NIST CSF 2.0: Govern. Why Now?
InfoSystems, Inc.
While by no means a previous afterthought, the inclusion of “Govern” among the now six functions of the NIST Cybersecurity Framework emphasizes a rise in the importance of transparency and readiness. Moreover, it brings to light a rapidly growing aspect of the cyber landscape: organizational risk. At InfoSystems, we believe in the value of both understanding the merit behind this progression and subsequently assessing the growing prominence of governance within your policies and procedures.
Formerly categorized under “Identify,” the function of Governance has been elevated to demonstrate a paradigm shift in cybersecurity posture. While the original five core functions delivered flexible policy and control implementations, the importance of oversight and clear lines of communication has been elevated in Version 2.0. This can be seen in the 27 subcategories of the newest function.
It makes sense that both Risk Management Strategy and Cybersecurity Supply Chain Risk Management have now been adopted under “Govern” and similarly expanded on. These two categories in particular incorporate all aspects of cyber tooling and policy, but more importantly require buy-in from the larger organization existing outside of IT.
This isn’t, however, just a realignment for the two categories. NIST CSF 2.0 has strongly expanded the subcategories for both Risk Management and Supply Chain Risk Management. Risk Management Strategy has increased from three to seven subcategories. In particular, the following subcategories highlight an attention to detail on communication, third-party consideration, and categorization.
In fact, the addition of suppliers and third parties as a risk factor highlights how significant the vendor landscape has become to cyber posture. This is similarly seen with Supply Chain Risk Management, which has doubled in scope from five to ten subcategories. While consistent monitoring is specifically addressed, the mention of activities concluding a partnership brings to light the increasing risk of third-party data collection.
Not surprisingly, this comes on the heels of several prominent breaches following Version 1.1’s release in 2018. Major headlines including SolarWinds, Okta, MOVEit, and Kaseya are still only a subset of a dangerous trend that is not exclusive to any particular industry.
“The mean number of cyber breaches in respondents’ supply chains that negatively impacted their organizations, up from 3.29 in 2022, a 26% increase from our 2022 survey” – BlueVoyant
Even among the different tactics used or specific vulnerabilities exploited, the commonality is that major third-party suppliers potentially create a hazardous gateway for lateral movement.
It’s no secret that reliance on third-party suppliers is growing, and with this evolution comes added challenges.
With the release of CSF Version 2.0, there is a clear message: further understand organizational risk and increase the frequency with which third-party vendors are assessed.
The Cybersecurity Framework continues to stress the value of Organizational Profiles built on open lines of communication among business leaders, which contribute to defined guidelines for risk appetite, accountability, and resources.
NIST likewise advises integrating Enterprise Risk Management programs into the other controls and policies that assess business risk. The clear message is that open communication trumps a siloed divide-and-tackle approach.
In addition to CSF 2.0, NIST provides several resources for reference.
Here at InfoSystems, we approach governance and compliance from the ground up. Through a security baseline, we set a foundation across controls and policies so that an organizational threshold is established.
While we recommend a balanced review of different frameworks (NIST CSF, CIS v8, ISO 27001, and more), our NIST Review will form a plan of action across all six functions and provide continuous remediation guidance.
Subsequently, a core tenet of InfoSystems Cyber Solutions is addressing distinct environments beyond foundational frameworks. In this regard, we provide a Policy Creation & Review service that addresses unique workflows and limits data breaches.
Moreover, we work in tandem with a distinct partner network focused on continuous monitoring and evaluation of third-party risk. If you are interested in learning more, contact us today.
InfoSystems: Security Baselining | NIST Review | Policy Creation & Review
With InfoSystems Cyber Solutions, you don’t have to worry. We’ll make sure you have what you need to prevent threats. And if something gets through, we’ll handle it. So, now that you know the importance of cybersecurity, take a deep breath, assess what you have and haven’t done to protect against cyber-attacks, and take the next step…
Here’s how to get started:
Thanks for reading this edition of Power Forward!