What’s New in NIST’s Cybersecurity Framework (CSF) 2.0


Since 2022, the National Institute of Standards and Technology (NIST) has been working on major updates to its Cybersecurity Framework (CSF), a set of guidelines and best practices for cybersecurity which enjoys wide adoption among federal organizations and private businesses of every size.

Now that update has finally arrived in the form of a draft issued on August 8th, 2023, and not a moment too soon. With five years elapsing since CSF 1.1 was released in 2018, experts agree that the framework is long overdue for an update reflecting changes in the global threat landscape, and the evolving needs of organizations in both the public and private sector.

To that end, the CSF 2.0 draft largely conforms to proposals outlined by NIST in a concept paper earlier this year. Among other things, it adopts a broader focus extending the scope of CSF beyond its original audience of critical infrastructure operators. It also incorporates a new security function, extended guidance for supply chain security, and more.

In this article we’ll explain how NIST CSF works, how things are changing with CSF 2.0, and why your business should become CSF 2.0 compliant.

What is NIST CSF?

The earliest version of NIST CSF (1.0) was released in 2014, with the now largely forgotten title ‘Framework for Improving Critical Infrastructure Cybersecurity’. But despite its critical infrastructure focus, the framework outlined by CSF is conceptually simple, with wide application to a variety of organizations.

NIST CSF is composed of three high-level components, a fact which has not changed with the release of CSF 2.0:

  • Core functions – CSF core functions correspond to basic cybersecurity practices and outcomes. The basic functions – “Identify”, “Protect”, “Detect”, “Respond”, and “Recover” – are further broken down into categories and subcategories.
  • Implementation tiers – CSF tiers objectively measure how closely an organization’s existing cybersecurity program conforms with the practices described by the core framework.
  • Framework profiles – CSF profiles help organizations to align their organizational requirements, objectives, risk tolerance and resources against desired outcomes of the framework.


Unlike other NIST standards – such as 800-171 and 800-53 – NIST CSF does not describe regulations imposed by federal agencies on their partners and contractors. In most cases, CSF compliance is not mandatory, but voluntarily adopted. Even so, the general nature of its guidance has made it a leading cybersecurity standard in both the U.S. and abroad.

Big Changes in CSF 2.0

While many changes in CSF 2.0 have been anticipated since January 2023, the draft document fleshes out details of their implementation, including the announcement of forthcoming tools and resources which will aid organizations towards CSF 2.0 compliance.

1. A Broader Scope

In CSF 2.0, NIST is embracing the reality of CSF adoption, expanding its scope from a standard focused on cybersecurity for critical infrastructure to one with much broader application. This is reflected both by a change of title – from ‘Framework for Improving Critical Infrastructure Cybersecurity’ to ‘The Cybersecurity Framework’ – and in language changes throughout the document.

More importantly, CSF 2.0 provides increased guidance to help organizations adapt the framework to their unique mission needs, and examples to illustrate the purpose of profiles. As Microsoft argued in feedback to the CSF 2.0 concept paper, profiles are an underutilized aspect of CSF which will hopefully see wider adoption going forward.

2. The ‘Govern’ Function 

While none of the core functions in the CSF have been removed, one has been added. ‘Govern’ is a special function that intersects the original five, emphasizing cybersecurity as a source of enterprise risk, and providing guidance for how an organization can make internal decisions that support cybersecurity strategy.

NIST illustrates the overlap between ‘Govern’ and the other CSF core functions with an updated graphic depicting ‘Govern’ as a circle that supports the other five functions.


3. Focus on Supply Chain Security 

In recent years, the rise of software supply chain incidents – including the SolarWinds attack and the Log4j zero-day – has made supply chain security a central concern for federal agencies. It is a major focus of 2021’s ‘Executive Order on Improving the Nation’s Cybersecurity’, for instance.

It is no surprise then that CSF 2.0 emphasizes supply chain risk management practices under the ‘Govern’ function, drawing on other resources, such as NIST special publication (SP) 800-161r1, ‘Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations’. It also directs readers to use the CSF itself as a standard for vetting suppliers and choosing secure partners.

