NIST Cybersecurity Framework update comments highlight a gamut of needed changes

In late February, the National Institute of Standards and Technology (NIST) issued a request for information (RFI) to evaluate and enhance its Cybersecurity Framework, or CSF, first produced in 2014 and last updated in 2018. Many developments in the swiftly changing cybersecurity field prompted NIST to revisit its complex and well-received template designed to help organizations best manage cybersecurity risk.

In its RFI, NIST asked a series of questions about how to improve the use of the framework. Among those questions are whether the framework allows for better risk assessments and management of risks, what relevant metrics might be used to measure the framework’s impact, and what challenges organizations face in using the framework. NIST also asked how to better align or integrate the CSF with other NIST resources, such as the NIST Risk Management and Privacy Frameworks. Finally, NIST asked how it could help identify supply chain-related cybersecurity needs and harmonize the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) with the CSF.

As of the deadline of April 25, NIST received 67 responses and thousands of pages of comments from various public, private, and non-profit organizations. Given the scope of NIST’s RFI and the intricate nature of the subject, the comments ranged widely regarding the level of feedback and the number of detailed recommendations. However, some general themes emerge from these filings. The following summaries are based on five of these filings, highlighting common threads.

Current assessment of the NIST Cybersecurity Framework

Virtually all the commenters praised the framework and the benefits of adopting it. For example, American Airlines, in its submission, said that the “CSF’s five functions [identify, protect, detect, respond and recover] give us better optics into where we succeed and fail in detecting/identifying risks, protecting our processes and data, and responding to and recovering from exposed vulnerabilities.”

Cybersecurity company Trellix told NIST that it believes “the CSF has been highly successful in becoming the focused reference framework for cyber risk management processes and procedures within organizations that have embraced it. The language of the five functions allowed conversations to be had at all levels of the organization, from the board room to the security and network operations centers, and throughout corporate management.”

“Exelon has had enormous benefit from the use of the NIST Cybersecurity Framework,” the energy giant told NIST.

How to improve the NIST CSF

In terms of how NIST can improve the framework, the comments contained numerous disparate recommendations, ranging from don’t make any changes to requests for more implementation guidance. As was typical of a handful of commenters, mobile communications association CTIA asked NIST “to hold off any changes to the framework while other governmental efforts, including those mandated under President Biden’s Cybersecurity Executive Order, work themselves out. While CTIA supports keeping the CSF current, NIST should consider waiting to update the CSF in light of the myriad cybersecurity activities currently underway. Further, when NIST does update the CSF, it must be careful not to make major changes to the document’s core structure and approach.”

Trellix said that NIST should not make wholesale changes to the CSF. “Depending on the level of changes, it could vastly complicate an organization’s ability to see trends that may be emerging if the results are too radically different. We believe there is no need to make radical changes to the structure of the CSF.”

Trellix was among commenters who called for NIST to provide implementation guidance. “Organizations still require support and guidance at the outset so they can better understand what they expect to get out of it, figure a way to institutionalize consistent periodic assessments and continue to have support for it across the organization levels. Just understanding where and how to start can be daunting,” the company said.

Quite a few commenters mentioned the need for more significant consideration of off-premises cloud computing in the framework. For example, Amazon Web Services (AWS) said a “future version of CSF should include concepts that highlight the increased adoption of cloud computing since the CSF was originally published. This could include references to practices such as ‘infrastructure as code’ and secure DevOps that can provide significant advantage in implementing multiple CSF functions.”

Suggestions for relevant cybersecurity metrics

Many commenters suggested that the absence of metrics undercuts the framework’s utility. Consequently, they support the inclusion of metrics in the next iteration of the CSF. AWS said that the “CSF would also benefit from inclusion of metrics to support measuring effectiveness and how well it is being implemented. Further, measures that incentivize uptake of the framework could aid in overcoming barriers to adoption.”

“Metrics have become an essential part of how private industry communicates to leadership. Cybersecurity controls do not easily lend themselves to clean metrics. Suggested metrics for each of the core functions could be a great addition for the use of the NIST CSF,” said Exelon.

Other commenters cautioned that metrics are complicated, and NIST should pursue their inclusion with caution. “Cyber risk management is a process of continuous improvement, identifying, evaluating, and mitigating risk over time,” Trellix said. “Being able to compare the multiple assessment results in a consistent fashion is critical to seeing if the organization is going in the right direction by reducing cyber risk. Any means for providing guidance as to how to use metrics needs to address the ‘point-in-time’ CSF assessment and also how to properly compare results over a relevant set of point-in-time results.”

Some commenters argued against the inclusion of metrics in an updated framework. “Metrics for cybersecurity improvements are much more of an individual company output than a framework output,” American Airlines wrote. “As written, the NIST CSF, lacking the ‘how’ depth, is not conducive in its present form to be a tool useful to articulate relevant metrics.”

Alignment with other frameworks

The comments were a mixed bag for aligning the CSF with other frameworks, including the NIICS. “If the intent of the framework is to be broad in its coverage, then do not add other frameworks or references,” American Airlines said. “Rather, expand mapping related categories/sub-categories to pertinent documentation.”

AWS said, “We specifically want to highlight the need for alignment with the NIST SSDF [Security Software Development Framework]. References to practices such as secure DevOps can provide significant advantage in implementing multiple CSF functions. The NIST CSF should map its core functions to SSDF practices, instead of adding development environment-related guidelines in core CSF functions. Further, all new NIST resources should include a mapping to NIST 800-53 baselines and a gap analysis.”

CTIA said it favors greater alignment with other resources, particularly cybersecurity supply chain risk management frameworks. “By advocating for a unified federal strategy to C-SCRM and devising strategies that will facilitate harmonization, the NIICS can provide value to the government by reducing unnecessary burdens on industry, encouraging innovation, minimizing confusion and overlap, and reducing administrative burdens on both the federal government and the private sector,” the association said.

Supply chain risk management

Finally, the commenters largely approve of updating the CSF’s supply chain risk management provisions first incorporated in the CSF 1.1 update in 2018. But several of the responses noted that the federal government already has some supply chain risk initiatives that NIST should carefully consider when updating the framework.

CTIA warned that “NIST should approach cybersecurity supply chain risk management (C-SCRM) with caution. Supply chain issues are important to cyber risk management but are already subject to extensive work by multiple other agencies. NIST should refresh the CSF’s Informative References and mappings to ensure that an Updated CSF reflects the robust treatment of C-SCRM issues that has developed in many venues since the release of CSF 1.1.”

“We encourage NIST to take a more forward-looking and inclusive view of the Administration’s supply chain security work-streams and how best to update these,” Trellix said. “Supply chain security has been a very active topic across multiple agencies and industry efforts. Focusing only on the work done at NIST robs NIST and the CSF community of all the great work that has occurred within other efforts.”