Much has been written and discussed about the newly-updated Cybersecurity Framework 2.0 guidance from the National Institute for Standards and Technology (NIST) and its expansion to address the need for strengthened cybersecurity in organizations of all sizes and types – not just those working in areas related to critical infrastructure.
Issued earlier this year, the framework also added a sixth function (Govern) to the existing five components of a successful cybersecurity strategy (Identify, Protect, Detect, Respond and Recover).
The Govern aspect adds new dimensions to NIST guidance. Before, responsibility for cybersecurity strategies fell solely into the laps of chief security officers (CSOs) and/or chief information security officers (CISOs) and their teams. Executive leadership was generally involved only from a budgeting perspective. With the addition of the Govern function, government and commercial organizations implementing the framework would now approach cybersecurity in a more holistic and strategic fashion – taking into account everyone from executive leadership to the end users at every level of the organization.
The Govern function also calls on organizations to become more purposeful and proactive in their approach to identifying cybersecurity risks, including risks associated with supply chains – an area that is especially fraught for many government agencies that depend on a multitude of contractors and partners to achieve their mission goals.
For example, military and civilian agencies within the federal government need to understand not only their own cybersecurity postures but also the postures of the organizations that are part of their supply chains. Similarly, agencies responsible for the nation’s critical infrastructure have to maintain a handle on the cybersecurity maturity of entities such as electric or water companies. In many cases, these government organizations may not even be aware of potential risk areas. After all, you can’t protect what you can’t see.
As you might imagine, this is a huge and complicated task, compounded by the ongoing shortage of cybersecurity workers and skills, which has hit the government even harder than the commercial sector. Add to that the issues of tight and often reduced budgets allocated for cybersecurity as well as the continual threat of government shutdowns, and you can see why government cyber leaders are feeling strained to put in place the needed safeguards NIST calls for. The stakes are high, given that these agencies’ missions can directly impact the lives of citizens.
This all points to the need for a strategy focused on risk, not just vulnerability, and investment in solution sets to support an overall strategy to monitor the cybersecurity posture of supply chains while analyzing risk at regular intervals. Federal cybersecurity teams need tools to help them maintain a complete and up-to-date inventory of hardware, software, services and systems and to also identify threats and vulnerabilities.
This goes beyond the deployment of vulnerability management scanners that monitor risk associated with certain software products and operating systems. With malicious advanced persistent threat attackers switching their focus to cloud-based targets, government agencies need to look at more broadly at risk areas such as cloud misconfigurations, exposed devices and services and information leakage.
As agencies continue to push forward in their efforts to implement NIST’s guidance, they should consider the following steps:
— Establish and monitor cybersecurity supply chain risk management strategy, policy, roles and responsibilities — including for overseeing suppliers, customers and partners. Incorporate requirements into contracts, and involve partners and suppliers in planning, response and recovery efforts while implementing continuous oversight and checkpoints.
— Analyze cybersecurity risks at regular intervals and continuously monitor them, just as you would with financial risks.
— Maintain inventories of hardware, software, services, and systems. Know what computers and software your organization uses, including services provided by suppliers — as these are frequently the entry points of malicious actors. This inventory could be as simple as a spreadsheet. Consider including owned, leased and employees’ personal devices and apps.
— Identify internal and external threats, vulnerabilities and risk to assets. Risks should be identified, assessed and documented. Ensure risk responses are identified, prioritized and executed, and that results are monitored.
— Protect and monitor devices. Consider endpoint security products, and apply uniform configurations to devices. Disable services or features that don’t support mission functions. Configure systems and services to generate log records. Ensure devices are disposed of securely.
— Manage and maintain software. Regularly update operating systems and applications; enable automatic updates. Replace end-of-life software with supported versions. Consider using software tools that scan devices for additional vulnerabilities and remediate them.
— Monitor networks, systems and facilities continuously to find potentially adverse events. Develop and test processes and procedures for detecting indicators of a cybersecurity incident on the network and in the physical environment. Collect log information from multiple organizational sources to assist in detecting unauthorized activity.
— Provide information on adverse events to authorized staff and tools to ensure appropriate incident response actions are taken. Ensure systems, processes and procedures are in place and understood by staff members responsible for taking quick and effective action to address cyberthreats.
No cybersecurity framework is perfect. But by embracing the guidelines from NIST alongside other frameworks such as zero trust, government agencies can reduce their overall risk significantly. While not a silver bullet, the NIST Cybersecurity Framework represents an excellent starting point to taking a proactive cybersecurity approach to reducing risks within an organization.
Shunta Sharod Sanders, Senior Federal Solutions Engineer at Censys