4. Better Guidance 

While the general nature of CSF guidance has contributed to its success as a cybersecurity standard, some have felt that guidance is too general at times, making it difficult for some organizations to apply. Fortunately, in addition to providing increased CSF profile guidance, CSF 2.0 also includes specific examples of security processes that help achieve core functions.

This guidance has evidently been written with small to medium businesses (SMBs) in mind, as the summary of changes states: “the draft now includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, to use the framework effectively”.

5. Incorporating Other NIST Resources 

Since the release of CSF 1.1, NIST has been hard at work drafting new standards that supplement the framework well. In CSF 2.0, readers are directed to many of those standards – including the NIST Privacy Framework and Secure Software Development Framework among others – for further guidance.

Furthermore, in the coming weeks, NIST will release a CSF 2.0 reference tool which will help organizations to better understand the relationship between CSF 2.0 and other NIST standards included in its Informative References.

CSF 2.0 is a Stepping Stone to Compliance

With NIST stating that it does not intend to release further drafts of CSF 2.0 before the framework is finalized in 2024, it is safe to assume that there will not be any major changes between the draft and the final version.

Although it will not be a requirement for most federal contractors, CSF 2.0 will help businesses to form a solid cybersecurity foundation essential for compliance with NIST 800-171, 800-53 and CMMC while clarifying the risks that matter most to their business, and their ideal security position. Following NIST guidelines can also help businesses to prepare for future regulations, as state and federal governments use NIST standards to shape cybersecurity laws and guidance.

Securicon helps your business to comply with cybersecurity standards like NIST CSF 2.0 through tailored program and risk assessments. With a team comprised of veterans from the U.S. security community – including DoD, DHS, and the U.S. Cyber Commands – we are equipped to provide organizations with gap analysis, compliance consulting, assessment support, and audit preparation. To learn more, contact us today.

DHS Exploring CMMC-Like Program: Will More Agencies Follow?


The Cybersecurity Maturity Model Certification (CMMC) program has been in effect for almost a year now. In the face of rising cybersecurity threats, the program is meant to provide more robust security standards for defense contractors and a method of enforcement via third-party assessors.

But beginning a few months ago, agencies beyond the Department of Defense (DoD) have expressed interest in following the CMMC or CMMC-like programs, and now the Department of Homeland Security (DHS) has joined their ranks. Over the next year, it’s likely that more will follow, and small business owners are concerned about the potential impact of an increased compliance burden.

In this article, we’ll take a look at the DHS’s recent special notice, its potential effects on small government contractors, and how the landscape for CMMC compliance is likely to change over the coming year.

The DHS Special Notice

On August 10th, the DHS issued a special notice, announcing its intent to “advance our process in assessing industry compliance with Cyber Hygiene clause requirements”. Cyber Hygiene clauses were first adopted by the DHS in 2015 – but until now, the agency has relied on contractor self-assessment to enforce them.

Now the agency hopes to change that with a program modelled on the CMMC. It states: “our end goal is to have a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place as a condition for contract award.” Since then, the agency has been engaged in a pathfinder assessment to determine the best way forward.

The decision mirrors a similar move by the General Services Administration (GSA), which began reserving the right to survey awardees of the Streamlined Technology Application Resource for Services (STARS) III contract for “CMMC level and ISO certification” last October. But CMMC adoption is unlikely to end there.

CMMC: The Perfect Tool for Contractor Assessment

Government agencies are facing increased cybersecurity risk, especially from ransomware and supply chain attacks. This year alone, the SolarWinds and Colonial Pipeline incidents have drawn attention to the need for increased vigilance and higher accountability, culminating in an executive order that demands both.

In this context, it’s easy to understand why agencies are increasingly relying on the CMMC: they need a way to evaluate contractors for cybersecurity preparedness, and CMMC is already designed with this goal in mind. Among other key advantages, it is:

  • Based on regulations from the National Institute of Standards and Technology (NIST), which are up-to-date and designed to address emerging threats.
  • Divided into five certification tiers, ranging from basic cyber hygiene to protection against advanced cyber actors.
  • Equipped with a ready-made enforcement mechanism through certified third-party assessment organizations (C3PAOs).

In order to cope with the federal government’s demand for increased cybersecurity, more agencies are likely to follow in the GSA and DHS’s footsteps, beginning with the largest. But how is this likely to impact contractors?

