[co-author: Ryan Thompson]

In the past month, the National Institute of Standards and Technology (NIST) has issued a draft update to its flagship cybersecurity framework as well as new standalone guidance on how organizations can plan to recover from cybersecurity events. The publication of these documents demonstrates NIST’s ongoing focus on providing substantive guidance to the private and public sectors alike on cybersecurity risk management. In this post we summarize the highlights of each of these new NIST publications.

Cybersecurity Framework Update

On January 10, 2017, NIST issued draft version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity (Framework).  Since its initial release in February 2014, the Framework has become an important benchmark for corporate cybersecurity programs. The latest draft reflects NIST’s efforts to incorporate feedback received since version 1.0’s release, including over 100 comments received in response to NIST’s December 2015 Request for Information and over 800 comments provided at an April 2016 workshop.

Notable changes to the Framework include the following:

• Supply Chain Risk Management. Draft version 1.1 adds cyber supply chain risk management considerations throughout the Framework, including a new section 3.4 on “Buying Decisions” and a new category under the Framework Core’s Identify function with five subcategories:
  • ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
  • ID.SC-2: Identify, prioritize and assess suppliers and partners of critical information systems, components and services using a cyber supply chain risk assessment process
  • ID.SC-3: Suppliers and partners are required by contract to implement appropriate measures designed to meet the objectives of the Information Security program or Cyber Supply Chain Risk Management Plan
  • ID.SC-4: Suppliers and partners are monitored to confirm that they have satisfied their obligations as required. Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted
  • ID.SC-5: Response and recovery planning and testing are conducted with critical suppliers/providers
• Metrics and Measures. Draft version 1.1 includes a new section 4 on “Measuring and Demonstrating Cybersecurity” that describes how metrics and measures can guide cybersecurity risk management and correlate with business results.
• Identity Management and Access Control. The Framework Core’s Protect function includes a renamed Identity Management and Access Control category with changes to three subcategories:
  • PR.AC-1 (revised): Identities and credentials are issued, managed, revoked, and audited for authorized devices, users, and processes
  • PR.AC-4 (revised): Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
  • PR.AC-6 (new): Identities are proofed and bound to credentials, and asserted in interactions when appropriate
• Implementation Guidance. NIST has expanded the Framework’s explanation of how organizations can make use of Framework Tiers during implementation and how to integrate Framework considerations into overall risk management activities. NIST also added a reference to Special Publication 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, as part of a discussion on how organizations may use the Framework in the design phase to address cybersecurity requirements.

The updated draft includes other changes throughout. Overall, draft version 1.1 adds eight new subcategories and revises six other subcategories within the Framework Core. NIST invites comments on draft version 1.1 through April 10, 2017, with a focus on seven specific questions; comments may be submitted by email to cyberframework@nist.gov. NIST notes its intent is to publish a final version 1.1 by fall 2017, following review of comments received and convening another public workshop on the Framework.

Guide for Cybersecurity Event Recovery

On December 21, 2016, NIST issued Special Publication 800-184, Guide for Cybersecurity Event Recovery (NIST SP 800-184). The document provides detailed guidance regarding how organizations can improve their plans, processes, and procedures aligned with the Framework’s Recover function. NIST notes that given the shift to a mindset where the question is not “if,” but “when” cybersecurity events will occur, it is helpful for organizations to build out their recovery capabilities with that reality in mind. This document is intended to help organizations focus on recovery planning alongside their existing plans for cybersecurity incident response and business continuity / disaster recovery.

Following a cybersecurity event, NIST recommends that organizations proceed with recovery in two phases:

1. The tactical recovery phase focuses on minimizing the disruption caused by the cybersecurity event and promptly returning the organization to full functionality. This phase is accomplished largely through the use of a recovery “playbook” covering three stages: Initiation, Execution, and Termination.
2. The strategic recovery phase focuses on deriving lessons learned from a cybersecurity event and implementing tools, policies, and procedures to help prevent a similar attack from occurring in the future. Implementing a strategic approach towards evaluating and improving preparedness allows organizations to bolster cyber resiliency as well as the effectiveness of future response and recovery procedures.

NIST SP 800-184 provides an in-depth discussion of how organizations can draft tailored “playbooks” that can be used in the event of a cybersecurity event. Drafting a recovery playbook requires a careful assessment of various organizational elements, such as departments, personnel, stakeholders, communication channels, processes, business function priorities and dependency maps, technology assets, legal and regulatory issues, and potential recovery metrics. NIST notes that cybersecurity event recovery is rarely a “one-size-fits-all” approach: organizations are as varied as the cyber tools used to attack them. For example, response and recovery procedures are executed concurrently, and coordinating efforts between response and recovery teams, along with many other internal and external stakeholders that may be involved in incident response, can be a complex process with overlapping considerations and goals (e.g., collecting forensic evidence may delay the recovery of a piece of hardware back to a functional state). NIST includes as an appendix a checklist of elements that may be included in playbooks.

NIST SP 800-184 also provides example playbook responses to two common cyberattack scenarios:  data breach and ransomware. In both cases, the result is the disruption of business functions, but the document highlights how an organization’s approach to response and recover from those disruptions may differ. The document also includes guidance on metrics that may inform and improve the recovery process over time, as well as guidance on root cause remediation that appears novel in expanding the Framework’s discussion of Response and Recover function activities.

Actions to Take Now

The focus and content of NIST’s recent publications suggest a few actions that organizations prudently undertake, including:

• Generally speaking, review the draft framework updates for any changes that would be impractical to implement or could be framed more effectively, and plan for any significant concerns to be relayed to NIST before the end of the comment period.
• In light of the focus on supply chain security risk management in the draft update to the Framework, review your organization’s efforts in this regard to understand any significant gaps to what may be incorporated into the next formal version of the Framework. Particularly for suppliers of components or services that may be the subject of scrutiny by buyers who will be even-more focused on such risks, it may prove very helpful to review and update the elements of your own cybersecurity risk management program so that you can be responsive to new expectations and enhanced oversight.
• While measurement of the efficacy of an organization’s cybersecurity program continues to be a challenge, review the draft Framework updates on “metrics” to confirm that your organization understands and is prepared to incorporate relevant and appropriate elements of the Framework’s new content on this issue.
• With respect to the new NIST guidance on event recovery, review and confirm that your organization’s incident response and business continuity/recovery plans pick up and incorporate any helpful elements.  Note that this publication includes language in Section 2.3.4 on “Root Cause and Containment Strategy Determination,” which appears to introduce new guidance regarding root cause remediation (including guidance on assessing adversary objectives, motivations, tactics, techniques, and procedures) beyond the elements previously outlined within the Framework’s Response and Recover functions.

* * *

Together, these documents signal the United States government’s ongoing substantive focus on the Framework as a vehicle for communicating cybersecurity risk management expectations. As previously noted, organizations are advised to pay close attention to these developments; although these NIST guidance materials are “voluntary” for the private sector, their publication has a government imprimatur and the Framework has received significant attention in regulatory circles (such as the FTC’s blog post aligning its data security enforcement with the Framework).