Many people have been keeping an eye on the National Institute of Standards and Technology's Cybersecurity Framework. NIST recently released a major update, the first such update since 2018. For an analysis of the changes, the Federal Drive with Tom Temin spoke with attorney Lance Taubin, a senior associate in Alston and Bird's cyber and data team.
Tom Temin: And you've been advising people on cyber issues following NIST standards for a while now. What is the framework and what's new in the latest version?
Lance Taubin: Thank you, Tom. This framework was previously the overarching standard for critical infrastructure organizations, but that has now changed. One of the key changes is that it applies broadly to all organizations. It's a framework that helps organizations build cybersecurity programs. We used to have five core features, but now we've added a sixth. The five core capabilities were: identify, protect, detect, respond, and recover. And now we've added a sixth core feature: Governance. This is one of the big changes and we can explain it in detail. Essentially, a cybersecurity framework is a comprehensive standard that organizations can use to implement a cybersecurity program.
Tom Temin: Right. And to write a real cybersecurity program, you need to look at other NIST documents, like the Special Publications 800 series. But this one.
Lance Taubin: Are you kind?
Tom Temin: About the framework within which all this works.
Lance Taubin: That's absolutely true, Tom. There are many standards and special publications that NIST has published, including, you know, NIST 800-53 for federal contractors, 800-171 for risk assessment, 800-30, and many more.
Tom Temin: Got it. Well, the new framework has been published. What do people need to know? You mentioned additional capabilities to detect and mitigate cybersecurity attacks, and it looks like governance has been added.
Lance Taubin: Governance is a huge addition here. And it's very much in line with how other regulators and the general zeitgeist feel about cybersecurity. This addition emphasizes the importance of cybersecurity as one of the core elements of an organization's broader enterprise risk management strategy. That means that C-suite executives and C-level board members must consider cybersecurity above and beyond just considering all other categories as key enterprise risks, such as financial, reputational, and intellectual property. But the governance function must also include roles and responsibilities, duties, authorities, policy oversight, and a broader understanding of the context within the organization or risk management.
Tom Temin: And adding this risk management mindset to the upper echelons of an organization seems to signal perhaps a worsening of the importance, the risk, the seriousness of what's going on with cybersecurity. It's no longer just a hassle; it's a real cost.
Lance Taubin: That is correct. And I'm sure you and your listeners scour the radio and news every day to see new incidents, data breaches, cybersecurity incidents, and many other types of incidents at companies. And that's a very real and growing risk. The threat landscape is evolving. And the attackers and criminals who threaten us seem to be just one or two steps ahead of us. And that's exactly what corporate risk is.
Tom Temin: We've been talking to attorney Lance Taubin of Alston and Bird, and he's also said that with the FCC's new cybersecurity disclosure rules, it seems like there are mechanisms in place across government for this idea of governance and a high level of caution for cyber. And we're seeing that idea of disclosure rules pop up all over the place. So, this is very much the case.
Lance Taubin: That's right. The SEC's new Cyber Security Disclosure Rules will improve the cybersecurity of officers and directors, both in the disclosure of material cybersecurity incidents on the 8-K Form and in an organization's quarterly 10-K disclosures, which literally just went to press. It emphasizes strengthening the involvement of Yesterday, the SEC issued a statement regarding one case. I won't go into that, but there was another interesting statement regarding the issuance of a secure cybersecurity incident disclosure under Item 105 or Item 801. I'll add a few more. But it's not just the SEC. The New York State Department of Financial Services recently announced amendments to its cybersecurity regulations. NIST is really the leading regulator in cyberspace that many other regulators on the state and federal side seem to follow. The amendments also emphasize the importance of extending cybersecurity to senior management and board levels.
Tom Temin: Also, do you feel that this requirement or this recommendation for managing cyber will be incorporated into federal contracting requirements as similar types of things are incorporated into contracts?
Lance Taubin: I think it's only a matter of time before these requirements are included in federal contracts. However, it will be interesting to see to what extent and in what detail these requirements will be specified. Therefore, the problem lies in the details, and the jury is still out on this point.
Tom Temin: In the meantime, what do companies need to change, whether it's a contractual requirement, whether it's good policy, whether it's good practice to have that kind of governance? Is there? Contractor. Because it is already a requirement for federal agencies to consider this at the highest level.
Lance Taubin: That's right. So I think what makes the difference is whether you regularly review your cyber security program through risk assessments and cyber security policies to stay up-to-date on the evolving threat landscape and new cyber risks. Because they are changing every day. This is no longer a problem specific to information security or information technology. This is an enterprise-wide issue, everyone across the enterprise, even HR, and the new framework for HR requires a very specific focus and prioritization of cyber security. I think there are subcategories of. So this is not just an issue for engineers. It is the focus of the entire company. And of course, that goes all the way down to the top level of management, setting priorities, setting the agenda for where you want your cybersecurity program to go, making sure that all your cybersecurity risks and your cybersecurity program are actually up to date on those issues. You need to make sure that you have this information. And one of the things that's really important is that there's a statement in the new framework that allocates the necessary resources for cybersecurity. Organizations should not take this lightly. This is a cost and is not generally considered a revenue driver, although it can be considered a revenue driver. But I think this is obviously an important point and it has implications all the way down to the board and senior management level.
Tom Temin: And apparently this also relates to the supply chain issue: are you seeing connections here that don't exist because people are so closely tied to their suppliers, at least their major suppliers, or is that part of an ecosystem that's developing?
Lance Taubin: I think so, Tom. Its focus on supply chain, risk management and security is definitely an enhancement and modification of this framework. It would be foolish to ignore supply chain risks because technology relies on a complex, globally distributed and interconnected ecosystem of vendors and spans various levels of outsourcing. And I think the framework really wants organizations to put more emphasis on this. So while we saw last year that this problem is still there and lawsuits are continuing, the MOVEit Transfer security incident left thousands of organizations and millions of individuals in great jeopardy. was influenced by secure file transfer applications offered to many different organizations. And they were providing it to third parties. So it was a downstream impact.
Copyright © 2024 Federal News Network. All Rights Reserved.