As per the findings of the latest edition of Sectrio’s IoT and OT threat landscape report, cyberattacks are on the rise. There has been a significant improvement in the quality of cyberattacks as well since 2020 (or in the days following the onset of the pandemic) as hacking tools that were formerly with state-backed threat actors became widely available. So while the hackers got a major upgrade, cyber defenses are still at least half a decade behind them. Little wonder that regulators are working on improving existing frameworks, regulations, and standards to add new layers to help organizations fight cybercriminals, digital adversarial elements, and hackers better.
The National Institute of Standards and Technology (NIST) has joined this list. Recently, it published a Request for Information (RFI) calling for stakeholder input on two cybersecurity-related areas:
- What kind of supply chain cybersecurity measures are required for NIST’s National Initiative for Improving Cybersecurity in Supply Chains (NIICS)?
Outlining the rationale behind the decision to update the framework, NIST says in the RFI that the current framework was last updated in April 2018 and that the cybersecurity landscape has changed significantly since then. NIST therefore wishes to use the suggestions received to improve the framework and make it more relevant and useful. Although the RFI makes no direct reference to an update, the references to the age of NIST CSF and to the need for organizations to better manage their cybersecurity risks make it clear that, sooner or later, these suggestions (or rather the ones NIST selects) will be used to modify the CSF in some manner.
At the very least, NIST may go ahead and publish an addendum to the current version of the CSF.
NIST has, in the RFI, provided a list of possible themes and topics to be addressed in the response to the RFI. The primary subjects include:
- The advantages and benefits of the CSF and how they can be measured
- Known challenges and concerns in using the CSF
- Any part of the CSF that needs change or should be deleted
- In case NIST decides to modify the CSF, would it create backward compatibility issues?
In addition to the above, NIST has also sought input from stakeholders on the compatibility of the CSF with other ‘risk management resources’ that have been made available since the publication of the framework in April 2018.
Specific topics on which NIST is seeking inputs include:
- Improving the compatibility or alignment of CSF with other NIST resources including NIST frameworks around risk management, privacy, and IoT cybersecurity
- Information from organizations that use non-NIST frameworks on steps that would improve integration of the CSF with such frameworks
- What steps can be taken to increase the adoption of NIST CSF
- Updating NIST’s Online Informative References Program to cover new terminology and concepts. This is something we have seen in the SEC’s proposed new cybersecurity reporting rules as well. With businesses running operations across geographies, new terms and concepts are created often, and these enter the vocabulary of certain business segments or geographies while remaining unused in others. NIST and the SEC both intend to address the addition of such terms to improve comprehension.
On the issue of supply chain cybersecurity, NIST is looking at addressing these areas through the suggestions received in the RFI:
- What cybersecurity gaps have businesses encountered while working on or managing supply chains
- How are such gaps being addressed by these businesses?
- How can NIST help such businesses in addressing such gaps and challenges?
NIST is viewing supply chain security as part of a larger effort to improve the overall cybersecurity posture of the US.
Supply chain cybersecurity-related topics that NIST has identified for inputs include:
- Key cybersecurity challenges associated with supply chain risk management that the NIICS could potentially address;
- The strategies and tools that organizations are currently using to manage cybersecurity-related risks in supply chains; NIST may want to know whether these are sufficient or whether gaps could threaten the success of the overall supply chain cybersecurity approach a business has adopted
- Current gaps associated with cybersecurity supply chain risk management and whether any NIST resources address such gaps
- How the overall cybersecurity supply chain risk management could be addressed in an updated CSF.
NIST’s continuing attention to the CSF and supply chain cybersecurity is commendable. This new exercise will certainly help align the CSF with the new cybersecurity realities that have emerged since the pandemic set in, as well as with the geopolitical tensions that have arisen in different parts of the world. Sectrio encourages all stakeholders to participate in this effort by NIST.
The RFI response deadline is April 25, 2022.
More details on how to provide your suggestions and comments are available at this link.
If you need more information or any clarification about this RFI please reach out to: CSF-SCRM-RFI@nist.gov or Katherine MacFarland, National Institute of Standards and Technology, 100 Bureau Drive, Stop 2000, Gaithersburg, MD 20899; (301) 975-3359.