Inside Cybersecurity

July 19, 2024

Daily News

NIST framework veterans review changes in CSF 2.0 update including governance function, supply chain content

By Sara Friedman / February 27, 2024

NIST’s update to the cybersecurity framework, known as “CSF 2.0,” is an evolution 10 years in the making of work to help organizations understand risks and incorporate ways to address new challenges, according to framework veterans who were involved in the early days of the original framework’s development.

The framework was crafted by NIST in 2013-2014 under a requirement from an Obama-era executive order. The agency held workshops to gather stakeholder feedback around the country and published the first draft version of the framework in 2013.

“When EO 13636 came out in 2013, the reality is that the cyber environment was a very different time, the risk awareness of systemic cyber threats was very low other than in a few sectors. The EO clearly issued a challenge to industry to come together with the U.S. Government to create a Cybersecurity Framework that all could use, and the end result was a fantastic success,” Norma Krayem of Van Scoyoc Associates told Inside Cybersecurity.

Norma Krayem

Norma Krayem, Chair, Cybersecurity and Data Privacy Practice Group, Van Scoyoc Associates

Krayem said, “Industry worked with NIST, the White House and other key agencies and each other, to create a nimble, flexible document that was easy to use. Since then, other sectors like financial services and communications have mapped their sector to the Framework which is invaluable.”

Krayem is vice president and chair of Van Scoyoc Associates’ Cybersecurity, Privacy & Digital Innovation Practice Group and a former senior official at the departments of Commerce, Transportation and State.

“Having worked in, and with, industry on the Framework since the very beginning, the product has been a 100% success,” Krayem said, emphasizing how it integrates “11 years of lessons learned and best practices. It also comes at a much-needed time when cyber risks to critical infrastructure and beyond are at all-time highs.”

Krayem said, “Luckily, it’s also a time when we can all freely discuss cyber risks and how to address it, something that was still not commonplace in 2013. [CSF] 2.0 talks about the critical concepts that we’ve all been preaching for years, the importance of cyber as part of an enterprise risk management structure, and it added a critical element ‘Govern’ to encapsulate the [enterprise risk management] concepts, including how to talk to leadership, the C-Suite and the Board of Directors.”

NIST released the major update to the cybersecurity framework, known as “CSF 2.0,” on Monday. The framework features a new governance function and additional content on supply chain risk management. NIST considered adding a new function on supply chain, but decided against it based on stakeholder feedback.

Former CISA senior official Bob Kolasky also weighed in on the strengths of the framework and what should happen next.

Kolasky said, “The final CSF 2.0 seemed to adhere to the direction NIST had stated they were headed and I was not surprised with the final version which is not unusual as NIST is good at previewing directions and being inclusive in development. Ultimately the things that are most important about the new Framework are the addition of the Govern Function and the statement that this is intended to be a Framework for all organizations and not just critical infrastructure.”

The Govern function should drive “organizations to take processes for managing cyber risk seriously and place them in a corporate and cost-benefit decision process as part of enterprise risk management,” Kolasky said.

He added, “A critical element of Governance is designing an approach to cyber supply chain risk management as part of cyber security as third party cyber risk needs to be accounted for. I am glad that the CSF emphasizes this.”

Kolasky left government in 2022 after a 15-year career at the Department of Homeland Security and CISA where he played a role in implementing EO 13636. His most recent job at CISA put him in charge of the National Risk Management Center.

Kolasky called CSF 2.0 “a key element of an organizations approach to cyber security,” while arguing that “it needs to be implemented in a way that allows for adaptability by organizations. That isn’t a flaw in the Framework but instead a reality that an organization shouldn’t update its framework and consider that the work is over. It needs to use the Framework to be responsive to emerging threats. NIST seems to understand that.”

“In terms of next steps, I’m eager to hear how the new Framework will be reconciled with CISA’s Cybersecurity Performance Goals. There should be no daylight between those two efforts,” Kolasky said. The CPGs were updated in 2023 to align more closely with the CSF.

CSF 2.0 should be a “basis for harmonization across industries and internationally” with support from the Biden administration, Kolasky said. “The new Framework is a great baseline for alignment and I hope policy makers keep pushing for consistent application of it.”

Robert Mayer of US Telecom commented, ““Today’s release of the NIST CSF 2.0 marks another momentous milestone in our nation’s efforts to address the ever-increasing challenge of cybersecurity risk management. The impact of the original framework cannot be overstated as it fundamentally changed the way organizations around the world understood and communicated cyber risk to both internal and external stakeholders.”

“With this latest update, NIST has once again validated the benefits of collaborating with industry by establishing risk-tailored mechanisms that ensure accountability and continuous improvement,” Mayer said.

Mayer was part of an effort to develop a CSF profile in 2015 tailored to the communications sector through the FCC’s Communications Security, Reliability, and Interoperability Council.

John Miller of the Information Technology Industry Council said, “The Cybersecurity Framework has been a highly successful tool that has positively impacted the cybersecurity of thousands of organizations of all sizes in the U.S. and internationally. We believe the new version of the Framework, with its expanded scope, will provide significant continuing value to users within critical infrastructure and beyond.”

Miller said, “We appreciate that NIST addresses the complex topic of supply chain cybersecurity in a way that recognizes its importance to cybersecurity risk management, and the accompanying C-SCRM Quick Start Guide is an especially helpful resource for organizations wishing to use the Framework to address supply chain challenges the release of its C-SCRM Quick Start Guide. We commend NIST’s robust stakeholder engagement process to update this important tool and look forward to continuing our decade-long collaboration on future iterations of the Framework, cybersecurity standards, and other U.S. cybersecurity policy.”

CSF 2.0 is designed to support the implementation of President Biden’s national cyber strategy.

National Cyber Director Harry Coker told Inside Cybersecurity, “After listening to, and learning from, both industry and government partners, NIST has rolled out an important, major revision of one of the foundational documents for cybersecurity risk management. We applaud this framework as, in line with the President’s National Cybersecurity Strategy, it transitions best practices into common practices.” -- Sara Friedman (