Impact on Contractors

Increased cybersecurity comes at a cost, and some businesses are concerned they won’t be able to foot the bill if civilian agencies decide to enforce the CMMC’s higher certification tiers. In June, small government contractors lobbied Congress for a more lenient certification process, asking the DoD to reserve Tier 1 certification standards for most companies in the defense industrial base (DIB).

With respect to financial impact, these concerns may be overblown: the DoD has long required compliance with NIST special publication (SP) 800-171 for all defense contractors. Under CMMC, most contractors will be required to meet Tier 3 certification or below, and Tier 3 is comparable to NIST 800-171 in cybersecurity level.

Outside the DIB, NIST 800-171 has also been adopted by the GSA, the National Aeronautics and Space Administration (NASA) and other agencies on a contract-by-contract basis. For contractors of these organizations, CMMC compliance will represent continuity with their existing cybersecurity burden.

Conclusion

Within the federal government’s service supply chain, even small businesses can represent a major cybersecurity risk: attackers can use them as an entry point for organizations further up the chain, and gain access to systems with classified information. As cyber actors become more sophisticated, a higher level of security becomes necessary across the board.

In the end, it makes a lot of sense for government agencies beyond the DoD to lean on CMMC standards. Civilian and non-DoD contractors should prepare by familiarizing themselves with the CMMC, conducting NIST 800-171 self-assessments, and partnering with experts who can help them to comply with the latest federal regulations.


Based on our years of experience conducting assessments for compliance with NIST regulations like SP 800-53 and SP 800-171, which form the basis of CMMC, Securicon can perform readiness assessments and mock audits to help your organization prepare for the real thing. With a DoD background, our world-class experts are ready to take stock of your IT assets and build a security response plan that is tailored to your organization’s needs. Contact us to learn more.


Everything Government Contractors Need to Know About CMMC and NIST 800-171

After its release in January 2020 and after many delays, the new Cybersecurity Maturity Model Certification (CMMC) has not yet been enforced in contracts from the Department of Defense or any other agency. This is expected to change this month, following updates to the Defense Federal Acquisition Regulation Supplement (DFARS). While contractors have until then to prepare for compliance reforms, many are still unaware of CMMC, DFARS, or how they both relate to a single document: National Institute of Standards and Technology (NIST) special publication (SP) 800-171.

In this article, we’ll review the basics of SP 800-171, how it relates to CMMC, and explain why every federal contractor handling Controlled Unclassified Information (CUI) needs to be compliant.

NIST 800-171: What is It?

Since 2017, any federal contractor working with the Department of Defense (DoD) has been required to comply with the standards outlined in SP 800-171, formally titled: Protecting Unclassified Information in Nonfederal Information Systems and Organizations. Based on the more comprehensive SP 800-53, the document outlines strict rules for systems that handle sensitive information and data not meriting a “classified” designation.

NIST 800 and CMMC

This CUI is broad in scope, encompassing almost any data – scientific, financial, or operational – exchanged in the course of a government contract. Since compliance with NIST 800-171 was rolled into DFARS – a supplement to the FAR rules – it has been adopted by state and federal agencies outside the Defense department, including GSA, NASA and others.

Full compliance with SP 800-171 entails the implementation of a System Security Plan (SSP) for all systems handling CUI during a contract, including email, FTP, content management platforms (CMPs), cloud platforms, project collaboration tools and more. Earlier this year, a minor revision (Rev. 2) to the regulation was released, but the basic security requirements in chapter 3 have not been affected.

NIST 800-171: Why Does it Matter?

The vulnerability of protected information has been a growing national security concern. Federal agencies are under constant attack from Advanced Persistent Threat (APT) groups and other malicious actors who may represent foreign adversaries attempting to gain an advantage over the United States. In recent times, these threat actors have shifted their attention to the massive Defense Industrial Base, seeking opportunities to steal and otherwise exploit sensitive information intercepted by government contractors.

Just this March, a Colorado-based aerospace firm fell victim to a ransomware attack which exposed data from customers including Lockheed Martin, General Dynamics, Boeing and SpaceX. Such incidents go to show that – without adequate security controls – the supply chain of federal services can easily be compromised, representing a threat to the businesses who are targeted, their clients, and ultimately the government.

