What’s New in NIST’s Cybersecurity Framework (CSF) 2.0

Since 2022, the National Institute of Standards and Technology (NIST) has been working on major updates to its Cybersecurity Framework (CSF), a set of guidelines and best practices for cybersecurity which enjoys wide adoption among federal organizations and private businesses of every size.

Now that update has finally arrived in the form of a draft issued on August 8th, 2023, and not a moment too soon. With five years elapsing since CSF 1.1 was released in 2018, experts agree that the framework is long overdue for an update reflecting changes in the global threat landscape, and the evolving needs of organizations in both the public and private sector.

To that end, the CSF 2.0 draft largely conforms to proposals outlined by NIST in a concept paper earlier this year. Among other things, it adopts a broader focus extending the scope of CSF beyond its original audience of critical infrastructure operators. It also incorporates a new security function, extended guidance for supply chain security, and more.

In this article we’ll explain how NIST CSF works, how things are changing with CSF 2.0, and why your business should become CSF 2.0 compliant.

What is NIST CSF?

The earliest version of NIST CSF (1.0) was released in 2014, with the now largely forgotten title ‘Framework for Improving Critical Infrastructure Cybersecurity’. But despite its critical infrastructure focus, the framework outlined by CSF is conceptually simple, with wide application to a variety of organizations.

NIST CSF consists of three high-level components, a fact which has not changed with the release of CSF 2.0:

  • Core functions – CSF core functions correspond to basic cybersecurity practices and outcomes. The basic functions – “Identify”, “Protect”, “Detect”, “Respond”, and “Recover” – are further broken down into categories and subcategories.
  • Implementation tiers – CSF tiers objectively measure how closely an organization’s existing cybersecurity program conforms with the practices described by the core framework.
  • Framework profiles – CSF profiles help organizations to align their organizational requirements, objectives, risk tolerance and resources against desired outcomes of the framework.

Unlike other NIST standards – such as 800-171 and 800-53 – NIST CSF does not describe regulations imposed by federal agencies on their partners and contractors. In most cases, CSF compliance is not mandatory, but voluntarily adopted. Even so, the general nature of its guidance has made it a leading cybersecurity standard in both the U.S. and abroad.

Big Changes in CSF 2.0

While many changes in CSF 2.0 have been anticipated since January 2023, the draft document fleshes out details of their implementation, including the announcement of forthcoming tools and resources which will aid organizations towards CSF 2.0 compliance.

1. A Broader Scope

In CSF 2.0, NIST is embracing the reality of CSF adoption, expanding its scope from a standard focused on cybersecurity for critical infrastructure to one with much broader application. This is reflected both by a change of title – from ‘Framework for Improving Critical Infrastructure Cybersecurity’ to ‘The Cybersecurity Framework’ – and in language changes throughout the document.

More importantly, CSF 2.0 provides increased guidance to help organizations adapt the framework to their unique mission needs, and examples to illustrate the purpose of profiles. As Microsoft argued in feedback to the CSF 2.0 concept paper, profiles are an underutilized aspect of CSF which will hopefully see wider adoption going forward.

2. The ‘Govern’ Function 

While none of the core functions in the CSF have been removed, one has been added. ‘Govern’ is a special function that intersects the original five, emphasizing cybersecurity as a source of enterprise risk, and providing guidance for how an organization can make internal decisions that support cybersecurity strategy.

NIST illustrates the overlap between ‘Govern’ and other CSF core functions with an updated graphic depicting ‘Govern’ as a circle on which the other functions are supported.

3. Focus on Supply Chain Security 

In recent years, the rise of software supply chain incidents – including the SolarWinds attack and the Log4j zero day – has made supply chain security a central concern for federal agencies. It is a major focus of 2021’s ‘Executive Order on Improving the Nation’s Cybersecurity’, for instance.

It is no surprise then that CSF 2.0 emphasizes supply chain risk management practices under the ‘Govern’ function, drawing on other resources, such as NIST special publication (SP) 800-161r1, ‘Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations’. It also directs readers to use the CSF itself as a standard for vetting suppliers and choosing secure partners.

4. Better Guidance 

While the general nature of CSF guidance has contributed to its success as a cybersecurity standard, some have felt that guidance is too general at times, making it difficult for some organizations to apply. Fortunately, in addition to providing increased CSF profile guidance, CSF 2.0 also includes specific examples of security processes that help achieve core functions.

This guidance has evidently been written with small to medium businesses (SMBs) in mind, as the summary of changes states: “the draft now includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, to use the framework effectively”.

5. Incorporating Other NIST Resources 

Since the release of CSF 1.1, NIST has been hard at work drafting new standards that supplement the framework well. In CSF 2.0, readers are directed to many of those standards – including the NIST Privacy Framework and Secure Software Development Framework among others – for further guidance.

Furthermore, in the coming weeks, NIST will release a CSF 2.0 reference tool which will help organizations to better understand the relationship between CSF 2.0 and other NIST standards included in its Informative References.

CSF 2.0 is a Stepping Stone to Compliance

With NIST stating that it does not intend to release further drafts of CSF 2.0 before the framework is finalized in 2024, it is safe to assume that there will not be any major changes between the draft and the final version.

Although it will not be a requirement for most federal contractors, CSF 2.0 will help businesses to form a solid cybersecurity foundation essential for compliance with NIST 800-171, 800-53 and CMMC while clarifying the risks that matter most to their business, and their ideal security position. Following NIST guidelines can also help businesses to prepare for future regulations, as state and federal governments use NIST standards to shape cybersecurity laws and guidance.

Securicon helps your business to comply with cybersecurity standards like NIST CSF 2.0 through tailored program and risk assessments. With a team comprised of veterans from the U.S. security community – including DoD, DHS, and the U.S. Cyber Commands – we are equipped to provide organizations with gap analysis, compliance consulting, assessment support, and audit preparation. To learn more, contact us today.

A False Sense of Security: Why VPNs Are Not a Silver Bullet

In a world of hybrid organizations and a rising number of remote employees, virtual private networks (VPNs) are rapidly growing as a solution for secure access between enterprise networks and external endpoints. In 2022, the global VPN market was valued at $44.6 billion, with experts projecting a $93.1 billion increase by 2030.

But while VPNs play an important role in today’s enterprise security stack, the growth in adoption may represent overconfidence in a technology with distinct risks and limitations. Misconceptions surrounding VPNs abound and with VPN-directed attacks on the rise, those who depend on them as a silver bullet for cybersecurity are in for a rude awakening.

VPN Breaches

In June, cybersecurity researchers reported that 360 million user data records were leaked in a breach affecting SuperVPN, a free VPN service operating in China.

While users of the application had expected it to protect their personal data and identities, instead it exposed both of them – including email addresses, location and online activities – to the open Web.

This story would be less concerning if security flaws were limited to free and consumer-facing VPN services. Unfortunately, they are not – they affect VPN products used by major companies, including federal agencies, local governments, and critical infrastructure operators.

To protect themselves from these risks, organizations must understand the limited role that VPNs play in a comprehensive cybersecurity strategy, the risks they can introduce to an IT ecosystem, and best practices for utilizing them effectively.

What VPNs Really Do

According to a study from the University of Maryland, VPN ads directed at consumers through social media include “overpromises and exaggerations that could negatively influence viewers’ mental models of internet safety”. But overpromising and exaggerations only work because viewers don’t know what a VPN really does.

In an enterprise configuration, a VPN creates an encrypted connection between a VPN client installed on a device outside your organization, and a VPN server hosted on-site or at an off-site data center. Once there, traffic is directed either to the open Web, to cloud services, or to internal resources.

When a VPN works properly, the encrypted connection between client and server forms a secure “tunnel” that provides protection against snooping from attackers: it masks the identity of remote endpoints connecting to your organization, their external destinations, and any data sent between them.

What VPNs Don’t Do

Unfortunately, VPNs do not always work properly. And even when they do, there are many risks they don’t protect against. For instance:

  • VPNs do not protect software as a service (SaaS) apps which reside outside your organization. While employees can use your VPN to connect with them, they will often choose not to since VPNs can be slow and cumbersome. This compounds the growing risk of Shadow IT that organizations already suffer from, with data scattered across unmanaged and poorly protected external services.
  • While a VPN can prevent attackers from intercepting or decrypting traffic as it travels through the VPN tunnel, it does not protect data at ingress or egress. If attackers have already compromised devices inside or outside your network – which they can do through malware, phishing or social engineering attacks – they can still spy on data sent both ways.
  • VPNs do not always prevent devices from broadcasting their real IP addresses or the destination of their traffic. Weaknesses in the VPN client – or non-VPN software – can tip watchful adversaries off to the identity of protected endpoints.

VPN-Associated Risks

Aside from the fact that VPNs do not protect against all cyber risks, they often introduce new ones, including:

  • Keys to the Kingdom – enterprise VPNs are typically deployed without layered controls, network segmentation or principles of least access to ensure that users are limited to certain resources. In this case, all a cyber actor needs is one set of VPN credentials or one trusted device to access everything on your network, making VPN-connected devices a valuable target.
  • Expanded Attack Surface – according to a report by Cybersecurity Insiders and Zscaler, 61% of organizations have three or more VPN gateways – with public IP addresses – and many have more than five. Together with the countless devices connected to your company via those gateways, this represents a significant increase in the attack surface for cyber actors.
  • Vulnerabilities – vulnerabilities affecting VPN servers or clients are often discovered, requiring patches to prevent exploitation. In 2020, one vulnerability affecting the SonicWall VPN rendered nearly 800,000 devices vulnerable to denial of service attacks and remote code execution exploits.
  • Weak Encryption – while decrypting traffic between a VPN client and server is usually an unrealistic attack vector, servers will sometimes default to weaker encryption standards in an effort to communicate with obsolete clients. In this case, interception and decryption of traffic is a genuine risk.

Best Practices for Enterprise VPNs

As with enterprise cloud solutions, some of the risks associated with business VPNs are attributable to misconfiguration or poor maintenance by the customer. There are key practices to help organizations enhance VPN security and protect against attacks. In 2020, the National Security Agency (NSA) published a few:

  1. Reduce VPN gateway attack surfaces – this means minimizing the number of VPN gateways, and also implementing traffic rules to “limit the ports, protocols and IP addresses of network traffic to VPN devices.” In general, arbitrary devices should not be able to connect with a VPN gateway.
  2. Verify that cryptographic algorithms are CNSSP 15-compliant – the Committee on National Security Systems Policy (CNSSP) 15 specifies safe encryption standards. At a minimum, the NSA recommends that VPN configurations be checked against it in both the Internet Security Association and Key Management Protocol (ISAKMP) / Internet Key Exchange (IKE) policy and the IPsec policy.
  3. Avoid using default VPN settings – sticking with default VPN settings may enable weaker cryptographic standards. As a best practice, the NSA recommends that all settings for VPNs are manually configured.
  4. Apply vendor-provided updates/patches – as with any business-critical software, organizations should apply patches to their server-side software and devices as soon as they are issued, and enforce patches to VPN clients.

But while these recommendations will make your enterprise VPN configurations safer, they will not protect against complacency in other domains, such as a lack of multifactor authentication (MFA) or regular password updates – an absence of network segmentation or zero trust policies for internal resources – or a lack of cyber training to prevent phishing/social engineering attacks or improper handling of trusted devices.
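The four NSA practices above, together with the ‘Weak Encryption’ risk described earlier (a server that still offers obsolete proposals alongside strong ones can be negotiated down), are the kind of thing a defender can check mechanically. The script below is an added example, not code from the NSA, Securicon or any VPN vendor. It audits a constructed, vendor-neutral description of two gateways: the configuration keys (`allow_rules`, `ike_proposals`, `uses_vendor_defaults`, `firmware`, `vendor_latest`) are invented for the example, and the “approved” algorithm sets are an assumption modelled on the CNSA Suite that CNSSP 15 references (AES-256, SHA-384, DH/ECDH of at least 3072-bit or P-384 strength), not a quotation from the article. IKE Diffie-Hellman group numbers follow the IANA IKEv2 registry (15 = 3072-bit MODP, 16 = 4096-bit MODP, 20 = 384-bit ECP).

```python
"""Audit simplified VPN gateway descriptions against the four NSA practices.

Added example; the config format is constructed (no vendor syntax) and the
approved-algorithm sets are an assumption modelled on the CNSA Suite.
"""
from dataclasses import dataclass
import ipaddress

APPROVED_ENCRYPTION = {"aes256-gcm", "aes256-cbc"}
APPROVED_INTEGRITY = {"sha384"}          # integrity / PRF
APPROVED_DH_GROUPS = {15, 16, 20}        # 3072 MODP, 4096 MODP, ECP-384
# Services a remote-access IPsec gateway normally has to expose: IKE on UDP/500,
# NAT-T on UDP/4500, and raw ESP (IP protocol 50) where NAT-T is not in use.
EXPECTED_SERVICES = {("udp", 500), ("udp", 4500), ("esp", None)}


@dataclass
class Finding:
    practice: int      # 1-4, matching the numbered NSA practices above
    gateway: str
    message: str


def _weak_proposal(p: dict) -> bool:
    """True if any algorithm in an IKE/IPsec proposal falls outside the approved sets."""
    if p["encryption"] not in APPROVED_ENCRYPTION or p["integrity"] not in APPROVED_INTEGRITY:
        return True
    # IPsec proposals only carry a DH group when PFS is configured; skip if absent.
    return "dh_group" in p and p["dh_group"] not in APPROVED_DH_GROUPS


def check_exposure(gw: dict) -> list[Finding]:
    """Practice 1: only IKE/NAT-T/ESP should reach the gateway, and not from anywhere."""
    out = []
    for rule in gw["allow_rules"]:
        service = (rule["proto"], rule.get("port"))
        label = f"{rule['proto']}/{rule.get('port')}"
        if service not in EXPECTED_SERVICES:
            out.append(Finding(1, gw["name"], f"rule exposes {label} beyond IKE/NAT-T/ESP"))
        if ipaddress.ip_network(rule["src"]).prefixlen == 0:
            out.append(Finding(1, gw["name"], f"rule for {label} accepts any source address"))
    return out


def check_crypto(gw: dict) -> list[Finding]:
    """Practice 2 plus the downgrade risk: flag weak proposals and mixed strong/weak offers."""
    out = []
    for phase in ("ike_proposals", "ipsec_proposals"):
        weak = [p for p in gw[phase] if _weak_proposal(p)]
        for p in weak:
            out.append(Finding(2, gw["name"], f"{phase}: non-approved proposal {p}"))
        if weak and len(weak) < len(gw[phase]):
            out.append(Finding(2, gw["name"],
                               f"{phase}: strong and weak proposals both offered; "
                               "an obsolete or hostile client can negotiate the weak one"))
    return out


def check_defaults(gw: dict) -> list[Finding]:
    """Practice 3: vendor defaults may enable weaker settings; every setting should be explicit."""
    if gw.get("uses_vendor_defaults"):
        return [Finding(3, gw["name"], "running with vendor default settings")]
    return []


def _version_tuple(v: str) -> tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def check_patch_level(gw: dict) -> list[Finding]:
    """Practice 4: installed firmware should match the vendor's current release."""
    if _version_tuple(gw["firmware"]) < _version_tuple(gw["vendor_latest"]):
        return [Finding(4, gw["name"],
                        f"firmware {gw['firmware']} behind vendor release {gw['vendor_latest']}")]
    return []


def audit(gateways: list[dict], max_gateways: int = 2) -> list[Finding]:
    """Run every check over every gateway; also flag an excessive number of gateways."""
    findings = []
    if len(gateways) > max_gateways:
        findings.append(Finding(1, "*", f"{len(gateways)} internet-facing gateways; consolidate"))
    for gw in gateways:
        for check in (check_exposure, check_crypto, check_defaults, check_patch_level):
            findings.extend(check(gw))
    return findings


# Constructed sample inventory: one well-configured gateway and one that is not.
SAMPLE_GATEWAYS = [
    {"name": "vpn-gw-hq",
     "allow_rules": [{"src": "203.0.113.0/24", "proto": "udp", "port": 500},
                     {"src": "203.0.113.0/24", "proto": "udp", "port": 4500},
                     {"src": "203.0.113.0/24", "proto": "esp"}],
     "ike_proposals": [{"encryption": "aes256-gcm", "integrity": "sha384", "dh_group": 20}],
     "ipsec_proposals": [{"encryption": "aes256-gcm", "integrity": "sha384"}],
     "uses_vendor_defaults": False, "firmware": "7.2.1", "vendor_latest": "7.2.1"},
    {"name": "vpn-gw-branch",
     "allow_rules": [{"src": "0.0.0.0/0", "proto": "udp", "port": 500},
                     {"src": "0.0.0.0/0", "proto": "udp", "port": 4500},
                     {"src": "0.0.0.0/0", "proto": "tcp", "port": 443}],   # admin UI exposed
     "ike_proposals": [{"encryption": "aes256-gcm", "integrity": "sha384", "dh_group": 20},
                       {"encryption": "3des-cbc", "integrity": "sha1", "dh_group": 2}],
     "ipsec_proposals": [{"encryption": "aes128-cbc", "integrity": "sha1"}],
     "uses_vendor_defaults": True, "firmware": "7.0.0", "vendor_latest": "7.2.1"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GATEWAYS):
        print(f"[practice {f.practice}] {f.gateway}: {f.message}")
```

On the sample inventory the HQ gateway produces no findings and the branch gateway produces nine: any-source rules on all three ports and the extra TCP/443 exposure, the 3DES/SHA-1 IKE proposal plus the downgrade warning, the weak IPsec proposal, vendor defaults, and outdated firmware. The any-source finding is deliberately strict: a remote-access gateway serving roaming users may have to accept IKE from arbitrary addresses, in which case the finding becomes a documented, accepted risk rather than something to fix, which is exactly the kind of decision the ‘Govern’ discussion earlier on this page is about.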

Secure VPNs Are Downstream from Secure Organizations

While many businesses are planning to move away from VPNs to alternative solutions for remote access (such as SASE and ZTN), realistically they will still have a place in hybrid work environments for many years to come. This won’t be a problem for organizations who understand that VPNs play a small part in a larger cybersecurity strategy, and work with the right partners to eliminate security gaps that affect VPN safety.

With a team comprised of veterans from the U.S. security community – including DoD, DHS and the U.S. Cyber Command – Securicon is equipped to protect remote access solutions (including VPNs) and harden your security position with gap analysis, compliance consulting, assessment support, audit preparation and more. To learn how we can help you, contact us today.

What Defense Contractors Need to Know About New DFARS Rules and CMMC Compliance

In 2019, the Department of Defense (DoD) announced the Cybersecurity Maturity Model Certification (CMMC), a new set of standards for cybersecurity compliance across the Defense Industrial base (DIB). Last December, the CMMC finally went into effect under an “interim rule” which gives organizations in the defense sector time to fully comply while the DoD prepares for enforcement.

Since 2017, organizations doing business with the federal government have been required to comply with the National Institute of Standards and Technology (NIST) special publication (SP) 800-171. The 110 security practices listed in NIST 800-171 have been incorporated and supplanted by CMMC with new rules to deal with modern threats. But just how much does this change for defense contractors?

In this article, we will explain the current status of CMMC under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7019. The new DFARS rules lay out a roadmap for CMMC implementation which will shape federal security for years to come.

What is CMMC?

In recent years, the number of cybersecurity threats to government agencies and contractors has multiplied due to many factors, including an increased number of cyber actors, growth of remote employment, and the Internet of Things (IoT). CMMC is focused on protecting Controlled Unclassified Information (CUI) from falling into enemy hands by responding to the problem of increased cybersecurity threats.

While NIST 800-171 shared the same purpose, its role was hindered by a self-certification process which sometimes resulted in substandard levels of compliance across DIB organizations. In the face of rising cyber incidents, the DoD has decided that stricter standards must be enforced.

The CMMC is envisioned as the next step in federal security compliance, requiring organizations to undergo a third-party assessment before they are eligible to apply for sensitive defense contracts. Despite stricter standards, the CMMC also provides greater flexibility through five tiers that recognize different levels of cybersecurity maturity.

The Interim Rule

Last November, the DoD unexpectedly issued an “interim rule” which creates a period of transition before CMMC is fully implemented. The details of this transition are outlined in an update to DFARS (DFARS 7019).

  • Rule 7019 – defense contractors that process, store or create CUI are still required to perform a NIST 800-171 self-assessment and submit their score until CMMC is fully implemented.
  • Rule 7020 – if the government decides that a further assessment is necessary, defense contractors must grant access to their facilities, systems and employees.
  • Rule 7021 – the CMMC is now Defense Department policy. This rule lays out a timeline for compliance; an increasing number of contracts will formally require CMMC compliance until October 1st, 2025, when it will become a default requirement for all DoD contracts.

In the meantime, certified third-party assessment organizations (C3PAOs) must be verified by the CMMC Accreditation Body (AB). This may take some time: currently, there are only two such organizations, and no more than 360 are expected by the end of 2021.

CMMC: What You Need to Know Right Now

Due to the low number of C3PAOs, most organizations will be unable to receive the third-party assessment required for CMMC certification at this time. Until that changes, organizations should familiarize themselves with CMMC requirements under the interim rule and prepare to apply for certification at a later date.

Trust But Verify

With CMMC, the Defense Department is adopting a “trust but verify” policy. Moving forward, checking off boxes will not be enough: organizations will have to make a real commitment to cybersecurity if they want to be CMMC-certified.

During the third-party assessment process, employees will be interviewed, facilities will be inspected, and systems will be analyzed to ensure that proper protections have been implemented. Being prepared means adopting a mindset of cybersecurity and aligning organizational goals with the goals of CMMC.

Self-Verification Requirement

Until CMMC is fully implemented, organizations will still be required to perform NIST 800-171 self-assessments to ensure they are compliant with minimum standards. Under DFARS 7019, contractors must perform this assessment every three years in order to be considered for a contract award.

Guidelines for conducting a NIST 800-171 assessment can be found in NIST Handbook 162. Results must be documented for training purposes and submitted to the Supplier Performance Risk System (SPRS). This requirement will elapse on October 1st, 2025 when CMMC becomes mandatory for all defense contracts.

Cybersecurity Maturity

The “maturity” portion of CMMC is reflected in five certification tiers which recognize that different organizations are farther along in their cybersecurity program than others. These levels are summarized below:

  • Levels 1 – 3 – right now these are the only levels whose certification standards are fully known. They correspond to Basic, Intermediate and Good “cyber hygiene”. Level 3 includes 130 total security practices, and is roughly equal to NIST 800-171 in the level of cybersecurity it provides.
  • Level 4 – includes “enhanced” security requirements for a “Proactive” security program. At Level 4, organizations are expected to be prepared for advanced persistent threat (APT) groups and their tactics.
  • Level 5 – entails highly optimized cybersecurity practices for an “advanced” security program. At this level, organizations must be able to defend sensitive data from advanced cyber actors.

When CMMC is fully implemented, all contractors handling CUI will be required to achieve Level 3, just as all are currently required to meet the requirements of NIST 800-171. Level 3 will remain the most common certification level on DoD contracts, with Levels 4 and 5 reserved for highly sensitive applications.

Prepare for CMMC With Securicon

Based on our years of experience conducting assessments for compliance with NIST regulations like SP 800-53 and SP 800-171, which form the basis of CMMC, Securicon can perform readiness assessments and mock audits to help your organization prepare for the real thing. With a DoD background, our world-class experts are ready to take stock of your IT assets and build a security response plan that is tailored to your organization’s needs.

Securicon provides information security solutions to public and private sector organizations. Our expert cyber security teams help our clients manage and secure their Information Technology (IT) and Operational Technology (OT) environments by providing vulnerability and penetration testing/assessments; governance, risk and compliance (GRC) services; and security architecture review and design services. Contact Us to learn more!