grouped into 23 categories across five functions: Identify, Protect, Detect, Respond, and Recover. Maturity is usually scored against the framework's four implementation tiers: Partial, Risk Informed, Repeatable, and Adaptive. One caveat: NIST defines the tiers as describing the rigor of an organization's overall cybersecurity risk management practices and states explicitly that they are not maturity levels, so applying them to individual subcategories is an assessment convention rather than something the framework prescribes.
The framework can apply to an organization of any size or sector. Contrary to a common assumption, it is voluntary even for Critical Infrastructure owners and operators; the one formal mandate is Executive Order 13800 (2017), which directed federal agencies to use it to manage their cybersecurity risk. Although NIST does not require a consultancy to perform assessments, many organizations benefit from the expertise of an external firm to evaluate their cybersecurity maturity using the CSF.
What are the common challenges? How do we address them?
Having performed approximately 30 NIST CSF assessments in the last 3 years, SRA has identified several recurring challenges across organizations and sectors:
- Scoring – What does a “2.3” really mean, anyway? Whether you use NIST’s four implementation tiers or the 5-point CMMI maturity scale, there is plenty of room for interpretation when it comes to quantifying the maturity of an organization. Results are often reduced to a single “score” for board reporting on annual progress, and once a score reaches the board, any year-over-year drop tends to be read as a loss in security posture, even when it reflects a change in scope, a stricter assessor, or a threat landscape that has raised the bar. SRA stresses improvement where it has the most impact and scores people, processes, and technology separately for each NIST function, so the numbers show demonstrated improvement that keeps pace with the threats facing a given industry. This gives executives a numerical value with better context about where investments have paid off and where strategic focus is still required.
- Peer Benchmarking – How are other organizations like us doing this? One of the first things a CISO asks when we present assessment results is how they compare with other organizations. A true 1:1 comparison is difficult with any framework that leaves controls open to interpretation, and team size, budget, and strategic focus differ between organizations. That said, SRA’s experience as a provider of 24/7 Security Operations Center (SOC), Purple Team, Active Directory (AD) evaluation, and Ransomware Assessment services lets us draw practical comparisons from metrics that can be baselined, and highlight where funding and resources should be prioritized to address active threats rather than just meeting compliance.
- Control applicability – Does this really matter for us? While the framework is flexible enough to apply to any organization, the bottom line is that some controls simply might not apply to your organization. And that’s okay! The goal is to improve your security posture, and SRA’s knowledge of the current threat landscape can help an organization determine which NIST CSF categories make the most sense to evaluate or emphasize during any given assessment.
Remember – the framework is voluntary and there is technically no “right” or “wrong” way to do it. And it’s not an audit; there are no penalties or punishments.
What’s next for NIST CSF?
The next phase in the evolution of the framework is version 2.0, scheduled for publication in early 2024. This version adds further implementation guidance, more emphasis on third-party and supply chain security, and a new sixth function, Govern. Adding Govern as a function names a problem Information Security has struggled with for decades: we can’t protect what we don’t know about, and much of what we don’t know about enters through decisions made elsewhere in the business. The Govern function covers organizational context, risk management strategy, roles and responsibilities, policy, and oversight, and places cybersecurity supply chain risk management alongside them, which requires collaboration between Information Security and the business on tasks such as Procurement, Vendor Management, and Compliance.
SRA recently contributed formal feedback to this effect as part of NIST’s community engagement process. Our proposal summarizes the importance of incorporating Information Security into Strategic Business Decisions such as mergers and acquisitions and major technology updates. If you are interested in reading our full proposal, navigate to the NIST RFI Comments site.
A flexible framework is valuable because it can be applied to any type of organization. But with that degree of flexibility comes a lot of room for interpretation on control scoping, scoring, and benchmarking. As the CSF itself continues to evolve, so must our approach to assessing organizations against it. SRA continues to refine our own assessment methodology to address these common challenges and to contribute to future versions of the framework so that companies can get the most out of a NIST CSF assessment.
So happy birthday, NIST CSF! As we look to the release of version 2.0 in 2024, here’s to another 10 years of using this framework to help organizations of all types continually strengthen their cybersecurity posture.