We think that the new version of NIST’s Cyber Security Framework is a significant improvement. There’s one big change, but it is the many little changes that add up to a massive overall improvement. New Zealand organisations will still need to do some work to plug some of its idiosyncratic gaps, however.
Why discuss the NIST Cyber Security Framework?
At Axenic we’ve worked with ISO 27001 for long enough that we no longer find it daunting. But we fully understand that for many organisations it can feel hard to navigate and complex. If you don’t have an ISO 27001 expert on hand, it can be really hard to understand how to implement the standard, and hard to know whether you’ve met it. So we’re not surprised that people sometimes look for alternatives, especially if your business doesn’t need the piece of paper to prove to your customers that you are actively managing security. I can just imagine the conversation at NIST:
“Federal government agencies need some guidance on how to do cybersecurity well, but this ISO 27000 thing is just too hard. Can you make us something simpler?”
“Yes, sure, hang on a moment.”
But was it really simpler?
I’ve worked with the NIST Cyber Security Framework a few times. Certainly, on the face of it, it seems better organised than ISO 27001, with a clear hierarchy of elements. However, when I tried to use it in anger I found that its subcategories were hard to apply in real life. They were vague and often over-broad, so it was hard to tell (from a design perspective) how you might meet them, or (from an audit perspective) whether you had.
There is also quite a bit of additional ambiguity in the method for using the framework core, a method that many people simply skipped. You are supposed to do a risk assessment and use that to decide which of the subcategories apply to your organisation (this is another area where the NIST Cyber Security Framework is closer to ISO 27001 than it at first appears). Instead, most people just used the subcategories as a checklist.
So what about this new version?
So for everyone who has struggled with the details of the NIST Cyber Security Framework, there is good news: NIST are working on a new version and a draft of it is available. There is lots to like about this new version, but some of the original concerns remain. Below are our key thoughts – good and bad – about the draft version.
What we like
Gives governance its due
Adding a new top-level governance function is a significant step in the right direction. The governance items that were scattered through the other categories never felt like a good fit, and pulling them all together makes it easier to see the connections.
It’s also nice to see policies getting some decent coverage. It always seemed strange to me that governance material was shoehorned into “Identify”, “Protect” and “Detect”.
Less vague
When I looked at the details of the original version I often asked myself “what do they mean by that?” The descriptions were vague and ambiguous: open to multiple, very different, interpretations. In the new version of the NIST Cyber Security Framework, a lot of that vagueness has been eliminated. The descriptions are now a lot more precise and specific. In short, they are much more useful if you are wondering what to do to meet the objective, or whether what you have already done meets it.
For example, under “Protect: Platform Security” the second item (PR.PS-02) now reads “Software is patched, updated, replaced, and removed commensurate with risk” where it used to read “A vulnerability management plan is developed and implemented”. We think this is much clearer, more precise and more measurable.
In addition, they are looking to add example implementations to further clarify each item. This will be very helpful when it is done.
Better aligned to ISO 27001
We’re not going to quantify this, but it feels like the new version is better aligned to ISO 27001. What gives us that feeling? Well, the additions plug some gaps between the framework and ISO 27001, and the clarifications make it clear that certain parts of the framework cover the same topics as ISO 27001 (which wasn’t clear in the previous version).
What we don’t like
Too much incident response, not enough incident management
There is way too much detail on incident response (it makes up a disproportionately large share of the entire document) and very little on other aspects of incident management (e.g. preparation, planning). When we talk to customers about incident management we stress that good preparation and planning (including training and testing your response plan and processes) are essential to successful incident management. None of this gets adequate coverage in this new version.
Around one third of the core framework is dealing with incident response – as important as it is, that seems excessive.
Still no assurance
Security assurance is still almost completely absent from the framework. There is very little that speaks to how we gain assurance that our security measures are effective in managing our risks – and how we demonstrate to stakeholders that this is the case. One key way that we do this is through control audits – but audits are mentioned only in passing and only in the context of examining suppliers. If you are required to comply with NIST CSF, this may be covered in your compliance requirement. However, if you select NIST as your framework of choice, that part is definitely missing.
Still no compliance
Security compliance activities are entirely missing from this (and the previous) version. For many of our clients, understanding their compliance requirements and then demonstrating that they meet those requirements is a significant part (and benefit) of their security work. With private sector clients, this usually includes laws like the Privacy Act and contractual obligations like PCI-DSS. For government clients, it can also include compliance with specific laws and policies. It’s a shame that this doesn’t even rate a mention.
Personnel security is light
It is in there – but boy is it light. A single sentence on screening, and a single sentence on all other personnel controls, seems like not enough, especially given all the detail on technical controls. (Unless that is what they think of insider threat!?)
What we recommend if you want to use it
Let’s assume – despite the consultation period – that the final version will largely have the same form as this draft. If you are an organisation in Aotearoa looking to use the new framework, here’s what we suggest you do:
- Plug the assurance and compliance gaps. Add a couple of items (under governance) to cover meeting your assurance and compliance obligations – especially if you work at a government agency.
- Spell out your expectations around personnel security. Be clear and specific about the measures your organisation needs to take to deliver on those high-level statements.
- Don’t forget the implicit incident management concepts – prepare for incidents, and manage the lessons learned.
Otherwise – go forth and enjoy! It looks like the new version will be a big improvement, and it will be so much easier to use and follow.
Here at Axenic we help our clients with whichever framework, standard or method they prefer. While we have deep experience with ISO 27001, we’ve also worked with the NIST Cyber Security Framework, CIS Critical Security Controls, the NZ Information Security Manual, the NIST 800 series and more. They all have their strengths and weaknesses. Come and speak to us about which one might be right for you.