NIST Cybersecurity Framework Updates Emphasize Supply Chain, Metrics

4.24.2017 | David Damato

The revised NIST Cybersecurity Framework includes two key changes: expanded details on cyber supply chain risk management, and a new section on cybersecurity metrics and measurement. Tanium CSO David Damato explains why these updates matter for businesses, and where we see room for further improvement.

The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, first released in 2014, has become widely popular with businesses and government agencies alike, largely because it is voluntary, risk-based and not one-size-fits-all. In January 2017 the Framework received its first significant – and much-needed – update, and comments from the public were due April 10.

By 2020, 50% of all US organizations will use the Framework, predicts research firm Gartner. Organizations use the Framework to assess their cybersecurity posture, set goals and develop a cybersecurity program aligned with their unique risks and business objectives. The revised version includes two key changes: expanded details on cyber supply chain risk management, and a new section on cybersecurity metrics and measurement.

NIST framework: Addressing cybersecurity in supply chain management

Given the interconnected nature of our world, it’s no longer good enough for organizations to be responsible for only their internal security. They must be aware of security across their entire supply chain, since any partner could unknowingly offer a point of entry into the organization. The updated Framework gives organizations a common vocabulary for communicating cybersecurity requirements to buyers, suppliers and other partners. They can enact these requirements through contracts, and then verify whether they have been met—all using a common, risk-based Framework.

It’s hard to overstate the importance of incorporating cybersecurity into supply chain management. Many businesses and government organizations contract with dozens or even hundreds of suppliers, who often have extensive access into their networks. A federal agency seeking to upgrade its IT, or a business seeking a cloud provider, can now state its security needs in a standardized manner. The Framework is also a common foundation for many regulatory agencies; now that it accounts for supply chain risk management, it becomes even more effective.

NIST Framework: Establishing cybersecurity metrics

Even more important is the new section on measuring cybersecurity, which was notably missing from the original draft. If done right, measuring cybersecurity is one of the most meaningful changes we can make to improve cybersecurity on a wide scale. A common set of metrics would allow businesses to work toward common quantifiable targets. Eventually, with the right incentives, such metrics could allow them to assess their risk relative to similar organizations. It would make cyber insurance a much more effective option than it is now by allowing insurers to standardize premiums. And it would help the government create effective policies and strategies backed by real-world data.

In this draft, metrics are defined to include “Implementation Tiers, Subcategories and Categories.” Although these components of the Framework can be used by organizations to make informed decisions, the Framework still lacks guidance on how to measure performance in a standardized way or assess the effectiveness of cybersecurity activities.

While the strength of the Framework comes from its not being one-size-fits-all, there are still certain core metrics all organizations should know – or, at least, work toward knowing – both for internal planning and comparison among peers. Now is the time for NIST to work with industry and government agencies to agree on these core metrics and publish them, whether within the Framework or in a separate document.

Of course, for such metrics to be meaningful, organizations must be operating on timely data from reliable and authoritative systems of record. Doing so is still a challenge for many organizations. While NIST recognizes that “the accuracy and precision of the measurement systems” affect the ability of organizations to correlate cybersecurity with business outcomes, this point must be underscored: an accurate and timely system of record is foundational to any measurement effort.

The Framework has already helped organizations establish a foundation to manage risk. Now it must focus on applying this same rigor to measuring risk.

About the Author: As Chief Security Officer, David Damato provides strategic product direction over module development for the Tanium Platform and manages the company’s internal security program. David brings a wealth of security expertise to Tanium, spanning incident response and forensics, vulnerability assessments, security program development, security operations and network and security architecture. Prior to Tanium, David most recently served as Managing Director at Mandiant, a FireEye company, where his team led incident response and post-breach remediation efforts at over 100 Fortune 500 companies. At Mandiant, David was also instrumental in developing new incident response services capabilities and establishing consulting offices both domestically and internationally. Prior to Mandiant, David led security consulting teams at PwC as part of its Washington Federal Practice and held IT roles at Raytheon focused on the management of internal and government networks. David frequently shares his expertise and insights at industry events and with the media.