What's next for NIST cybersecurity framework?
- By Sara Friedman
- May 16, 2017
While it is too soon to assess the total effect of the WannaCry ransomware attacks that affected hundreds of thousands of computers around the world, officials at a May 16 National Institute of Standards and Technology Cybersecurity Framework event emphasized the need for good cyber hygiene.
“We will never able to block all attacks, but we can make sure that the damage isn’t too big,” said Aviram Atzaba, head of the methodology center at Israel’s National Cyber Security Authority. “We should be able to keep the hygiene so once something like the attack happens, we are able to detect and recover from it in a manner in which the business is not affected.”
Israel used NIST’s 2014 Cybersecurity Framework controls and the International Standard for Organization’s standards and tailored them to fit the industry-specific needs of the Israeli business environment, Atzaba said.
In the United States, Marilyn Zigmund Luke, senior counsel and compliance officer at America’s Health Insurance Plans, said she sees companies sharing information on data breaches among potential victims as critical to helping stop the spread of cyberattacks.
If information on a cyberattack can be quickly shared, “other entities can respond, detect and go through their own processes without waiting,” Zigmund Luke said during a separate panel discussion.
Zigmund Luke said private companies are now more prepared for attacks than they were “several years ago,” but she acknowledged that the threats are constantly changing.
“From last week, we learned that there are always going to be new variants, which [we’re] are not sure about and our federal partners are still evaluating to see if we can be protected,” she said. “We need to recognize that this is a highly volatile and evolving area as we continue to make updates and look at compliance issues.”
As federal agencies and industry stakeholders continue to work on the NIST Cybersecurity Framework 1.1, Matt Barrett, program manager for the framework, discussed the 129 comments received in April on the proposed update.
“We want to design the framework to become [architecture] and technology agnostic, but also have backwards compatibility with version 1.0,” Barrett said. “It is a living document, so it needs to be interoperable and compatible to ensure continued alignment.”
Barrett was speaking ahead of working sessions during the two-day NIST event to get perspective from stakeholders on the draft framework including measurement criteria, supply chain risk management, identity and implementation tiers.
The proposed Cybersecurity Framework 1.1 is the result of an 18-month process to revise the standards put in place in 2014, so that they address the current needs of industry and meet federal technical standards.
The workshop comes just days after President Donald Trump issued an executive order directing federal agencies to adopt the framework, which originally offered guidance for critical infrastructure sectors.
As a result of the May 11 executive order, NIST issued a draft implementation guide for federal agencies the next day to help them understand how to incorporate the framework into the NIST risk management standards that are already in place. The guide outlines eight ways the framework can help agencies address common cybersecurity-related responsibilities:
- Integrate enterprise and cybersecurity risk management
- Manage cybersecurity requirements
- Integrate and align cybersecurity and acquisition processes
- Evaluate organizational cybersecurity
- Manage the cybersecurity program
- Maintain a comprehensive understanding of cybersecurity risk
- Report cybersecurity risks
- Inform the tailoring process
For more information on how agencies can address the Cybersecurity Framework in their risk management processes, NIST’s “Cybersecurity Framework: Implementation Guidance for Federal Agencies” can be found here.
Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.
Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.
Friedman can be contacted at [email protected] or follow her on Twitter @SaraEFriedman.
Click here for previous articles by Friedman.