NIST Releases Cybersecurity Framework 2.0

by Stephanie Goetz | Mar 22, 2024


The National Institute of Standards and Technology released an update to its Cybersecurity Framework (CSF) in late February. The CSF was originally created in 2014 to help critical national infrastructure combat cybersecurity threats.

Though it doesn’t directly translate to requirements for financial institutions, the framework does heavily influence the guidance issued by financial regulators via the Federal Financial Institutions Examination Council (FFIEC). So, we can anticipate that changes to this framework will influence the guidance and focus of examiners.

Here are key changes to the framework:

  1. One of the biggest criticisms of the framework has been its focus on critical national infrastructure, such as hospitals and power grids, which doesn’t scale down very well to smaller businesses. This update has toned down the scale and the technical and federal jargon to make it more universally applicable.

  2. Expanding the emphasis on governance. Previously, there was a governance control in each of the five domains: Identify, Protect, Detect, Respond and Recover. Governance has now been broken out into its own domain and is shown as a circle inside the ring of the five domains to show that it applies to each step.

Some of the biggest issues and failures I’ve found with cybersecurity programs boil down to the lack of governance. It drives a disconnect between management and Information Technology (IT) which leaves risks uncovered or unmitigated. Bridging this gap is a large part of our role as Information Security Officers (ISOs) because it really ensures the soundness of the program and enables good decisions.

  3. New resources are available to walk through implementation in various situations. These are brief documents, very similar to slides, which ask guiding questions in plain English. This is very exciting, as even the most skilled IT or risk management professionals had trouble deciphering the CSF. Here’s a link to the small business example: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1300.pdf

  4. Better communication of what the controls mean via implementation examples. These are much more helpful than the previous subcategories and informative references. A subcategory may have been something like “Notifications from detection systems are investigated,” whereas now it’s a full description such as “Determine a process to track and manage contractual requirements for cybersecurity management of supplier, customer, and partner information.”

  5. The Respond and Recover domains were completely overhauled. These domains were really kind of vague before, in that the controls were difficult to map to what we would actually do in an incident; that is now much more aligned. I’m imagining that since the CSF was published in 2014, we have had an emphasis on resilience, which is what these domains are all about. So, I imagine these updates are reflective of our experience, especially with ransomware.

What should you do as a financial institution because of this update? Don’t aim to fully comply with the CSF 2.0; it’s still broader in scope than the FFIEC guidance. Rather, use it as a reference and benchmark in your security strategy. As ISOs, it could be very worthwhile to review the new governance domain and see if there are any gaps in your approach.

The addition of community profiles can also be very helpful in determining your gaps and target state. There is a profile out there specifically for the financial services industry, which points to the Cyber Risk Institute’s profile, and I’ve heard a lot of good things about this tool. Here’s the link: https://cyberriskinstitute.org/the-profile/.

I hope that this update to the CSF can help solve some of the complexity in managing cyber risk and understanding what is truly important. I’m excited about the emphasis on governance and risk management, from which I’ve seen a lot of improvement in programs and in getting all stakeholders on the same page. I hope it can be helpful to you too.

If you need help implementing better governance in your program, we can help! Contact us at support@bedelsecurity.com.
