Draft update to NIST Cybersecurity Framework talks about Supply Chain Risk Management and measuring cybersecurity
The National Institute of Standards and Technology (NIST), a measurement standards laboratory under the US Department of Commerce released draft Version 1.1 of its Cybersecurity Framework last week. NIST is seeking feedback and the deadline for submission is April 10, 2017.
Updates include addition of an entirely new section on measurement and demonstration of cybersecurity and Supply Chain Risk Management (SCRM) considerations in all sections throughout the document, refining the language of the Access Control Category to better define and account for authentication, authorization, and identity proofing and better explanation of the relationship between Implementation Tiers and Profiles.
Version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity, or the Cybersecurity Framework, released in February 2014, after a year-long consultation between public and private sectors and academia has become one of the most important cybersecurity reference standards for governments and corporates globally. NIST had announced in June 2016 that it would be refining the cybersecurity framework. The proposed updates are based on feedback from Cybersecurity Framework Workshop 2016 and responses to a December 2015 Request for Information (RFI) entitled Views on the Framework for Improving Critical Infrastructure Cybersecurity.
Matt Barrett, NIST’s program manager for the Cybersecurity Framework (OpenGov spoke to Matthew Barrett, Program Manager, Cyber Security Framework last year) said,“We wrote this update to refine and enhance the original document and to make it easier to use. This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”
Cyber SCRM, as its name indicates, encompasses cybersecurity in the entire supply chain from information technology (IT) and operational technology (OT) suppliers and buyers, along with non-IT and non-OT partners. Examples would include a small business selecting a cloud service provider or a federal agency contracting with a system integrator to build an IT system.
Having strong cybersecurity implementation within the organisation might not be enough, as poor manufacturing and development practices any point within the cyber supply chain can introduce vulnerabilities. The objective of cyber SCRM is to identify, assess and mitigate the risks from such products and services.
SCRM needs to be factored into Protection, Detection, Response and Recovery protocols of organisations. The draft adds sections on SCRM in all 4 of the implementation tiers (‘how an organization views cybersecurity risk and the processes in place to manage that risk’) of Partial, Risk-informed, Repeatable and Adaptive.
The draft framework lists the following as possible Cyber SCRM activities:
- Determining cybersecurity requirements for suppliers and IT and OT partners
- Enacting cybersecurity requirements through formal agreement (e.g. contracts),
- Communicating to suppliers and partners how those cybersecurity requirements will
- be verified and validated
- Verify cybersecurity requirements are met through a variety of assessment methodologies
- Governing and managing the above activities
Measuring and demonstrating cybersecurity
This new section looks at metrics for creating meaning and awareness of organizational security postures by aggregating and correlating measures. It goes on to define measures as “quantifiable, observable, objective data supporting metrics.”
The draft says that the objective of measuring cybersecurity is to correlate cybersecurity with business objectives, to understand and quantify cause-and-effect.
It points out that correlating cybersecurity metrics to business objectives would often be more complex than measuring one cybersecurity result. The draft highlights that isolating cybersecurity outcomes and business objectives in terms of a cause and effect relationship is one of the biggest challenges with regards to measuring cybersecurity and care must be taken that there is true correlation between a given cybersecurity outcome and business objective.
The expense associated with a measurement system is taken into account, with the draft framework recommending that the accuracy and expense of a system need only match the required measurement accuracy of the corresponding business objective.
Read the press release here.
Read the Draft version 1.1 of the Cybersecurity framework with markup here.