NIST CSF 2.0: Running for Governor
In previous articles, we looked at the NIST Cybersecurity Framework and an overview of the changes in the forthcoming version 2.0, the first major update to the framework since its initial publication in 2014. Over the next few articles, I’ll be looking in more detail at each of the six functions of the framework, starting with the newest addition: Govern.
As this is such an important part of the new framework and is a brand-new function for v2.0, we will cover it in two articles. In this post, we will look at organisational context, risk management and supply-chain. In our next post, we’ll cover Roles & Responsibilities; Policies, Processes & Procedures; and Oversight.
Governance as a core function
Unlike the existing five functions of the NIST CSF, which follow a logical process of identifying the risks; protecting assets; detecting and responding to cyberattacks; and then recovering to a normal steady state, the Govern function sits at the centre of the framework. Govern sits at the core because it informs how the organisation will implement the other five functions, as shown in this illustration from the new framework draft document:
As “Govern” sits at the core of the framework, it is important to consider this function first, as it will shape and define which controls are the most important, and where time, resources and, of course, money should be focused.
Can I get some context here?
The first category in the Govern Function is Organisational Context, ensuring that the strategy and values of the organisation are understood, so that security does not inhibit them. This has been expanded from the category of “Business Environment” in v1.1 of the framework and more clearly focuses on stakeholder needs & expectations, legal and regulatory controls, and a clear communication of expected outcomes. Privacy legislation is explicitly included within this category and more detail about how to align cybersecurity and privacy frameworks is included in the main body of the framework.
If security isn’t aligned properly to the business context, then it risks existing only for its own purpose and being considered a blocker to progress and agility, ultimately causing people to try to bypass it and stakeholders not to take it seriously. Get this first bit right and security will be regarded as a core business capability, not just a necessary evil.
This is all about managing risk
The Risk Management category in v2.0 has been significantly enhanced from v1.1, bringing in clearer guidance on aligning cybersecurity risk to Enterprise Risk Management (ERM) by adopting a standardised approach to calculating risks through an established ERM framework. Having a clearly defined way to assess risks, which aligns to the same process that business operations, finance, legal and other teams use to assess their risks, and which also stands up to scrutiny and challenge, ensures that these risks are taken seriously.
NIST has foundational guidance for integrating cybersecurity risk with enterprise risk in NIST IR 8286, which gives more detailed advice on risk assessment, focusing on enterprise risk priorities, aligning security risk registers with ERM, and how to use Business Impact Analysis (BIA) to get a clearer view of how a cybersecurity incident may impact the wider enterprise.
A key challenge in cybersecurity risk management is ensuring that you can accurately represent an increase in the risks when the threats increase, and an accurate decrease when controls are implemented or improved. It can be too easy sometimes to move the dial too far in either direction: to overemphasise the significance of a threat to justify investment, or to overstate the effectiveness of a control, suggesting the risk has dropped significantly. Having a mature process allows you to maintain consistency and justify the rating of your risks.
The outsider is the new insider threat
Third Party Risk Management has always been a concern. With many organisations putting their critical assets, services and information in the hands of third parties, and with those third parties then subcontracting elements of those out to their own suppliers, it can be very easy to lose track of who holds what information, what levels of service and performance must be maintained by which external party, who is accountable for ensuring vulnerabilities are addressed, and what role each party must play in the event of an incident… and for that matter, do you even have the latest contact details for them?
Supply-chain risk is a feature of v1.1 of the framework, but like many other areas it has been significantly expanded for v2.0. NIST also has a significant publication outlining Cybersecurity Supply Chain Risk Management Practices, NIST SP 800-161r1, which provides detailed guidance on how to approach, design and operate an effective supply-chain risk management programme.
To emphasise how much this area has grown, the number of subcategories for supply-chain risk has increased from 5 to 10, with a far greater focus on the importance of understanding who your most critical suppliers are, ensuring due diligence is performed before signing any formal agreements, and once again integrating this with Enterprise Risk Management.
Suppliers are likely to be holding the keys to your kingdom, but they don’t know your company as well as you do, they won’t get the same level of awareness training as internal staff, you cannot monitor their activities as closely as you can within your own environment, and when things do go wrong, chances are your opportunities for reparation and compensation will not be sufficient to cover your own costs and impact.
If you ensure that these risks are addressed before the inevitable event happens, both from a contractual perspective and through closer monitoring and management of suppliers, you will be in a better place. Including critical suppliers in tests, exercises and other activities, to ensure they are ready to respond in the event of an incident, will help you minimise business disruption.
Stay tuned for the next article, where we’ll complete our journey through the Govern function of the NIST Cybersecurity Framework 2.0.