Axio has worked alongside this team in many ways over the last three years. Several members of our team, including Dave White, Nader Mehravari, Lisa Young, and Pamela Curtis, participated in the original NIST CSF drafts and workshops for transportation, healthcare, and financial sector perspectives across industry and academia. At the time, my role at the US Department of Energy was to ensure the NIST CSF would not conflict with existing efforts, like the mandatory compliance with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards or the voluntary Cybersecurity Capability Maturity Model (C2M2) efforts. Moreover, I collaborated with industry members across the electric and oil and natural gas sectors to ensure the CSF would work for their operating environments, regardless of size, function, or ownership. This critical work led to the Energy Sector Implementation Guidance document for using the NIST CSF.
Over nearly four years, industry has grown with the CSF. We have seen its adoption across multiple sectors, especially finance, healthcare, and water. While we have personally seen great success with measuring the CSF through the C2M2, many organizations have adopted different methods for assessing their adoption of the CSF. Moreover, we have seen more organizations talk about CSF functions when working across their cybersecurity supply chain, including asking suppliers to provide evidence that they are meeting contractual cybersecurity obligations. Critical infrastructure cybersecurity programs have matured as a result of the CSF dialogue since the first version was released.
The latest draft update attempts to codify some of the lessons learned since the release of V1.0, including:
- Self-assessment guidance for measuring an organization’s cybersecurity program improvement;
- Using the CSF for procurement and other supply chain decisions;
- Examining a “cyberattack lifecycle” to provide further context to the CSF;
- New subcategories (and informative references) for authentication and coordinated vulnerability disclosure; and
- A roadmap of additional discussion topics.
These new additions are meant to augment the existing CSF, meaning there is no gigantic overhaul for organizations that want to incorporate the new recommendations. That being said, without a preferred method to self-assess to the CSF, most organizations will need to either create their own metrics program or leverage a facilitator or third-party tool.
There’s a lot to consider with this new update. Axio will be working with our clients to ensure industry benefits from clear, concise, and actionable guidance. In the coming weeks we will examine the latest draft and provide our thoughts on some of the key topics, including security metrics and supply chain considerations.
Until then we’re here to help— and if your organization has any questions about the latest draft, feel free to reach out to us at firstname.lastname@example.org .
In February 2014, the US National Institute of Standards and Technology (NIST) released the first version of the Cybersecurity Framework (CSF), as directed from Executive Order 13636. Later that year, Congress passed the Cybersecurity Enhancement Act and solidified NIST’s role with critical infrastructure owners and operators, through support and facilitation of cybersecurity risk frameworks. Over the past three years, NIST has held multiple workshops and collected comments across industry, academia, and government agencies.