
Illustration by Security Management; iStock

Improving on a Good Thing: NIST’s Cybersecurity Framework Version 2.0

Are you asking the right questions about cybersecurity and risk management? For a decade, the Framework for Improving Critical Infrastructure Cybersecurity from the U.S. National Institute of Standards and Technology (NIST) has helped security leaders frame business-centric questions: How mature are an organization's security professionals, its business lines, and its industry sector in dealing with digital threats, and how well does its current technology stand up to them? And, most importantly, how secure is secure enough?

The framework, now known broadly as the NIST Cybersecurity Framework, has helped security practitioners worldwide think differently about digital risk and assets. Alberto Friedmann heads a security consulting company based in Mexico, and he says that the framework (which was released in 2014 and revised in 2018) has been a huge help for local industries, as well as industries doing business with U.S. organizations or the U.S. government.

“It makes our customers more aware of threats,” Friedmann says. “Then they adopt a more pre-emptive risk management strategy, rather than a fully reactive one.”

Friedmann says that the big-picture questions about preparedness, awareness, and respect for cybersecurity threats outlined in the framework encourage security professionals and executives in government agencies, organizations, and companies to really see how “the lack of a fully comprehensive strategy will [negatively affect] business and operations.”

That is why Friedmann was excited to hear that NIST was revamping the framework 10 years after version 1.0, and six years after the mid-course version 1.1 update.

“It focuses even more on the evolution of threats and looking for an easier and simpler format to allow organizations to address risks,” Friedmann says. “And it includes not only critical infrastructure or specific markets, but all types of organizations regardless of type or size.”

The update also comes at a time when the U.S. Securities and Exchange Commission (SEC) is enforcing new requirements for publicly traded companies that require notification of cybersecurity incidents deemed “material” to investors, according to a July 2023 SEC press release.

The fact that the CISO of SolarWinds, an IT management company, is facing SEC fraud charges related to a 2020 cyberattack is making cybersecurity and business leaders even more jumpy and hungry for guidance.

In this tense environment, version 2.0 of the NIST CSF launched. Its authors tout the framework’s new focus on “IT-room-to-boardroom” governance guidance as well as newly updated examples and resources on how to implement the CSF’s more granular cybersecurity suggestions and customize those suggestions for particular industries.

The What and Why of the Framework

NIST released version 1.0 of the CSF 10 years ago. At roughly 40 pages, it was surprisingly succinct by the standards of government documents. NIST falls under the umbrella of the Department of Commerce and has an official mission “to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life,” according to the institute’s website.

In an August 2023 press release, Cherilyn Pascoe, director of NIST’s National Cybersecurity Center of Excellence and the former lead developer of the CSF, said the first version focused on critical infrastructure like banking and energy, rather than attempting to cover every possible industry.

In the years after its release, though, Pascoe said she was happy to discover that the CSF proved useful for any organization, “from schools and small businesses to local and foreign governments,” according to a NIST press release.

This widespread adoption of the framework inspired the developers for version 2.0.

“With this update, we are trying to reflect current use of the framework and to anticipate future usage as well,” Pascoe said when the draft version of 2.0 was made available for public comment. Emerging cybersecurity issues like supply chain risks and the threat of ransomware were on NIST developers’ minds for this version.

After a months-long public comment period on the latest draft, version 2.0 of the CSF was published on 26 February 2024.

Who remembers what cyber risk management was like before the framework? Greg Gatzke does.

Life in cybersecurity was all about best practices, says Gatzke, who is president of IT consulting firm and managed services provider ZAG Technical Services. “We’d just tell people, ‘Do this, do that.’ Then, we moved to checklists, putting things in the right order and comparing what one company was doing to another,” he explains.

The framework was part of a “maturing process” in cybersecurity, Gatzke says.

ZAG’s head of IT Compliance, Allen Santana, says cybersecurity professionals were “shooting from the hip.”

There were plenty of threats, but no clear national, regional, or industry cybersecurity standards at work for ZAG’s agricultural clients—a sector responsible for growing and moving food and where cybersecurity incidents that shut down work for days or weeks can be devastating.

“Lettuce doesn’t ever get fresher,” Gatzke says. “In my world, you need to recover within 24 hours or you’re toast.”

The CSF was part of the impetus for the agricultural sector to develop its own more specific standards. The trade group Produce Supply Organization developed Cybersecurity Best Practices for Produce Suppliers in 2021, turning helpful but deliberately nonspecific recommendations from NIST into a more targeted plan.

Santana says that organizations don’t always see senior leaders act on cybersecurity until they or a competitor is affected, but Gatzke says there’s been a sea change recently.

“Two or three years ago, nobody wanted to talk about cybersecurity,” Gatzke says. “Now, I'm more surprised by an organization that doesn’t want to talk about it at the board level.”

How the Framework Has Been Used

The framework’s first version, the Framework for Improving Critical Infrastructure Cybersecurity, was initiated by Executive Order 13636, signed by then U.S. President Barack Obama in February 2013. Released a year later, the framework has never been legally mandatory outside U.S. federal agencies (which were directed to use it by a 2017 executive order) and some state and foreign governments that work with the federal government. However, many organizations now require that vendors and supply chain partners follow its big-picture approach to organizing cybersecurity risk management.

Paul Tucker, chief information security and privacy officer with regional bank BOK Financial in Oklahoma, says his institution sends out spreadsheets that vendors fill out to be rated for risk.

On those risk-assessment spreadsheets, he says, “if they access and use our customer data, they rise to the top.”

The NIST CSF is geographically agnostic, too. Friedmann uses it in Mexico to align with U.S. organizations’ cybersecurity approaches, and security professionals worldwide have found value in its straightforward and broadly applicable guidance as a starting place for cyber risk management. The document has been downloaded roughly 2 million times in more than 180 countries, and it has been translated into at least 13 languages, according to Kevin Stine, NIST chief cybersecurity advisor and chief of the NIST Applied Cybersecurity Division, who was involved in both major iterations of the framework.


Why has the CSF been so successful? Stine thinks the style of language has helped cybersecurity professionals and their bosses talk about the issue in many sectors of business and government.

“We’re a pretty technical agency, but 10 years ago, we needed to speak the language of a much broader audience than just the bits-and-bytes folks implementing cybersecurity,” Stine says. “The common language that the framework provides is a really great way to express your own capabilities and requirements of your organizations, but in a way that can be understood and acted on by not only the technologists, but the risk managers and all the different parts of the cybersecurity ecosystem.”

The business-centric language was a hit, according to Tucker.  “With standards, say, from ISO [International Organization for Standardization], it sounds like legalese,” he says. “But with the framework, you didn’t need a translation to get through the document. It really helped me get an idea of how all these things connect together.”

BOK Financial receives calls from customers whose small businesses have been hit by cybersecurity events, and Tucker points them, sometimes, to the CSF: “Legally, I can’t help them, but I can give them advice to go look at webinars on the NIST framework. It makes it easier to grasp how to recover.”

Tucker says he walks into quarterly board meetings, and BOK Financial executives use terms like “identify” and “protect.”

“I don’t think they even know where they’ve learned it from,” he says. Tucker thinks they might have picked it up from years of talk about the CSF’s five functions:

  • Identify. Organizational understanding of how to manage cybersecurity risk to systems, assets, data, and capabilities.
  • Protect. Safeguards that limit or contain the impact of cybersecurity events.
  • Detect. Activities that identify events when they occur.
  • Respond. Steps to take once an event is detected.
  • Recover. Tasks that maintain resilience plans and restore capabilities and services impaired by an event.

With recent moves by federal agencies threatening fines or worse for failing to track and report cybersecurity events and notify investors, customers, and the government, Tucker says the banking industry’s eyes are wide open: “Now, even if you’re the fourth party from an event, we have to report that. We’re responsible, even that far out.”

What Version 2.0 Aims to Improve

NIST started planning a new version of the framework in February 2022, initiating a request for information and setting up workshops with stakeholders to create a core draft of an updated version of the CSF. NIST released the draft for a public comment period from August to November 2023, before publishing the final 2.0 update in February 2024. In version 2.0, the biggest change—and a significant nod to the importance of C-suite decisions and accountability—is a new function underpinning the five original ones: Govern.

Under the Govern function, the “organization’s cybersecurity risk management strategy, expectations, and policies are established, communicated, and monitored,” according to the CSF. “The Govern function provides outcomes to inform what an organization may do to achieve and prioritize the outcomes of the other five functions in the context of its mission and stakeholder expectations.”

In version 1.1, governance was not a function of its own: its outcomes were spread across the other functions (most of them sat in a Governance category under Identify). Pulling them into Govern makes explicit that organizational context, roles, and responsibilities shape every other part of the framework.

Gatzke likes the change: “Before this, governance was mixed into Identify and Protect, and it wasn’t clear how it touched on everything.”

NIST’s Stine says Govern deserves its new top billing: “We see ‘Govern’ being the driver for an organization or enterprise that really helps make sure you have the policies, risk tolerance, risk appetite, and approach to risk management defined at that governance level. Then, that helps to inform and influence the activities you take on from across all the other functions. There’s a feedback loop.”

If you’re looking for NIST to make the cybersecurity risk management process totally plug-and-play, though, keep looking. The document is short, but it demands deep reflection about your own organization’s risk tolerance and specific threats. People are always asking for a checklist for cybersecurity, but the NIST developers resisted the urge. Instead, version 2.0 features more implementation examples from different firms to show how to use the CSF effectively.

“The framework is really a suite of resources that includes online tools, implementation examples, and quick-start guides,” Stine explains. In addition, he says that newly developed profile examples answer the question for users: “OK, we have this framework. Now, how do we take it and customize it for our own needs?”

Public comments over the years led NIST to write new resources and reformat others for 2.0 to help users modernize and customize their approach to the framework:

  • Implementation examples. These give detailed examples of how to achieve the outcomes talked about more generally in the framework’s deeper sub-categories.
  • Community profiles. Collected under the banner of the National Cybersecurity Center of Excellence, these offer dozens of approaches developed for specific business sectors that can be used to compare “apples to apples” in a particular industry.
  • Organizational profile templates. These can be used to develop current and target cybersecurity postures for a particular organization.
  • Quick-start guides. These address highly requested issues, including:
    • Managing cybersecurity supply chain risk (C-SCRM) to become a “smarter acquirer and supplier of tech products and services.”
    • Characterizing cybersecurity risk with the CSF 2.0 tier system (those four tiers being partial, risk-informed, repeatable, and adaptive).
    • Additional help for enterprise risk managers, small businesses, trade associations, or other groups looking to develop their own unique community profile.

In addition to the how-to guides and more numerous examples, Stine says he is excited that the big-picture framework is paired with the online CSF 2.0 Reference Tool, featured in the “Informative References” section of the website. The tool presents the framework core in both human- and machine-readable form: it can be browsed online or exported (as JSON, for example), which lets automated systems work directly with the CSF’s functions, categories, and subcategories.

For instance, many organizations are already using, or considering, automated governance, risk, and compliance (GRC) tools, Stine adds.

“We wanted to provide the content not just in a format or in a way that you and I can read as humans but that can also be leveraged by machines to help bring greater automation capability to the cybersecurity risk management activities that many organizations are undertaking,” he explains.

The reference tool can be paired with the longer, more in-depth Cybersecurity and Privacy Reference Tool (CPRT) that pulls from an even fuller list of NIST documents on the topic, including privacy.

ZAG’s Santana appreciates the sentiment: “The framework is the end-all, be-all, but it’s nice to see they’re aligning their approach to smaller, lesser-known approaches.”
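To make the two ideas above concrete, the organizational profile templates (current versus target posture) and the machine-readable core that a GRC tool can consume, here is an added example that is not NIST’s code or any tool mentioned on this page. It assumes a simplified JSON layout for the core (functions, categories, subcategories; the real export from the CSF 2.0 Reference Tool has its own schema, so `load_core` would need adapting), a constructed Current/Target profile, and an assumed 0 to 3 state scale with high/medium/low priorities. Only GV.OC-03 carries the framework’s own wording, quoted later in this article; the other outcome texts are shortened paraphrases used for illustration.

```python
import json
from collections import defaultdict

# Constructed sample of the CSF 2.0 Core, trimmed to one outcome per Function.
# The layout (functions -> categories -> subcategories) is an assumption for this
# example; load the real core from NIST's export and adapt load_core() to it.
SAMPLE_CORE_JSON = """{
  "functions": [
    {"id": "GV", "name": "Govern", "categories": [
      {"id": "GV.OC", "name": "Organizational Context", "subcategories": [
        {"id": "GV.OC-03", "text": "Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed"}]}]},
    {"id": "ID", "name": "Identify", "categories": [
      {"id": "ID.AM", "name": "Asset Management", "subcategories": [
        {"id": "ID.AM-01", "text": "Inventories of hardware are maintained (paraphrase)"}]}]},
    {"id": "PR", "name": "Protect", "categories": [
      {"id": "PR.AA", "name": "Identity Management, Authentication, and Access Control", "subcategories": [
        {"id": "PR.AA-01", "text": "Identities and credentials are managed (paraphrase)"}]}]},
    {"id": "DE", "name": "Detect", "categories": [
      {"id": "DE.CM", "name": "Continuous Monitoring", "subcategories": [
        {"id": "DE.CM-01", "text": "Networks and network services are monitored (paraphrase)"}]}]},
    {"id": "RS", "name": "Respond", "categories": [
      {"id": "RS.MA", "name": "Incident Management", "subcategories": [
        {"id": "RS.MA-01", "text": "The incident response plan is executed (paraphrase)"}]}]},
    {"id": "RC", "name": "Recover", "categories": [
      {"id": "RC.RP", "name": "Incident Recovery Plan Execution", "subcategories": [
        {"id": "RC.RP-01", "text": "The recovery plan is executed (paraphrase)"}]}]}
  ]
}"""

# Constructed Current/Target Organizational Profile. The 0-3 state scale and the
# priority labels are assumptions for this example, not CSF 2.0 terminology.
SCALE = {0: "not started", 1: "partial", 2: "largely in place", 3: "fully in place"}
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}
SAMPLE_PROFILE = {
    "outcomes": {
        "GV.OC-03": {"current": 1, "target": 3, "priority": "high"},
        "ID.AM-01": {"current": 2, "target": 2, "priority": "medium"},
        "PR.AA-01": {"current": 0, "target": 3, "priority": "high"},
        "DE.CM-01": {"current": 1, "target": 2, "priority": "medium"},
        "RS.MA-01": {"current": 2, "target": 3, "priority": "low"},
        # RC.RP-01 is deliberately absent: it must surface as unassessed.
    }
}


def load_core(core_json: str) -> dict:
    """Flatten Function -> Category -> Subcategory into {subcategory_id: info}."""
    flat = {}
    for fn in json.loads(core_json)["functions"]:
        for cat in fn["categories"]:
            for sub in cat["subcategories"]:
                flat[sub["id"]] = {"function": fn["name"], "category": cat["name"], "text": sub["text"]}
    return flat


def gap_report(core: dict, profile: dict) -> dict:
    """Compare current and target state per outcome; flag gaps and unassessed outcomes.

    Rejects outcome IDs that are not in the core (a typo in a spreadsheet would
    otherwise silently drop an obligation) and states outside the 0-3 scale.
    """
    gaps = []
    for sub_id, entry in profile["outcomes"].items():
        if sub_id not in core:
            raise ValueError(f"profile references unknown outcome {sub_id}")
        cur, tgt = entry["current"], entry["target"]
        for value in (cur, tgt):
            if value not in SCALE:
                raise ValueError(f"{sub_id}: state {value!r} is not on the 0-3 scale")
        if tgt > cur:
            gaps.append({
                "id": sub_id,
                "function": core[sub_id]["function"],
                "gap": tgt - cur,
                "priority": entry.get("priority", "medium"),
                "current": SCALE[cur],
                "target": SCALE[tgt],
            })
    # Highest priority first, then the widest gap, then stable by ID.
    gaps.sort(key=lambda g: (PRIORITY_RANK.get(g["priority"], 3), -g["gap"], g["id"]))
    unassessed = sorted(sub_id for sub_id in core if sub_id not in profile["outcomes"])
    return {"gaps": gaps, "unassessed": unassessed}


def gaps_by_function(report: dict) -> dict:
    """Count open gaps per Function, the view a board-level summary usually wants."""
    counts = defaultdict(int)
    for gap in report["gaps"]:
        counts[gap["function"]] += 1
    return dict(counts)


if __name__ == "__main__":
    report = gap_report(load_core(SAMPLE_CORE_JSON), SAMPLE_PROFILE)
    for gap in report["gaps"]:
        print(f"{gap['priority']:<6} {gap['id']:<9} {gap['current']} -> {gap['target']}")
    print("unassessed:", report["unassessed"])
    print("open gaps by function:", gaps_by_function(report))
```

The point of the unassessed list is that a profile is only as good as its coverage: an outcome nobody rated never shows up as a gap, so the report has to call it out separately rather than treat silence as “done.”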

Just as cybersecurity has become intertwined with many companies’ risk management approaches, Salvatore D’Agostino, founder of consulting and technology company IDMachines, hopes for a day when privacy is integrated into the official framework just as tightly. He figures that if companies are more transparent about exactly who they are and what data they gather, online and through identity checks used for security, everybody will be safer for it. The CSF’s “sister” document is the NIST Privacy Framework Version 1.0, released in 2020.

The new framework does give a nod to privacy in the categories and subcategories of the Govern function: “Legal, regulatory, and contractual requirements regarding cybersecurity—including privacy and civil liberties obligations—are understood and managed.” The new document also links to NIST’s Privacy Risk Assessment Methodology (PRAM), which includes worked example problems illustrating what happens when cybersecurity events touch on privacy.

“At the end of the day, if you’re there for safety, you’re certainly there for protecting privacy,” D’Agostino says. “And in order for there to be security, there needs to be transparency and a purpose for gathering personal information and data.”

The less data an organization holds, the less there is to be stolen or leaked.

Ultimately, regardless of important moves on the latest, greatest tool to tackle the latest, worst cyberthreat, BOK Financial’s Tucker tries to stay patient with the world of cybersecurity.

“Banking has been around for hundreds of years,” he says. “Cybersecurity has been around, say, 25 to 30 years. We’re all still figuring out how to do the basic stuff.”


Brendan Howard is host of the monthly podcast Security Management Highlights from ASIS International. He has been working in publishing and multimedia for nearly 25 years.

Additional reporting by Megan Gates, senior editor for Security Management.
