Analysis of latest NIST cybersecurity framework

Lots of people pay attention to the Cybersecurity Framework from the National Institute of Standards and Technology. NIST came out with a major update recently.

Lots of people pay attention to the Cybersecurity Framework from the National Institute of Standards and Technology. NIST came out with a major update recently. The first such update since 2018. For an analysis of what’s changed, the Federal Drive with Tom Temin spoke with attorney Lance Taubin, senior associate on the Cyber and Data Team at Alston and Bird.

Interview Transcript: 

Tom Temin And you’ve been following NIST’s standards and advising people for some time now on cyber issues. Just briefly, what is the framework all about and what is new in the latest version?

Lance Taubin So our thanks Tom. So, the framework is really a holistic standard that previously was geared towards critical infrastructure organizations, but now has changed. And one of the key changes is to more broadly apply to all organizations. And it’s a framework to help organizations build out their cybersecurity programs. And they’ve used five core functions previously. And then I’ve added a sixth. But the five core functions were identify, protect, detect, respond and recover. And now they’ve added a sixth core function governance, which is one of the major changes, which we can go into. But essentially the cybersecurity framework is truly a holistic standard that organizations can use to implement a cybersecurity program.

Tom Temin Right. And to have an actual cybersecurity program, you need to refer to other NIST documents such as Special Publications 800 series. But this.

Lance Taubin Is it’s kind.

Tom Temin Of the framework under which all of those operate.

Lance Taubin That’s precisely right, Tom. There are a number of different standards and special publications that they’ve issued. NIST 800-53 for, you know, federal contractors, 800-171 risk assessments, 800-30. So, there’s many others.

Tom Temin All right. So now the new framework is out. What do people need to know. You mentioned the addition of obviously you want to detect and mitigate cybersecurity attacks. Sounds like governance is what they’re adding.

Lance Taubin Governance is a huge, huge addition here. And it actually is very much in line with how other regulators and kind of the general zeitgeist has felt about cybersecurity. Now, the addition really emphasizes the importance of cybersecurity as one core component of an organization’s broader enterprise risk management strategy. So, it’s not executives, C-suite board, members should not just be, you know, considering financials and reputation and intellectual property, you know, all other categories as key enterprise risks. But now also, should be, considering cybersecurity, the governance function encompasses roles and responsibilities, duties, the authority, policy oversight, and kind of just a broad understanding of context within the organization or risk management.

Tom Temin And to add then this idea of risk management to the higher levels of an organization that seems to maybe indicate that the importance and the risk and the severity of what’s happening in cybersecurity has gotten worse. It’s not just an annoyance so much anymore as a real cost.

Lance Taubin That’s right. And I’m sure, you know, you and your listeners will, you know, be sifting through radio and the news every day and see a new incident, data breach, cybersecurity incident that, you know, a whole host of different types of companies. And, and it is a very real escalating risk. The threat landscape is evolving. And they the threat actors and criminals seem to be, just 1 or 2 steps ahead of us. And it is truly an enterprise risk.

Tom Temin We’re speaking with attorney Lance Taubin of Alston and Bird. And you also mentioned that there seems to be a mechanism across government for this idea of governance and high-level attention to cyber because of the FCC’s new cybersecurity disclosure rule. And we’re seeing that disclosure rule idea pop up all over the place. And so, there’s this is of a piece, you might say, that’s right.

Lance Taubin That’s right. So I think between, the SEC new cybersecurity disclosure rule, which does, you know, emphasize and stresses the increased involvement of executives and or directors, in cybersecurity, both for disclosing material cybersecurity incidents under, you know, via form 8-K and for the organization’s quarterly, 10-K disclosures, which, you know, in fact, literally hot off the press. Yesterday, the SEC issued a statement about, a case. And, I won’t get into that, but another interesting statement about issuing disclosures about secure cybersecurity incidents under item 105 or item 801. Adding some. But not just the SEC. We’ve seen the New York Department of Financial Services, issue a recent amendment to their cybersecurity regulation. NIST is a really, a leading regulator. That in the cyber space that many other regulators, both on the state side and federal side, have seem to follow. And in that amendment, they’ve also, highlighted and stressed the importance of escalating cybersecurity to the senior management and the board level.

Tom Temin And do you sense that this requirement or this recommendation for governing cyber will make its way into federal contracting requirements, because there are similar types of things making their way into contracts?

Lance Taubin I do I it’s only a matter of time before these, these requirements make their way into federal contracts. It will be interesting, though, to see, to what extent and how granular, how detailed those requirements will be. So, I think the devil’s in the details, and the jury’s still out on that one.

Tom Temin In the meantime, then, whether it’s a requirement in contract or not, if it’s good policy, if it’s a good practice to have that kind of governance, what do companies need to do differently? Contractors. Because it’s already a requirement for federal agencies to consider this at the highest levels.

Lance Taubin That’s right. So, I think the difference really comes in to making sure that they are regularly reviewing the cybersecurity program through risk assessments, their cyber security policies, making sure that they are up to date on the evolving threat landscape and the new cyber risks, because those are truly changing on a daily basis. This is no longer just information security specific or an information technology specific issue. This is an enterprise issue that everyone across the enterprise, whether it’s H.R. and I believe, there’s a specific, subcategory within the new framework for H.R., very specifically focusing and prioritizing cyber security. So, it’s really not just for technical folks. It is an enterprise-wide focus. And then of course, that has to go, you know, to the top levels of management to ensure that they are, setting the priorities and setting the agenda of where they want to take the cybersecurity program and ensure that all cybersecurity risks cybersecurity program is, in fact, they’re up to date on those issues. And I think one really important aspect is there’s a there’s a statement within the new framework about allocating necessary resources for cybersecurity. Organizations should not take that lightly. Understanding this is a cost, and it’s not generally considered a revenue driver, although it can be considered a revenue driver. But I do think that’s an important aspect obviously, which you know, comes gets to the higher, you know, board and senior management levels.

Tom Temin And somehow this seems to relate also to the supply chain issue. Since people are so tightly tied in with their suppliers, at least their primary suppliers, that am I seeing a link here that doesn’t exist, or could that be part of the ecosystem that’s developing?

Lance Taubin I think that’s right. Tom. Assist the focus on the supply chain, risk management and security is definitely an enhancement and a change in this framework. The technology relies on a complex, globally distributed, interconnected ecosystem of vendors and, and across, you know, so many different levels of outsourcing that it would be foolish to ignore the supply chain risks. And, you know, it is really just, I think the framework really wants the organizations to have an increased focus on this. I mean, we saw this last year, which is, you know, there’s still some lingering issues and litigation going on, but with the, move it transfer security incident where, you know, thousands of organizations and millions of individuals were impacted by a, you know, secure file transfer application that was provided to, to many, many, many different organizations. And then they had, you know, third parties that they were providing it to. So, it was a downstream effect.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories