NIST Cyber Security Framework 2.0 Workshop - A Summary

On Wednesday 17th August, I attended a workshop for the development of version 2.0 of the NIST Cybersecurity Framework (CSF) as a community stakeholder. It was a one-day workshop, based on a recent RFI issued to the community and on internal working groups at NIST. The workshop was built around the thematic outputs of these workstreams and drilled down into six key areas, considered the most important to enhance in version 2.0 of the CSF:

  • A general discussion of CSF 2.0
  • CSF Profiles
  • International use and alignment in the CSF
  • Consideration of Governance in the CSF
  • CSF Measurement and Assessment
  • Consideration of Supply Chain Cybersecurity in the CSF

The six panels each comprised a small number of subject matter experts (including NIST representation), a moderator and a simultaneous feed of comments and questions from the CSF 2.0 Slack group. The objectives of the panels were to:

  • Share and learn about organisations’ use of the Cybersecurity Framework, and suggestions for improvements.
  • Review comments received during a recent NIST Cybersecurity Request for Information (RFI).
  • Discuss themes identified during the RFI analysis (with a focus on international, governance, measurement, and supply chain topics).
  • Learn what NIST have planned for the future (and how to get involved).

In this post, I have provided a summary of each of these sessions based on detailed notes I took during the panels. I caveat this with the possibility of errata, tainting by my personal opinion and unintentional misapprehension. I’m happy to provide the raw notes to interested parties, however, the full sessions were recorded and will be shared in a couple of weeks’ time. Overall, I think NIST did a good job.

General Summary and TL;DR

Across all the sessions a few themes emerged that were interesting, and indicative of what CSF 2.0 will consider.

  • NIST wish for the CSF to remain voluntary, but continue to welcome regulators using the framework as a general basis internationally.
  • There was general feedback that there isn’t a lot of support or guidance for using the CSF. This was addressed by NIST and the panel members a number of times, in terms of getting better at signposting existing resources and the community reflexively signposting contributions back to NIST.
  • There was clear consensus that the framework needs to support modern technology better, such as Cloud and AI (given its evolution since 2018). However, this was coupled with the sentiment that the CSF should remain technology neutral (phew).
  • There were clear indications of extending Governance and Dependency Management components into the framework, citing that it should mirror and be interoperable with the approach taken in the NIST Privacy Framework.
  • We should expect to see more sector and size/stage specific Profiles and initiatives co-run with private industry and international regulators, as this is seen as key to adoption and supporting use of the CSF.
  • The NIST CSF should continue to integrate with international standards (such as the ISO 27000 series) and interoperate with key NIST documents, especially:

  1. Risk management resources, such as the NIST Risk Management Framework, the NIST Privacy Framework and Integrating Cybersecurity and Enterprise Risk Management (NISTIR 8286).
  2. Trustworthy technology resources, such as the NIST Secure Software Development Framework, the NIST Internet of Things (IoT) Cybersecurity Capabilities Baseline and the Guide to Industrial Control System Cybersecurity.
  3. Workforce management resources, such as the National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity.

  • Development of 2.0 is ongoing and not finalised; stakeholder engagement will help drive it forward. NIST was given the directive to coordinate the process of updating the framework (rather than dictate) and are keen for community stakeholders’ views to be central.
  • Supply chain risk management will be given greater attention and expansion. Alignment with the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) is also seen as essential. References were made to supporting the concept of shared responsibility models; however, it was not clear how this might be achieved.
  • The importance of alignment with maturity models of the Capability Maturity Model type (CMM/CMMI) was stated.
  • Improved support for SMEs was discussed, including the idea of highlighting a set of more achievable essentials. The idea of creating Profiles aligned to organisational ‘stage’ was also floated.

Panel 1: NIST Discussion of CSF 2.0

Key Questions:

  • What are the big issues CSF 2.0 will confront?
  • Given the need to cater for cloud, IoT and the Internet of Everything, how does 2.0 need to change?
  • RFI feedback was that NIST needs to give more guidance to adopters of the CSF. What would this guidance look like?
  • One of the concerns raised in the RFI was that the CSF has been linked to regulation in some cases. What would this look like going forward in 2.0?
  • What’s coming up in terms of mandatory use of NIST CSF?
  • What direction is NIST going to take in the future?
  • Will 2.0 make 1.1 obsolete? What would be a good outcome?

This session discussed very general points around what the panel and NIST would expect to be in CSF 2.0. In honesty, I was a bit disappointed. It was very nondescript about what will actually be in CSF 2.0. The questions were particularly good, and my understanding was that there had been preparatory sessions for each of the panels in advance, so when the panellists all defaulted to ‘let’s see what comes out of the workshop’ it was a bit frustrating and felt unprepared. I am cognisant that NIST want to hear what the stakeholder community thinks, but an RFI had already been released, processed and analysed. It would have been good to get their personal views at this point and/or a sneak peek; this was one of the key session objectives after all. Moreover, there was key feedback from the RFI that I felt was being dismissed or addressed in the wrong way. Specifically, there had been a lot of advice pertaining to the need for additional guidance to use the framework effectively. The solution to this across the panels seemed to be that the current instruction was fine, it just needed to be signposted more effectively. I am often concerned when subject-matter experts deflect in this way, under the assumption that it’s simple if you RTFM. I would hope that in the feedback from this session a challenge is raised, and information shared on the rationale for this approach. Overall, there were a handful of ‘hints’ as to what may be key in the next version, and certainly some great expert opinion on current implementation approaches and disparities.

Key Points and Themes:

  • The key areas of focus for CSF 2.0 align directly with the agenda: metrics, internationalisation, additional usage guidance, mapping to other standards, lack of governance, cyber in the boardroom and supply chains.
  • The framework will remain technology neutral but will focus on ensuring it can cater for technical innovation (Cloud, AI, Quantum etc.). Creation of additional Profiles will help support this goal.
  • The framework should continue to support a broad range of use cases and organisational sizes, with some work needing to be done around SMEs.
  • NIST will focus on increasing awareness of existing materials that help and support use of the framework, as it is felt that the guidance itself is good and that its inadequacy is not the root cause of the feedback that guidance needs improving.
  • NIST will continue to add additional and enhanced ‘crosswalks’ between the CSF and other standards (such as the ISO 27000 series).
  • The NIST CSF should remain voluntary and engaged with the private sector and international communities, and even extend these relationships.
  • Tighter alignment with the NIST Risk Management Framework (RMF) and with Enterprise Risk Management (ERM) is needed, to support a more holistic use not just of NIST documentation, but of the CSF within those areas generally.


Panel 2: Lessons Learned from Development and Use of CSF Profiles

Key Questions:

  • How have sector specific Profiles helped your business?
  • What are the wins from using Profiles to implement CSF 2.0 outcomes?
  • How do you communicate about custom Profiles? How do you know if people are using them?
  • Are there any obstacles to creating Profiles within an international context?
  • What guidance could we improve with implementation and what information could be added?

This session was very private sector focused, with the emphasis of the session on three key use cases (Profiles) that had been developed and matured with industry partners. There were many implementation-specific examples and interesting ‘nuggets’ related to the usage and impact of Profiles in the context of expanding the Profile model more broadly in CSF 2.0. This is definitely one of the sessions it’s worth watching in full when it’s released. The session would be especially useful if you’re not part of one of the working groups already, or think your sector or organisation ‘type’ could benefit from additional support in implementing the CSF. What I found especially useful was the signposting of four different implementations of Profiles. The panel described in detail how they differed, how they have grown organically and how unique elements were created to meet specific requirements. Profiles are seen as a considerable success of the CSF and will likely continue to be important within v2.0. I would hope to see NIST standardise the implementation of Profile working groups further and aggregate useful artefacts that can be extended and utilised by new groups.

Key Points and Themes:

  • Some Profiles (especially Communications, Manufacturing and FSI) are very advanced and took input from regulators and industry practitioners.
  • The Communications sector Profile created sub-profiles that were supported by feeder initiatives, meaning there is Profile information specific to a number of sub-sectors within the industry. These sub-profiles are generally used as a baseline for gap analysis.
  • The Financial Services Profile (FSP) is broadly viewed as an extension to the CSF. The panellist from the FSI sector noted that the FSP combined with the CSF was especially useful as a baseline internationally. Their internal research (at JPMorgan Chase) had demonstrated that the CSF formed the basis for 80-85% coverage of the international standards they needed to comply with. It is widespread practice in the US FSI enterprise sector to use NIST as a ‘Rosetta stone’ to address the majority of information security assurance. This means mappings / crosswalks to international standards will continue to be essential for large enterprises to benefit from the CSF.
  • In 2017, election infrastructure was designated critical infrastructure in the US. This yielded a Profile for this area, with supporting sub-profiles that contained secure reference architectures. The team also added a supplementary guide for a fictional company that walked through implementation of the CSF and the relevant Profiles.
  • A Manufacturing industry Profile was also presented. An interesting attribute cited was its support for creating missions and objectives that were industry specific. What was especially important to this Profile was the intersection between cyber security and safety. There were also some good points made around concerns in implementing technical controls and the impact they could have on operations. This also raised the need for NIST to support OT and for CSF 2.0 to remain relevant to the specific demands of this area.
  • Most panellists agreed that working with regulators remained a challenge. Suggestions for improving this included: scheduling regular meetings to present artefacts such as Profiles to highlight best practice, competitors talking to each other more often, and the concept of cyber security as a team sport.
  • The panel had some ideas on what would make Profiles more helpful in 2.0. They said:

  1. SMEs don't have the resources to do full CSF Profiles. NIST could provide more actionable, lightweight practices.
  2. Definition of key mission objectives would be useful for SMEs and guidance on how to tailor these.
  3. CSF 2.0 should include and update language so that OT operators feel it's relatable to them also.
  4. The inclusion of Safety, Resilience and Operational Performance would benefit CSF.
  5. The development of workbooks to explain how Profiles relate to the Core is required.

Panel 3: International Use and Alignment in the CSF

Key Questions:

  • Where do you see opportunities for increasing awareness?
  • What issues do you run into when defining the standards, and what challenges do you get with terminology?
  • Do you believe that NIST CSF 2.0 should remain voluntary?
  • How do you engage organisations that don't have a lot of maturity and get them involved in awareness of the CSF? How do you incentivise practitioners to get involved in the CSF?
  • How can you increase participation at SME / entry level?
  • Supply chain has become more of an issue, how does Supply chain complicate CSF?

This session was quite interesting, and some key points were made in a number of areas. It highlighted some interesting work, such as a collaboration with AWS and the OAS to create a summary and case study document highlighting use of the CSF in the UK and Uruguay. There was a strong narrative that NIST should seek to influence broader adoption of the CSF internationally to reduce repeated work, and a need for more ‘crosswalks’ (mapping documents) to other standards that are broadly the same.

Key Points and Themes:

  • An interesting discussion was had around SMEs. In many countries, governments take steps to incentivise adoption of a sub-set of security ‘best practices’ (citing ‘The Baseline Cyber Security Controls’ in Canada - https://www.cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations ). For CSF 2.0 it was suggested that lightweight, prioritised implementations (specific to SMEs) should be accommodated in an analogous way.
  • Supply chain was raised in the context of international considerations. Specifically, the panel’s consensus was that guidance in CSF 2.0 should remain implementation agnostic. The example of an SBOM (software bill of materials) was given. The panel agreed that the CSF should advise that an SBOM be created for key software, but that it should not define the implementation, instead setting out the key points you need to think about to achieve a particular outcome.
  • Some practical tips were shared at the end:

  1. Use combined teams of policy and technical individuals to finalise implementation of the CSF.
  2. Think about awareness and how this can be raised with non-policy / non-cyber teams.


Panel 4: Consideration of Governance in the CSF

Key Questions:

  • How does the CSF better support Governance (NIST Privacy framework has been codified and contains a governance component)?
  • What recommendation do you have to improve governance in CSF 2.0? What has changed vs. 2018 CSF 1.1?
  • How should organisations bring cyber risks into the broader risk portfolio and how can this be made accessible for senior stakeholders?
  • How has cloud affected cyber governance?
  • How do we think about risk when we're interdependent?
  • How can we communicate issues of governance within SME communities? Is the CSF good enough currently for SMEs?
  • How can we extend governance into supply chain and customer ecosystems?