There is a good reason CUI is a protected asset under ITAR, right alongside military technology, arms and services: information is power, and that power becomes deadly in the hands of an enemy. Contractors entrusted with CUI or any other form of sensitive information must wield it responsibly as a protection to themselves and their customers, and that is the ultimate purpose of regulations like NIST 800-171.

How CMMC Changes NIST 800-171 Compliance

In light of evidence that a woefully small percentage of defense contractors were actually complying with NIST 800-171, the DoD began rolling its security requirements into the CMMC in 2019. The first major change is that self-assessment will no longer be enough: after October, contractors will be required to undergo third-party review to demonstrate their compliance with DFARS.

While that means that organizations will have to tighten up their compliance strategy, a second development will make the burden easier to bear: a single standard for compliance will no longer be applied to all defense partners. Under CMMC, there are five security levels and – while all require NIST 800-171 to be followed in some degree – that degree changes between levels:

  • Level 1 Basic Cyber Hygiene – requires basic safeguarding of information systems, encompassing 17 security requirements listed in NIST 800-171.
  • Level 2 Intermediate Cyber Hygiene – requires an additional 55 controls for protection of CUI, coming to a total of 72 security practices.
  • Level 3 Good Cyber Hygiene – adds 58 security practices, bringing the total to 130 practices. Contractors at this level must document each practice and establish a plan for maintaining compliance.
  • Level 4 Proactive – at this level, all contractors must review and measure their practices while sharing findings with upper management and establishing response procedures to changing techniques. A total of 156 security practices, including new ones from Rev. 2.
  • Level 5 Advanced – at this level, all previous requirements must be met, and contractors must have a standard process to defend against Advanced Persistent Threats (APTs).

After pending updates to the DFARS rule, compliance with NIST 800-171 will expand to second- and third-party businesses and vendors working with a Defense contractor, and – at level 3 and beyond – the contractor will be required to ensure that their partners are compliant. Consequently, DFARS requirements will soon be extending to a much larger group of businesses than those working directly with the DoD.

How to Prepare

Since many businesses will have to comply with NIST 800-171 even if they are not working directly with the Defense Department and other agencies, we recommend that they prepare to comply with as much of the regulation as possible. To that end – in conjunction with a copy of CMMC V.1 – they may consult the NIST Handbook 162 to conduct a self-assessment ahead of taking on contracts under CMMC.

However, while self-assessment is a useful tool for preparation, it won’t be enough in the long run: before you are vetted by a third-party, consider partnering with veteran cybersecurity experts to make sure that your organization is meeting the requirements set down by NIST and the DoD.

To become NIST SP 800-171 compliant and avoid costly violations, organizations must take security seriously, take stock of their IT assets and fix vulnerabilities before they can be exploited. With a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!

5 NIST Updates That Will Impact Security Professionals in 2020


It’s fair to say regulations from the National Institute of Standards and Technology (NIST) are a cornerstone of the security of our federal government: NIST documents set the standard for business operations in both the public and private sector, ranging from information security controls (SP 800-53) to cybersecurity practices (CSF). As time goes by, these documents are frequently updated, and keeping track of them can be difficult.

As we mentioned in a recent article, technology has a tendency to change faster than policy can keep up – but that doesn’t mean NIST won’t try. Every year, the agency works diligently to keep its standards current, seeking the advice of industry professionals to produce new documents ahead of future trends. With a new decade ahead of us, NIST is already hard at work, announcing new standards for IoT, privacy and much more.

To ensure your organization is prepared for the next generation of risk and compliance, keeping up with NIST’s activity is vitally important. Our staff is among the industry organizations that advise NIST, and in this article we’ll share five of the biggest updates to recently come from the nation’s foremost authority on federal and commercial enterprise technology.

1. CMMC to Supplant SP 800-53 for DoD Contractors

The Cybersecurity Maturity Model Certification (CMMC) is by far the biggest change to policy impacting federal partners in 2020. Although for now it mainly applies to contractors working with the DoD, that may change with time, and organizations should prepare before it goes into effect later this year.

