NIST has announced an update to its Cybersecurity Framework. The initial version was published in 2014.
In my opinion, there are some significant changes to the framework, and I think it should be called 2.0.
Some of the key changes are:

1. Identity Management – authentication, authorisation and identity proofing
2. Supply chain risk management
3. Internal selfassessment and measurement of cybersecurity

• Do you implement NIST CSF in your organisation?
• What do you think about the changes?
• What other changes would you recommend?

• This topic was modified 1 year ago by  vijayga.

Topic

[cyborgParticipant]

My organization is in the process of implementing NIST Cybersecurity Framework (draft version 1.1).
I believe the changes reflect a sensible update that reflects that changing nature of the threats landscape.

1. Identity Management – authentication, authorization and identity proofing
– Two factors authentication as a minimum should have been required industry standard a long time ago. I am glad to see that the NIST CSF aims to emphasize that. In addition, phishing attacks usually start by spoofing an email. By leveraging a Public Key Infrastructure (PKI) organization can then enable their identity proofing capability thus, in combination with reducing user’s cyber awareness training, more effectively mitigate the risk of email spoofing and consequently spearfishing attacks.

2. Supply chain risk management
– Since network devices, ICS, and other electronic products are manufactured by multiple suppliers, the opportunity for a threat actor to implant malicious code in a component are multiple. Such code can then be used as an Advanced Persistent Threat (APT) once the component has been installed in a network. It is paramount that an organization to implement a strategy to increase its visibility and if possible control over its supply chain. In addition, to policies to quarantine and inspect and scrub any equipment before introducing it into any network.

3. Internal self-assessment and measurement of cybersecurity
– Having a clearly defined process for an organization to self-access the maturity of its security posture increases awareness and facilitates prioritization of resources.

[cyborgParticipant]

My organization is in the process of implementing NIST Cybersecurity Framework (draft version 1.1).
I believe the changes reflect a sensible update that reflects that changing nature of the threats landscape.

1. Identity Management – authentication, authorization and identity proofing
– Two factors authentication as a minimum should have been required industry standard a long time ago. I am glad to see that the NIST CSF aims to emphasize that. In addition, phishing attacks usually start by spoofing an email. By leveraging a Public Key Infrastructure (PKI) organization can then enable their identity proofing capability thus, in combination with reducing user’s cyber awareness training, more effectively mitigate the risk of email spoofing and consequently spearfishing attacks.

2. Supply chain risk management
– Since network devices, ICS, and other electronic products are manufactured by multiple suppliers, the opportunity for a threat actor to implant malicious code in a component are multiple. Such code can then be used as an Advanced Persistent Threat (APT) once the component has been installed in a network. It is paramount that an organization to implement a strategy to increase its visibility and if possible control over its supply chain. In addition, to policies to quarantine and inspect and scrub any equipment before introducing it into any network.

3. Internal selfassessment and measurement of cybersecurity
– Having a clearly defined process for an organization to self-access the maturity of its security posture increases awareness and facilitates prioritization of resources.

[Author]

Replies