NIST Cybersecurity Framework v2 focuses on the importance of governance and supply chain in reducing security risks

At the speed of the world moving today, enormous transformations can occur in less than a decade, especially in a field as dynamic as cybersecurity. That is why the National Institute of Standards and Technology (NIST), a U.S. government agency, has just made public the draft of version 2 of its Cybersecurity Framework, which saw the light of day in 2014.

For the past nine years, this tool has been used by thousands of companies and cybersecurity experts around the globe to undertake risk management successfully.

The NIST Cybersecurity Framework v2‘s mission is to adapt this working tool to the enormous changes that have occurred in the threat landscape over the past few years and thus help organizations around the world and in all kinds of industries to improve their defensive capabilities, prevent security incidents and, should they occur, manage them successfully.

In this article, we will break down the four keys to the NIST Cybersecurity Framework v2, highlighting the main new features incorporated, its essential characteristics, and the different uses that companies can make of it when it comes to managing risks by implementing advanced cybersecurity services.

The draft framework is currently in the public exposure phase so that the cybersecurity community can propose any changes before the final version is published.

1. Main novelties of the NIST Cybersecurity Framework v2

The main incentive for designing the NIST Cybersecurity Framework v2 was the institute’s realization that version 1 of the tool was being used not only by the organizations for which it was intended, i.e., companies in critical sectors such as banking and energy but that thousands of companies in a wide variety of economic sectors were using the framework to undertake cybersecurity risk management.

This fact, together with all the technological transformations and the increase in vulnerabilities, cyber threats, and attacks, has led NIST to carry out a comprehensive review of the framework to increase its usability and adaptability and help the tool remain a crucial ally for cybersecurity experts, companies, and public institutions.

1.1. A multi-sectoral and global tool

As a consequence of the above, the first new feature of the NIST Cybersecurity Framework v2 is that it has broadened its focus:

1. It no longer emphasizes only critical infrastructure security risks but considers all types of organizations to cover all economic sectors. This is consistent with the fact that hostile actors do not only attack companies and administrations in particularly critical or sensitive areas but any organization can be attacked.
2. Although NIST is a U.S. governmental organization, it is aware of its position as a global methodological reference. For this reason, the NIST Cybersecurity Framework v2 not only emphasizes the need to secure critical U.S. infrastructures. The tool is now designed to benefit companies and administrations worldwide significantly.

1.2. Linking the Cybersecurity Framework to other resources

Over the last decade, NIST has developed and published multiple resources to help cybersecurity experts and organizations address emerging cybersecurity challenges.

Therefore, in preparing the new version of the Cybersecurity Framework, an update of the tool was undertaken in light of the knowledge generated in resources such as:

• The Privacy Framework.
• The Secure Software Development Framework.
• A Guide for Managing Supply Chain Risks.
• The Artificial Intelligence Risk Management Framework.
  Etc.

This documentation was the fruit of multiple investigations to provide tools to manage issues vital to cybersecurity, such as supply chain attacks, security by design, or the challenges brought about by the rise of Artificial Intelligence systems.

The NIST Cybersecurity Framework v2 draws on all this knowledge to provide companies with a comprehensive approach to risk management.

1.3. Facilitating framework implementation

The raison d’être of the NIST Security Framework v2 is to be helpful to companies in curbing threats and risks. Therefore, enhancements have been introduced to facilitate the implementation of the framework within organizations:

• Implementation examples are provided to achieve the security results.
• The guide has been further developed to help companies develop their profiles and improve their implementation.
• Templates have been incorporated to help companies create their profiles and action plans to achieve the desired security results.

1.4. Cybersecurity governance and supply chain management

One of the most relevant new features of the NIST v2 Cybersecurity Framework is the inclusion of a new function at its core: governance, which covers aspects such as:

• The company context.
• Supply chain risk management has its category.
• Roles, responsibilities, and authorities within the organization.
• Security policies, processes, and procedures.
• Oversight of security programs.

In addition, it explains how to integrate the NIST v2 Cybersecurity Framework with the Privacy Framework and enterprise risk management guidance and incorporates best practices in secure software development.

It has also given greater prominence to the people, processes, and technologies involved in implementing the framework.

1.5. Clarification of levels and profiles

Finally, several changes have also been incorporated that contribute to:

• Clarifying and systematizing the NIST v2 Cybersecurity Framework levels, focusing them on three key aspects: governance, risk management, and issues related to third parties such as IT vendors.
• Emphasize the importance of continuous improvement by creating a new category in the identification function.
• Facilitate the development and updating of company profiles and action plans.

2. Optimize the management of cybersecurity risks

All the new features summarized above are designed to ensure not only that the NIST v2 Cybersecurity Framework adapts to the characteristics and needs of any organization but also to accommodate uses not yet foreseen and to continue the tasks set in motion by the original version of the tool:

• Consolidate a common language worldwide when talking about cybersecurity.
• To provide organizations with a systematized methodology for managing security risks.
• Facilitate communication between professionals and technical and non-technical teams (e.g., legal departments or communication offices).
• Propose actions that can be incorporated into cybersecurity strategies and adapted to the needs and objectives of each organization.