CMMC has three major goals:

  • Consolidate – and therefore supersede – multiple cybersecurity standards, including NIST documents SP 800-53 and SP 800-171, and several international standards like ISO 27001
  • Prevent organizations from winning a contract until they can demonstrate cybersecurity preparedness
  • Gauge the maturity of a company’s cybersecurity practices and processes, as they have been institutionalized

With five gradually escalating certification tiers, in some ways the CMMC will ease the burden of compliance for federal contractors. In other ways, it will raise the bar for what it means to be “compliant,” forcing organizations to take responsibility for risk and adopt a cybersecurity mindset across their departments. As a military contractor ourselves, we too are adapting to comply.

2. Draft for IoT Standards

The IoT security gap remains one of the greatest threats to security across federal agencies. Thanks to a lack of security controls from IoT vendors – and a lack of awareness from organizations – most IoT devices suffer from multiple vulnerabilities that can be used for espionage, data theft and much more.

In response, NIST has released a draft of IR 8259, titled Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline. The document contains policies focused on bringing IoT vendors in line with the security needs of their customers with controls like data protection, authorized software updates, End-of-Life policies and – most importantly – secure firmware designed to prevent unauthorized device access.

While compliance with IR 8259 is completely voluntary for the time being, a proposal to put NIST in charge of IoT standards remains before the House of Representatives, and may be passed at any time.

3. Privacy Framework

Federal contractors handle a lot of sensitive information, ranging from the personal data of their employees, customers and clients to levels of classified information from government agencies. As emerging data privacy laws seek to mitigate the risk of data incidents across public organizations, NIST is doing its part to prevent them in a federal context with the Privacy Framework (PF).

While the PF is only 39 pages long, it is jam-packed with advice and procedures to defend data security from threats both inside and outside of an organization. Divided into five basic sections, it is also aimed at helping organizations stay prepared for technology advancements and new data use cases:

  • Identify risk to individuals
  • Govern risk management priorities
  • Control privacy risks at a granular level
  • Communicate with stakeholders
  • Protect data from “privacy events”

Version 1.0 of the PF was released at the end of last month, after being available for public comment since September of last year. It has already been adopted by organizations outside the government and should gain wider adoption in the coming months.

4. Supply Chain Risk Management Updates

Released in 2015, SP 800-161 has existed to mitigate risks in the information and communications technology (ICT) supply chain throughout federal organizations. Now, NIST seeks to update Supply Chain Risk Management Practices for Federal Information Systems and Organizations for a new decade, following changes in federal law regarding the acquisition of ICT products in 2019, especially from foreign vendors.

In its pre-draft call for comments, NIST stated its goal to “deliver a single set of cyber supply chain risk management practices to help Federal departments and agencies manage the risks associated with the acquisition and use of IT/operational technology products and services in a way that is functional and usable.”

The ICT supply chain can introduce risk to organizations through poor design, lack of security controls and even backdoors for espionage. Since changes to SP 800-161 will be accompanied by updates to NIST SP 800-37, and SP 800-53, all federal contractors will be affected, and they should stay informed as new information becomes available.

5. Standardization of Cybersecurity Regulations

Ever feel like there are just too many security regulations to keep up with? NIST agrees: in a draft report for the National Cybersecurity Online Informative References (OLIR) Program, it states “the fields of cybersecurity, privacy, and workforce have a large number of documents, such as standards, guidance, and regulations”.

Through the OLIR, NIST aims to simplify compliance procedures through a centralized online repository of cybersecurity legislation complete with cross-references between documents, and advice from subject matter experts. Depending on the extent of the OLIR, it could change the workflow of security professionals throughout the industry and make the adoption of new standards much easier.

NIST accepted public comments on its first draft until February 24th. We don’t know how long it will be until OLIR goes into effect, but it’s safe to assume something will be up and running by the end of this year.

Taking Responsibility

Every new update from NIST points to developing trends in technology and legislation. While keeping up with them can be difficult, the best way to stay ahead of regulations is to stay on top of risk.

Don’t stop at checking off boxes: in 2020, organizations who take responsibility for their business processes, IT infrastructure and insider threats will be the most likely to succeed on the road to full compliance.


Take stock of your IT assets and fix vulnerabilities before NIST tells you to: with a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!