Much has been written and discussed about the newly updated Cybersecurity Framework 2.0 guidance from the National Institute of Standards and Technology (NIST) and its extension to address the cybersecurity hardening needs of organizations of all sizes and types, not just those working in critical infrastructure.
Published earlier this year, the framework also added a sixth function (governance) to the existing five elements of a successful cybersecurity strategy (identify, protect, detect, respond, and recover).
The governance aspect adds a new dimension to the NIST guidance. Previously, responsibility for cybersecurity strategy rested solely with the chief security officer (CSO) and/or chief information security officer (CISO) and their team; executive leadership was typically involved only from a budgeting perspective. The addition of governance capabilities enables government and commercial organizations implementing this framework to approach cybersecurity in a more holistic and strategic way, involving everyone from the C-suite to end users at every level of the organization.
The Govern function also calls on organizations to be more purposeful and proactive in identifying cybersecurity risks, including those associated with supply chains. This is a particularly challenging area for the many government agencies that rely on numerous contractors and partners to achieve their mission goals.
For example, military and civilian agencies within the federal government need to understand not only their own cybersecurity posture, but also the posture of the organizations that make up their supply chain. Similarly, agencies responsible for the nation's critical infrastructure must constantly manage the cybersecurity maturity of organizations such as power and water companies. In many cases, these agencies may not even be aware of potential risk areas. After all, you can't protect what you can't see.
As you can imagine, this is a huge and complex task, compounded by the continuing shortage of cybersecurity talent and skills, a shortage that hits government harder than the private sector. Add to that the tight and often reduced budgets allocated to cybersecurity and the recurring threat of a government shutdown, and it is easy to see why government cyber leaders are nervous about putting in place the safeguards NIST calls for. The stakes are high, given that the missions of these agencies can directly impact people's lives.
All of this points to the need for a strategy that focuses on risks, not just vulnerabilities, and for investment in a set of solutions that support that strategy by monitoring the supply chain's cybersecurity posture while regularly analyzing risks. Federal cybersecurity teams need tools that help them maintain a complete and up-to-date inventory of hardware, software, services, and systems and identify threats and vulnerabilities.
This goes beyond deploying vulnerability management scanners to monitor risks associated with specific software products or operating systems. As malicious advanced persistent threat actors shift their focus to cloud-based targets, government agencies need to take a broader look at risk areas such as cloud misconfigurations, exposed devices and services, and information leaks.
As agencies continue their efforts to implement NIST's guidance, they should consider the following steps:
— Establish and monitor cybersecurity supply chain risk management strategies, policies, roles, and responsibilities, including oversight of suppliers, customers, and partners. Build requirements into contracts and involve partners and suppliers in planning, response, and recovery efforts while implementing continuous monitoring and checkpoints.
— Regularly analyze and continuously monitor cybersecurity risks, as you would financial risks.
— Maintain inventory of hardware, software, services, and systems. Understand what computers and software your organization uses, including services provided by suppliers. These are often entry points for malicious actors. This inventory can be as simple as a spreadsheet. Consider including owned, leased, and employee personal devices and apps.
— Identify internal and external threats, vulnerabilities, and risks to assets. Risks need to be identified, assessed and documented. Ensure risk responses are identified, prioritized and executed, and results monitored.
— Protect and monitor devices. Consider endpoint security products and apply uniform configurations to devices. Disable services or features that do not support mission functionality. Configure systems and services to generate log records. Dispose of devices securely.
— Manage and maintain software. Update operating systems and applications regularly. Enable automatic updates. Replace end-of-life software with supported versions. Consider using software tools that scan your devices for additional vulnerabilities and remediate them.
— Continuously monitor networks, systems, and facilities to detect potential adverse events. Develop and test processes and procedures to detect indicators of cybersecurity incidents on the network and in the physical environment. Collect log information from multiple organizational sources to help detect unauthorized activity.
— Provide information about adverse events to authorized staff and tools so that appropriate incident response measures are taken. Ensure systems, processes, and procedures are in place and understood by the staff responsible for taking prompt and effective action against cyber threats.
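As an added illustration (not part of the original article or of any Censys product) of how the inventory, end-of-life, ownership and logging recommendations above can be made actionable, the following Python example scores a small constructed inventory, including supplier-provided assets, and orders it into a remediation queue. The finding weights, the doubling for internet-exposed assets, and the asset names and dates are assumptions chosen for the example, not NIST values.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    """One row of the inventory: hardware, software, or a supplier-provided service."""
    name: str
    owner: str                    # empty string when nobody is accountable
    supplier: str                 # "internal" or the third party providing it
    internet_exposed: bool
    logging_enabled: bool         # does it generate log records we collect?
    support_ends: Optional[date]  # vendor end-of-support date; None = unknown


# Weights are a constructed example, not NIST values; tune them to your own risk appetite.
FINDING_WEIGHTS = {
    "end-of-life software": 5,
    "no log records generated": 3,
    "support end date unknown": 2,
    "no accountable owner": 2,
}


def asset_findings(asset: Asset, today: date) -> List[str]:
    """Return the inventory gaps for one asset (an empty list means nothing to fix)."""
    findings = []
    if asset.support_ends is None:
        findings.append("support end date unknown")
    elif asset.support_ends < today:
        findings.append("end-of-life software")
    if not asset.logging_enabled:
        findings.append("no log records generated")
    if not asset.owner:
        findings.append("no accountable owner")
    return findings


def risk_score(asset: Asset, today: date) -> int:
    """Sum the finding weights; an internet-exposed asset counts double (assumed rule)."""
    score = sum(FINDING_WEIGHTS[f] for f in asset_findings(asset, today))
    return score * 2 if asset.internet_exposed else score


def prioritised(inventory: List[Asset], today: date) -> List[Tuple[Asset, int, List[str]]]:
    """Order the inventory worst-first so the remediation queue is explicit."""
    rows = [(a, risk_score(a, today), asset_findings(a, today)) for a in inventory]
    return sorted(rows, key=lambda r: (-r[1], r[0].name))


# Constructed sample inventory; names, suppliers and dates are illustrative only.
TODAY = date(2024, 9, 1)
INVENTORY = [
    Asset("hr-portal", "hr-ops", "vendor-a", True, False, date(2023, 6, 30)),
    Asset("badge-reader-firmware", "", "vendor-b", False, False, None),
    Asset("payroll-db", "finance-it", "internal", False, True, date(2027, 1, 1)),
    Asset("vpn-gateway", "netops", "vendor-c", True, True, date(2026, 12, 31)),
]

if __name__ == "__main__":
    for asset, score, findings in prioritised(INVENTORY, TODAY):
        print(f"{score:>3}  {asset.name:<24} {asset.supplier:<10} "
              f"{', '.join(findings) or 'ok'}")
```

Run as a script it prints the queue worst-first: the exposed, end-of-life portal with no logging lands at the top, the unowned firmware with an unknown support date comes next, and the two well-maintained assets score zero. The same structure works when the inventory is read from the spreadsheet the article mentions; only the loader changes.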
There is no perfect cybersecurity framework. However, by using NIST guidelines in conjunction with other frameworks such as Zero Trust, agencies can significantly reduce their overall risk. The NIST Cybersecurity Framework is not a silver bullet, but it is a great starting point for taking a proactive cybersecurity approach to mitigating risk within your organization.
Shunta Sharrod Sanders, Censys Senior Federal Solutions Engineer