Inside Cybersecurity

May 18, 2024


CSF 2.0: Cloud Security Alliance’s DiMaria says address supply chain, maintain flexibility in framework update

By Charlie Mitchell / March 8, 2022

John DiMaria of the Cloud Security Alliance says the cloud aspects of supply chain security should be a critical part of NIST’s effort to update its cybersecurity framework, as companies face a pressing need to understand their responsibilities amid a historic shift to cloud-based services.

“There is a lot of outsourcing in the migration to cloud so supply chain security becomes essential,” DiMaria told Inside Cybersecurity. “Looking at the [prominent] recent breaches and ransomware attacks, a lot have to do with supply chain. But you’re responsible for your data from cradle to grave,” regardless of whether it’s stored in the cloud, he stressed. “A lot of people don’t realize that.”

The National Institute of Standards and Technology recently released a request for information to gather feedback on its planned “CSF 2.0” update. The RFI was published on Feb. 22 in the Federal Register, starting a 60-day public comment period that runs until April 25. NIST officials say supply chain issues will be a featured topic in the revamp process.

DiMaria is assurance investigatory fellow at the Cloud Security Alliance and a former cyber leader at the BSI Group focused on “standards-based solutions” for organizations. He has been closely involved in the development and use of the CSF since its launch nearly a decade ago. BSI was a pioneer in certifying industry use of the NIST framework.

CSA has developed a “shared responsibility model” for cloud security that the group will highlight in its comments to NIST under the agency’s request for information, DiMaria said.

Stakeholders throughout a supply chain need to know “who’s responsible for each control,” DiMaria said, adding there must be “a much higher level of assurance that everyone is watching their own supply chain.”

DiMaria said keys to the CSF 2.0 update will include “pulling together [work done in the separate NIST] privacy framework and adding supply chain pieces to make it a holistic document.” He said “updating the mapping” in the cyber framework to address cloud and supply chain controls “will be very useful.”

“I’d like to see the [CSA] cloud controls matrix added,” DiMaria said. “They haven’t really addressed cloud controls yet in the framework. They should cross-reference sector-specific controls that address cloud.”

And, he said, “It’s very critical that they’ve left it as a guidance document instead of making it more prescriptive. Keep it as a guidance so you can make your own decisions.”

DiMaria said, “The cybersecurity framework itself is a good guidance document for organizations to understand what they want to do on cyber. It details the standards, it maps to international standards, and it provides a roadmap to help get you where you want to go.”

He observed that NIST Special Publication 800-160, which is also in an update procedure, “is all about reducing complexity in security engineering, it’s a very well-written document.”

The security veteran pointed to CSA’s “STAR” certification program, which “builds on other standards too under the motto of ‘implement one, comply with many.’ We’re interested in this kind of model,” he said, with a focus on “less complexity.”

“I’m definitely looking forward to the [CSF] update, it’s been a long time coming,” DiMaria said. “Let’s dust it off and update it.” – Charlie Mitchell (cmitchell@iwpnews.com)