Inside Cybersecurity

Software group urges NIST to steer away from adding more detail on supply chain into CSF 2.0

By Sara Friedman / February 23, 2023

BSA-The Software Alliance wants NIST to limit the amount of new content on supply chain risk management in the update to the cybersecurity framework and encourages the use of informative references, according to policy director Henry Young.

“Supply chain risk management is already in the framework. I think it is pretty well covered and when people want to dive more into supply chain risk management they go to the informative references including NIST 800-161, that is the right way to handle it,” Young told Inside Cybersecurity at the Wednesday NIST in-person CSF 2.0 working session event.

NIST is holding a second in-person event today to gather additional feedback from stakeholders.

NIST Special Publication 800-161 is the agency’s foundational SCRM guidance and was updated last year. The CSF includes details on SCRM in the “Identify” function.

In the CSF 2.0 concept paper, the agency says, “NIST invites feedback as to how best to address C-SCRM in CSF 2.0. Options may include: 1) further integrating C-SCRM outcomes throughout the CSF Core across Functions (integration may include supply chain separately or as a consideration as part of broader outcomes), 2) creation of a new Function focused on outcomes related to oversight and management of C-SCRM, or 3) expanding C-SCRM outcomes within the current ID.SC Category in the Identify Function.”

Young said, “Supply chain risk management is very complex and to try to cover all of it in the framework would reduce the value of the framework. How it is set up now works pretty well where supply chain risk management” is handled through the informative references in the 326-page NIST 800-161 document.

“To try to put all of the supply chain risk management in would be a disservice to the framework,” he said.

BSA is supportive of adding a “Govern” function into CSF 2.0, Young said. “Governance goes across the categories and it requires organizations, leadership to engage and oversee the risk management associated with cybersecurity and I think that’s a good thing.”

Wednesday’s in-person working sessions allowed stakeholders to split into six groups to discuss specific elements of the CSF 2.0 where NIST is seeking input. The topics were the relationship to standards and mappings; changes to the CSF “core”; guidance and profiles; Cybersecurity Governance; Cybersecurity Supply Chain Risk Management; and “Assessment and Measurement.”

The meeting was conducted under the Chatham House Rule to encourage more in-depth discussion and opportunities for close collaboration. CSF 2.0 program lead Cheri Pascoe opened the meeting, and the wrap-up featured recaps from each session moderator providing a high-level overview in a public setting.

In the first CSF core session, one individual said industry is concerned that making significant changes to the framework will undermine the investments companies have made to adopt the current iteration. If changes are made, session participants agreed that the identifier for each category should remain the same even if there is consolidation of certain categories to protect investments.

Stakeholders also expressed an interest in incorporating the concept of “notional implementation examples,” first used in the NIST Secure Software Development Framework, into CSF 2.0.

Young told Inside Cybersecurity, “There’s a tension between changing something people like and use and improving it. I’m strongly supportive of improving this document but there is also a cost associated with people [who] use the document to organize how they think” and what can be changed.

“There will be some kind of growing pains,” Young said, while acknowledging that “it is worthwhile but it is still a change.”

On the categories, Young said, “I think some categories will end up being combined and that will be better and some will be removed or deprecated. There is room for doing that. If NIST is updating the framework about once every 10 years, it is an opportunity to remove some categories, add some categories, and that would give people a bunch of years to practice using it, get better at using it, improve cybersecurity.”

The first version of the framework was released in 2014 and followed up by CSF 1.1 in 2018.

The current “timing makes sense,” Young said. If changes are made “much more frequently, then the changes have to be smaller because otherwise it throws everyone for a loop.”

He said this “goes from CEOs who may be thinking about making risk with the framework to practitioners who are looking at the standards that are mapped.”

CSF 2.0 will include updates to the informative references, according to NIST Applied Cybersecurity Division chief and Chief Cybersecurity Advisor Kevin Stine.

Stine told Inside Cybersecurity, “A lot of the discussion is on the most useful way to do it including inside the framework, outside the framework or some combination.”

At the CSF 2.0 virtual workshop on Feb. 15, NIST officials spoke about how making connections to NIST resources will be an important part of the update, specifically pointing to the Cybersecurity and Privacy Reference Tool.

“The CPRT can be an online repository to host those kinds of mappings and evolve those mappings as the different references change,” Stine told Inside Cybersecurity at the in-person meeting.

NIST’s Online Informative References (OLIR) effort offers a “more detailed mapping specification and that could be ingested into the CPRT online tool,” Stine said. -- Sara Friedman (sfriedman@iwpnews.com)