The U.S. National Institute of Standards and Technology (NIST) released the first version of its Cybersecurity Framework (PDF) in 2014. It was originally designed for use by the U.S.'s critical infrastructure sectors to help them better manage cybersecurity threats. As for the enterprises and small businesses that make up the bulk of the U.S. economy? NIST's CSF had less to say about their needs.
That’s why NIST has been hard at work in recent years revamping the framework to serve the vast majority of organizations that operate outside of the critical infrastructure sector. Now, a full decade later, that effort has borne fruit. In February, NIST released CSF 2.0, which addresses its shortcomings in previous versions — and adds significant new guidance on software supply chain security (SSCS).
RL recently hosted a webinar with subject matter experts that include a former CISO, a seasoned threat hunter — and a representative from NIST to discuss why CSF 2.0 is essential, how it can better serve software supply chain security efforts, and how it can be used practically. Here are key takeaways from the panel discussion.
[ See Webinar: Breaking Down CSF 2.0 | Special: NIST CSF 2.0 and C-SCRM for SSCS Risk Management ]
Governance: A new function for a new era of SSCS
Nakia Grayson, IT Security Specialist at NIST, gave an overview of CSF 2.0. during the RL webinar, and stressed that there are several factors that make this version of the document different from its predecessors. This includes the framework's attention to how enterprises can best manage cybersecurity risk.
This difference can be seen when comparing the core functions of CSF 1.1 (released in 2018) vs. 2.0. NIST believes that these core functions are meant to be used by entities to “organize cybersecurity outcomes at their highest level.” Prior to CSF 2.0, the core functions of CSF were Identify, Protect, Detect, Respond, and Recover.
Each of these functions covers vital components of cybersecurity that all companies should be thinking about. But in the context of the modern threat landscape, CSF 1.1 did not offer companies a roadmap for how these functions can be managed collectively to handle all kinds of risk.
This is where CSF 2.0 comes in. While the original five core functions remain in this latest version of the framework, a sixth core function, “Govern,” was added to the list. Grayson said Govern supports “a view for managing cybersecurity risk” that embodies cybersecurity supply chain risk management (C-SCRM), a NIST program also supported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Grayson said the Govern function was added to manage modern cyber risk.
“C-SCRM is major for a number of companies. [It’s] important to see risk throughout the supply chain.”
—Nakia Grayson
The CISO’s POV
Saša Zdjelar, Chief Trust Officer at ReversingLabs and former CISO for ExxonMobile, applauded NIST’s inclusion of the Govern function in CSF 2.0, noting that it brings the concept of governance front and center for organizations. Zdjelar stressed that for many companies, getting to a robust level of governance can be hard. NIST CSF 2.0 bolsters the importance of software supply chain security and makes getting to this level easier for organizations.
The rollout of CSF 2.0 comes at a time where the most consequential software supply chain attacks are targeting more than just open source software. This is why Zdjelar believes that companies should look to CSF 2.0 to better prioritize a recurring target.
“All of the most major software supply chain attacks have one thing in common: commercial software was targeted.”
—Saša Zdjelar
In citing just a few of the major software supply chain incidents from the past few years, including Kaseya, MoveIT, and SolarWinds, Zdjelar made the case for why organizations should begin taking governance seriously. He said they need to manage risk coming from the all software in use in their organization — proprietary, open source and commercial.
Putting the framework into action
As an overarching framework for C-SCRM generally, CSF 2.0 is a step in the right direction. However, it’s important to remember that while the threats posed to today’s software supply chains are real, it can be hard for companies to prioritize them when worrying about the short term needs of their business.
John Bambenek, President of Bambenek Labs, who has spent much of his career as a threat hunter and working amongst security practitioners, stressed that while they would find the concept of governance “interesting,” there are still obstacles in the way of the new function's practical adoption.
“There is a general reluctance to implement anything that slows down business.”
—John Bambenek
Despite this reluctance among businesses, Bambenek said he believes that CSF 2.0 as a framework has great potential in helping businesses understand that addressing software supply chain threats is pertinent to their overall needs.
"[Software supply chain risk is] not just an IT problem, but a business problem.”
—John Bambenek
To make CSF 2.0 practical and beneficial for all kinds of organizations, Bambenek said practitioners need to commodify the framework in a format similar to a SOC 2 report, for example. He believes that this will present the CSF’s core functions in a way that can be audited, so that all kinds of companies – whether small or large; a software producer or a buyer – can make sense of these C-SCRM standards in a practical way.
[ See expert panel discussion: Breaking Down NIST CSF 2.0 ]
Article Link: How NIST CSF 2.0 and C-SCRM help manage software supply chain risk