The framework is based on the idea that each organization has its characteristics, needs, objectives, and resources, so each company has to face different threats, vulnerabilities, and risks. In addition, each sector’s peculiarities and regulatory requirements are also different. For this reason, the NIST Cybersecurity Framework v2 is intended as an open and voluble tool that proposes a series of security outcomes, arranged in functions and categories, as we will see in the next section, to help any company to:

• Understand and evaluate. Understand an organization’s cybersecurity posture, detect security gaps, and assess progress in eliminating them, in addition to aligning policy, business, and technology issues to manage risks holistically.
• Prioritize opportunities and actions to reduce risks, considering business objectives and legal requirements.
• Communicate internally and externally about risks, capabilities, needs, and expectations.

3. The 6 Essential Functions of the NIST Cybersecurity Framework v2

As we noted when breaking down the main new features of the NIST Cybersecurity Framework v2, this tool has a core structured around six primary cybersecurity functions running continuously and concurrently.

In turn, these functions are divided into security categories and outcomes, called subcategories, to facilitate their implementation and help companies holistically address security risks. Finally, the framework includes methodological references and best practices to help companies achieve the outcomes.

The NIST Cybersecurity Framework v2 not only incorporates the governance function but also carries out a reorganization of the categories and subcategories of all the functions, intending to make them more transparent, better systematized, and easier to implement and assess.

3.1. Governance

This function occupies a central position within the NIST v2 Cybersecurity Framework, as it revolves around implementing and continuously monitoring the cybersecurity risk management strategy, expectations, and security policies. The outcomes tied to this function determine how the outcomes of the other five functions are prioritized and achieved.

The NIST Cybersecurity Framework v2 proposes up to 31 achievable governance outcomes structured around six broad categories:

• Organizational context.
• Risk management strategy.
• Supply chain risk management.
• Roles, responsibilities, and authorities.
• Policies, processes and procedures.
• Monitoring the results of risk management activities to improve and adjust the strategy.

3.2. Identify

This function is focused on determining an organization’s current cybersecurity risks. To do this, it is essential to understand all the company’s critical assets (data, software, systems, etc.), relate them to the risks, and manage resources effectively to prioritize both assets and risks.

The three categories that make up the identify function group 20 results are:

• Asset management
• Risk assessment
• Improvement

3.3. Protect

To protect critical assets, it is essential to put in place security mechanisms and controls that optimize defensive capabilities and reduce the likelihood of a security incident. Among the results included in this function are the management of identities, authentication, access control, or the IT infrastructure’s resilience to a cyberattack.

Within the protect function, we can find up to five categories, grouping 23 results:

• Identity management, authentication, and access control.
• Awareness and training of professionals
• Data security
• Platform security
• Resilience of the technological infrastructure

3.4. Detecting

An essential function of any security strategy is the detection of attacks. To this end, it is critical to have mechanisms in place to discover and analyze anomalous behavior, indicators of compromise, and other events to identify that a security incident is taking place.

The 11 outcomes of the detect function are structured around two categories:

• Continuous monitoring
• Adverse event analysis

3.5. Respond

In addition to detecting attacks and security incidents, having the tools to respond to and contain their impact on the company is essential. This function includes results such as incident mitigation and incident reporting.

The response function is structured around 13 outcomes divided into four categories:

• Incident Management
• Incident analysis
• Incident response reporting and communication
• Incident mitigation

3.6. Recover

The final function of the NIST v2 Cybersecurity Framework is recovery from a security incident. Restoring affected assets and operations and enabling smooth communication during recovery efforts are two critical aspects of this function.

There are eight deliverables in this function, divided into two categories:

• Execution of the incident recovery plan
• Incident recovery communication

4. Using the NIST Cybersecurity Framework v2

So far, we have emphasized that the NIST Cybersecurity Framework v2 has been designed as an open tool that can be adapted to the needs and objectives of any organization when managing security risks. In addition, we have also pointed out some crucial concepts when moving from theory to practice and using the tool, such as profiles or levels.

The NIST Cybersecurity Framework v2 guide details some tools used to address critical issues, such as setting and achieving business cybersecurity objectives and supply chain management.

4.1. Profiling

To facilitate the implementation of the core NIST v2 Cybersecurity Framework and achieve security outcomes, companies can build two types of profiles:

• The company’s current profile. That is the set of outcomes the organization already achieves with its security strategy.
• The target profile. That is, the desired security results to be achieved, considering business objectives, available resources, and the organization’s specific risks. Employing the target profile, companies can anticipate regulatory changes, for example, the future approval of the AI regulation in the European Union, as well as the implementation of new technology or the main trends detected by Threat Intelligence professionals.