This session covered a lot of ground in a short space of time and is one of the panels I’d recommend experienced practitioners of the CSF to watch. The session talked a lot about Enterprise Risk Management (ERM) and the need for the CSF to integrate with it. The NIST Privacy Framework was cited many times as doing a respectable job at this, and as something the CSF should integrate with. There were also references to other documents, such as the NISTIR 8286 series and SP 800-221 (draft), pertaining to integration with risk management. There was good discussion around the integration of controls and technology, briefly covering the move to ‘real-time’ and continuous monitoring of controls, events and posture within modern stacks. The panel also called out the need for integration and interaction (of cyber security) with an internal ‘ERM council’, with extended discussion around how this works in US Government departments.

Key Points and Themes:

  • For technology vendors, services like PaaS / SaaS means extending risk into client environments. We need to think about expanding governance on behalf of clients. CSF is already a useful tool for speaking to clients and communicating that. It would be excellent to extend this in 2.0 and allow for representation of shared responsibility models. An interesting question was raised around whether larger organisations should be responsible to protect and support their smaller suppliers. Some of the panellists stated that this was already part of their ERM frameworks. There was no indication of whether this was a consideration for inclusion in CSF 2.0.
  • The use of the CSF for SMEs was covered in some good depth. It was posited that for start-ups, what they do (as a sub-set of CSF) should be based on their specific stage and maturity. There needs to be an acceptance that there will be a shift in governance (within SMEs) as an organisation grows / matures.
  • Some excellent tips came from this panel in terms of implementing the CSF well:

  1. Train your board how to consume CSF outputs and explain the jargon. Communications should be bi-directional and allow them to communicate their risk appetite.
  2. Use the framework to help define the mission and turn it into cyber security primitives.
  3. You need to set a strong taxonomy. What does everything mean, why does it matter and how big is it?
  4. Split what needs to be done vs. how we need it done.
  5. Allow teams to implement against the goals, resist the urge to be prescriptive.
  6. Keep it simple, make it easier to do the right thing, tie everything back to business impact (using the CIA triad).
  7. Don't change everything every time there's a new idea, it’s important to trend over time. Use change control and manage communications well.
  8. Manual controls are bad.
  9. Security is never over. You never get to good, you only get to better.
  10. Know who decides risk appetite and why it matters.


Panel 5: CSF Measurement and Assessment

Key Questions:

  • What is the purpose of the CSF, and how do measurement and assessment fit into it?
  • From a high-level view, what does CSF implementation look like?

This panel spent quite a lot of time on maturity models and how you can measure the effectiveness of a cyber security programme in the context of the CSF. There was general consensus that NIST CSF 2.0 should extend alignment with CMM/CMMI-style maturity models. Cyber insurance was briefly discussed, along with the opportunity to use the CSF as a benchmark in the underwriting process.

Key Points and Themes:

  • The panel emphasised the need to define what effective NIST CSF implementation looks like. Going from compliance to effectiveness is important and the key concept that compliance is not complete assurance was re-affirmed.
  • The need to implement a maturity model (aligned to the concept of CMM) was raised, along with the importance of CSF 2.0 compatibility and associated guidance.
  • The CSF needs to remain measurable for cyber insurance purposes. Baselining against NIST CSF is a helpful tool in the underwriting process used by the Cyber Insurance industry. The panel member from a Cyber Insurance provider stated that regular conversations were held with CISOs relating to their implementation of the CSF and the application of metrics.

Panel 6: Consideration of Supply Chain Cybersecurity in the CSF

I was unable to attend all of this last session, due to connectivity issues. I’ll add the full details once the recordings have been released in the coming weeks.

The session was largely based around this notice: https://www.federalregister.gov/documents/2022/02/22/2022-03642/evaluating-and-improving-nist-cybersecurity-resources-the-cybersecurity-framework-and-cybersecurity

More articles by Lawrence Munro

  • InfoSec 101 for Recruiters
  • The Real Disincentive of Cyber Breach Fines
  • How to Break into Pen(etration) Testing
  • Vulnerability Management 101: Part One
  • Education is Failing Software Engineers
  • What Finnish School Children Can Teach Us About Purple
  • Bounties Bug Me (A bit)
  • When Two Worlds Collide: Why InfoSec Professionals Hate Recruiters