4.1.1. Step by step

The NIST Cybersecurity Framework v2 unpacks the process of creating and using profiles through five significant steps:

1. Define the use case for the profiles: why the profiles are being created, how the company is organized, what are the assets to consider when developing the profiles, who will need to develop, review, and work with the profiles, and which people will set security expectations and objectives.
2. Gather all the information needed to develop the profiles: company policies, risk management priorities, resources, legal requirements, standards, etc…
3. Create the profiles and objectives, including the information for each selected outcome. In this phase, it is essential to consider the risks of the current security state to prioritize the measures to be implemented to achieve the target profile.
4. Analyze the differences between the profiles and create an action plan. This step is used to make effective decisions that improve risk management in a cost/benefit ratio.
5. Implement the action plan and update the profiles. The action plan must enable the organization to successfully address the security gaps and move towards the results in the target profile. Improving a company’s security program is a continuous and long-term process, so it is necessary to update the current profile to see if the expected results are being achieved. The target profile must also be updated to adapt the security objectives to a changing and increasingly complex threat landscape. The action plan needs to be modified according to the shape changes.

4.2. Selection of levels

In addition to the core (and its elements) and profiles, there is another critical concept when using the NIST Cybersecurity Framework v2: levels.

As noted throughout the article, every company is different, and their security risks, resources, and legal duties are additional. The levels allow organizations to qualitatively assess their security practices qualitatively, keeping in mind that not all companies should aspire to reach the highest level because they either lack resources or the cost/benefit is not operational. The levels are:

• Partial
• Informed risk
• Repeatable
• Adaptive

In addition, the tiers help companies establish a roadmap to address three broad areas of their cybersecurity strategy:

• Risk governance
• Risk management
• Third-party risks

Thus, the levels provide evidence of an organization’s performance and also serve to understand the effort required to move up the ranks in the areas we have just described.

They are also helpful when creating and updating profiles since if a certain level is to be reached, for example, in risk governance, the target profile must include the results required to reach that level.

In this sense, the levels help make cybersecurity decisions take into account business objectives and available resources.

4.3. Improving communication internally and externally

Adequate communication flows are critical to the success of companies, and cybersecurity is vital. The NIST Cybersecurity Framework v2 is designed to help improve communication:

• Across the organization. Improving communication around cybersecurity expectations, resources, and planning is critical so that executives, business process managers, and those responsible for implementing measures and operations can seamlessly share information and make effective decisions to meet business objectives, safeguard assets, and ensure business continuity.
• With external stakeholders. In a context such as the current one, where supply chain attacks are one of the main threats companies have to face, communication with all parties involved is essential. The NIST Cybersecurity Framework v2 can be used to:
  • Indicate to suppliers the company’s cybersecurity management requirements.
  • Report on the status of cybersecurity requirements, for example, to a regulatory body.
  • Better understand the organization’s cybersecurity posture, taking into account the systemic risks it faces.
  • Identify cybersecurity priorities specific to the economic sector in which the company operates.
  • Share information about cybersecurity practices with potential customers and business partners to clarify the company’s cybersecurity posture before agreeing.
  • Establish shared responsibility models with companies providing cloud services.

4.4. Managing cybersecurity risks across supply chains

Finally, the NIST v2 Cybersecurity Framework can be used to manage security risks in supply chains and communicate with third parties involved in them.

The relevance and complexity of today’s supply chains have the direct consequence that supply chain risk management is a critical issue for organizations that procure, source, develop, or integrate technology products and services.

To this end, the NIST v2 Cybersecurity Framework can be used in two ways: by only addressing supply chain risks when performing the governance function or by including the management of these risks in the other functions of the framework.

4.4.1. Governance Function

As noted above, the new governance function includes a category focused on managing supply chain risks.

This category includes up to 10 outcomes that can be achieved to improve how supply chain risks are managed. For example, establishing a supply chain risk management program and strategy, conducting analyses of IT suppliers and prioritizing them according to their criticality level, or including suppliers and relevant third parties in incident response and recovery plans.

4.4.2. The importance of the supply chain in all other functions

• Identify. Identifying, validating, and recording vulnerabilities associated with suppliers of IT products or services is crucial.
• Protect. For example, when authenticating users, keeping a continuous and permanently monitored log record, or integrating secure software development practices into the suppliers’ software development lifecycle.
• Detect by continuously monitoring the IT infrastructure and considering third-party hardware and software.
• Respond. Putting response plans in place if a product or service is compromised.
• Recover. Execute the recovery tasks of the incident response plan when compromised products or services are involved and proceed to restore them, performing an integrity check.

In short, the NIST Cybersecurity Framework v2 is an open tool that adapts to each company or institution’s needs, objectives, specificities, and resources to help them optimize their security strategies and effectively manage cybersecurity risks.

Tarlogic Security offers companies comprehensive advice on implementing the NIST v2 Cybersecurity Framework and a broad portfolio of advanced cybersecurity services to achieve the expected results and strengthen the company’s defensive capabilities against cyber-attacks.