NIST CSF 1.1: Key Updates and Why They Matter

Written by NRI Secure | Feb 28, 2024 3:00:00 PM

The NIST Cybersecurity Framework (CSF) is a set of guidelines developed by the National Institute of Standards and Technology (NIST) to help organizations manage cybersecurity risk. Its creation was directed by an executive order issued by President Obama in February 2013, and NIST gathered input from government and private sector entities during its development.

Commonly known by its abbreviation, CSF (Cyber Security Framework), it is widely referenced even outside the US; many companies and organizations in Japan, for example, use it as a guide to improve their cybersecurity measures.

The framework's official title is the "Framework for Improving Critical Infrastructure Cybersecurity." The first version (Version 1.0) was published in February 2014; an updated version (Version 1.1) was released in April 2018. This article will cover the fundamentals of the NIST CSF, focusing primarily on the features of NIST CSF Version 1.1.

On February 26, 2024, the National Institute of Standards and Technology (NIST) officially released version 2.0 of the NIST Cybersecurity Framework (NIST CSF). For more details about the latest version, please see below.

Key Features of the NIST CSF

When compared to other prominent frameworks, the NIST CSF is recognized for several key features: it specifically focuses on addressing cyberattacks, its requirements are generalized for broad applicability across diverse organizations, it employs a risk-based approach, and the framework itself is freely available. These characteristics have contributed to its growing adoption by companies and organizations worldwide.

The following table compares the NIST CSF with other well-known frameworks such as ISMS, CIS Controls, and PCI DSS.

CSF (NIST, initial version 2014)
  Key characteristics: Stronger on organizational aspects; focused on cyberattack countermeasures
  Target audience: Critical infrastructure
  Content: Primarily focuses on cyberattack countermeasures. Requirements are general to allow for wide adoption.

ISMS (ISO/IEC, initial version 2005)
  Key characteristics: Stronger on organizational aspects; broader information security scope
  Target audience: Industry-agnostic
  Content: Primarily focuses on verifying overall information security measures. Lacks sufficient coverage for incident response.

CIS Controls (SANS, initial version 2009)
  Key characteristics: Stronger on technical aspects; focused on cyberattack countermeasures
  Target audience: Industry-agnostic
  Content: Primarily focuses on verifying technical measures against cyberattacks.

PCI DSS
  Key characteristics: Stronger on technical aspects; broader information security scope
  Target audience: Industries that handle credit card information
  Content: Protection of credit card information.

Although its formal name translates to "Cybersecurity Measures for Critical Infrastructure," the NIST CSF offers a comprehensive compilation of cybersecurity best practices and assessment standards, designed for use by organizations of any size or industry to evaluate their security measures.

Components of the NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) consists of three key components: "Core," "Tier," and "Profile." By utilizing these three elements, organizations can more easily conduct gap analyses between their current cybersecurity posture and their target state.

Key Points

  1. Core: A list of cybersecurity measures defined under specific categories.
  2. Tier: A maturity assessment framework for quantifying the level of cybersecurity measures (4 levels).
  3. Profile: The organization's current (As-Is) and target (To-Be) cybersecurity posture.

Now, let's take a closer look at each of these components as defined in NIST CSF version 1.1.

Key Point 1: Understanding the Structure of the Core

First, let's look at an overview of the Core. The NIST CSF Core outlines common cybersecurity measures that apply across industries and sectors. The table below summarizes the structure of the Core; we prepared it based on IPA materials.

Identify (ID)
  ID.AM  Asset Management
  ID.BE  Business Environment
  ID.GV  Governance
  ID.RA  Risk Assessment
  ID.RM  Risk Management Strategy
  ID.SC  Supply Chain Risk Management

Protect (PR)
  PR.AC  Access Control
  PR.AT  Awareness & Training
  PR.DS  Data Security
  PR.IP  Information Protection Processes & Procedures
  PR.MA  Maintenance
  PR.PT  Protective Technology

Detect (DE)
  DE.AE  Anomalies & Events
  DE.CM  Security Continuous Monitoring
  DE.DP  Detection Processes

Respond (RS)
  RS.RP  Response Planning
  RS.CO  Communications
  RS.AN  Analysis
  RS.MI  Mitigation
  RS.IM  Improvements

Recover (RC)
  RC.RP  Recovery Planning
  RC.IM  Improvements
  RC.CO  Communications

Each category connects to several subcategories that list specific actions for organizations to consider when putting cybersecurity measures in place. The table below, based on IPA materials, shows how the asset management category relates to its subcategories.

Category: Asset Management (ID.AM)
Identify data, personnel, devices, systems, and facilities that enable the organization to achieve business objectives, and manage them according to their relative importance to business objectives and the organization's strategy.

Subcategories:
  ID.AM-1: An inventory of physical devices and systems within the enterprise is created.
  ID.AM-2: An inventory of software platforms and applications within the enterprise is created.
  ID.AM-3: A diagram of communication and data flows within the enterprise is prepared.
  ID.AM-4: An inventory of external information systems is created.
  ID.AM-5: Resources (e.g., hardware, devices, data, software) are prioritized based on classification, criticality, and business value.
  ID.AM-6: Cybersecurity roles and responsibilities are defined for all employees and third-party stakeholders (e.g., suppliers, customers, partners).

Key Point 2: Understanding and Measuring the Tiers

One of the main reasons why the NIST CSF is widely supported is its measurability. This is made possible by the role of tiers.

The CSF tiers utilize a 4-level maturity assessment framework to quantify the state of cybersecurity measures.

The four levels of tier evaluation are as follows:

  1. Partial: Cybersecurity risk management is ad hoc and reactive; limited awareness and inconsistent practices.
  2. Risk-Informed: Risk management practices are approved but not consistently implemented organization-wide; some awareness and planning.
  3. Repeatable: Risk management processes are formally established, repeatable, and regularly updated; clear understanding across departments.
  4. Adaptive: Cybersecurity risk management processes are fully integrated and adaptive to changing threats; predictive analysis and continuous improvement.

In frameworks that assess maturity, including NIST CSF, it's common for respondents to struggle with determining which level best represents their organization's situation. To avoid confusion, the tiers can be simplified by considering the implementation and operational status of measures. Below is an example of a simplified definition for the 4 levels of tier evaluation.

Simplified criteria (definition example):

  1. Partial: Measures not yet implemented
  2. Risk-Informed: Measures implemented
  3. Repeatable: Measures implemented and regularly reviewed
  4. Adaptive: Measures implemented and reviewed in a timely manner

The NIST CSF framework was designed to be adaptable and flexible to allow for adjustments based on each organization’s specific needs. Therefore, the exact definition of the Tier levels should be discussed and agreed upon within each organization, with relevant stakeholders aligning on how each level is interpreted.

Additionally, the goal of a maturity assessment is not necessarily to achieve the highest level (Tier 4 in CSF). Instead, organizations should set appropriate Tier levels for each category, based on factors like business characteristics and the nature of their information assets.

Key Point 3: Deciding on the Approach to Define Profiles

Unlike the Core and Tier, which are broadly applicable, the Profile is influenced by each organization’s specific characteristics and strategies. As a result, while the NIST CSF offers guidelines for creating Profiles, it does not provide a template. This makes the Profile component a part of the framework that requires creativity and adjustment from cybersecurity professionals.

Profiles are tailored based on the organization's business requirements, risk tolerance, and available resources. They describe the current state (As-Is) and the desired future state (To-Be) of cybersecurity measures.

The primary aim of using the NIST CSF is to maintain, strengthen, and improve cybersecurity measures. To achieve this, it is crucial that the current state (As-Is) and the target state (To-Be) are measured with the same metrics.

Here are some practical examples of how NIST CSF profiles can be used:

Identify (As-Is: Lv2, To-Be: Lv3): Develop an understanding of the organization's systems, assets, data, and capabilities to manage cybersecurity risk.
Protect (As-Is: Lv1, To-Be: Lv3): Implement safeguards to ensure delivery of critical services and limit the impact of potential cybersecurity events.
Detect (As-Is: Lv1, To-Be: Lv2): Develop and implement activities to identify the occurrence of cybersecurity events.
Respond (As-Is: Lv1, To-Be: Lv3): Develop and implement activities to take action regarding a detected cybersecurity incident.
Recover (As-Is: Lv2, To-Be: Lv3): Develop and implement activities to restore capabilities or services that were impaired due to a cybersecurity incident.

First, it's essential to understand the role of a Profile. The Profile is used to assess the current cybersecurity situation using the NIST CSF and, based on this evaluation, determine the desired level of cybersecurity for the organization.

The goal is not necessarily to aim for Tier 4 but to set a target that reflects the organization's future goals. This involves a comprehensive approach and stakeholder collaboration to reach a consensus on the target level.

Let's consider some specific scenarios to explore this further.

What do we mean by "business requirements"? Defining the exact industry or sector an organization belongs to in today's business landscape can be challenging. For instance, it's common for companies in sectors like telecommunications or retail to expand into the financial industry. Each industry has its standards and regulations, with government oversight being a significant factor. If an organization plans to expand into a new industry, this should be considered when setting the target Profile.

A company that is currently privately held but plans to go public soon will need to establish a management system that meets the standards of a publicly traded company, including cybersecurity controls. This scenario is common among rapidly growing startups approaching an IPO, where security policies must be quickly implemented.

Moreover, even if a company currently operates independently, plans to expand through new partnerships, joint ventures, or outsourcing should also be taken into account. In such cases, the company may need to address risk management categories specific to supply chain cybersecurity, such as ID.SC.
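As an added example (not part of the original post and not SecureSketCH code), the following Python helper models the Core identifiers from the table above and runs the As-Is versus To-Be gap analysis described in this section. The Core category sets and the example profile levels come from the tables on this page; the identifier pattern, the Gap type and the ranking rule (largest gap first) are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# CSF 1.1 Core: Function -> category identifiers, as listed in the Core table above.
CORE = {
    "ID": {"AM", "BE", "GV", "RA", "RM", "SC"},
    "PR": {"AC", "AT", "DS", "IP", "MA", "PT"},
    "DE": {"AE", "CM", "DP"},
    "RS": {"RP", "CO", "AN", "MI", "IM"},
    "RC": {"RP", "IM", "CO"},
}
TIERS = {1: "Partial", 2: "Risk-Informed", 3: "Repeatable", 4: "Adaptive"}
# Assumed pattern: Function ("PR"), category ("PR.AC") or subcategory ("PR.AC-4").
_ID_RE = re.compile(r"^(ID|PR|DE|RS|RC)(?:\.([A-Z]{2})(?:-(\d+))?)?$")

@dataclass(frozen=True)
class Gap:
    identifier: str
    current: int  # As-Is Tier
    target: int   # To-Be Tier

    @property
    def delta(self) -> int:
        return self.target - self.current

def parse_identifier(text: str) -> Tuple[str, Optional[str], Optional[int]]:
    """Split 'ID.AM-3' into ('ID', 'AM', 3); reject anything not in the Core."""
    m = _ID_RE.match(text.strip())
    if not m or (m.group(2) and m.group(2) not in CORE[m.group(1)]):
        raise ValueError(f"not a CSF 1.1 Core identifier: {text!r}")
    func, cat, sub = m.groups()
    return func, cat, (int(sub) if sub else None)

def gap_analysis(current: Dict[str, int], target: Dict[str, int]) -> List[Gap]:
    """Compare As-Is and To-Be profiles (identifier -> Tier 1..4); return the
    entries that still need work, largest gap first (assumed ranking rule)."""
    if current.keys() != target.keys():
        raise ValueError("both profiles must cover the same identifiers")
    gaps = []
    for ident in current:
        parse_identifier(ident)  # fails fast on typos such as 'ID.XX'
        cur, tgt = current[ident], target[ident]
        if cur not in TIERS or tgt not in TIERS:
            raise ValueError(f"Tier for {ident} must be one of {sorted(TIERS)}")
        if tgt > cur:
            gaps.append(Gap(ident, cur, tgt))
    return sorted(gaps, key=lambda g: (-g.delta, g.identifier))
# Function-level profile taken from the worked table above (Lv = Tier).
EXAMPLE_AS_IS = {"ID": 2, "PR": 1, "DE": 1, "RS": 1, "RC": 2}
EXAMPLE_TO_BE = {"ID": 3, "PR": 3, "DE": 2, "RS": 3, "RC": 3}
```

Running gap_analysis(EXAMPLE_AS_IS, EXAMPLE_TO_BE) puts Protect and Respond first, since both need two Tier steps to reach their target.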

Features of Version 1.1

The NIST CSF 1.1, updated in April 2018, includes six key points:

Key Points

  1. Clarification of Terminology: This clarifies terms that may have different meanings or interpretations across stakeholders, such as in compliance.
  2. Self-Assessment: Supplemental guidance on self-assessment has been added in Section 4.0, emphasizing practical application.
  3. Significant Strengthening of SCRM: A new category for Supply Chain Risk Management (SCRM) has been introduced in the Core.
  4. Revision of Explanations: Explanations related to authentication, authorization, and identity verification have been refined and expanded.
  5. Enhanced Usage Guidance: Additional information about using Tiers in framework implementation has been added in Section 3.2.
  6. Consideration of Vulnerability Disclosure: New subcategories related to disclosure cycles have been added.

While each of these improvements is an important update, the most notable revision is the significant strengthening of SCRM (Supply Chain Risk Management).

As digitalization advances, the increasing use of cloud technologies, IoT, and the diversification of manufacturing and international operations make threats related to supply chain risks more severe. From the supply chain perspective, managing risks within a single company is not enough; it also involves controlling risks related to suppliers and SMEs.

For more details on the supply chain updates, please refer to Section 3.3 of NIST CSF 1.1: "Communicating Cybersecurity Requirements to Stakeholders."

Figure 7. Cyber Supply Chain Relationship (Source: NIST CSF v1.1)

SecureSketCH's Compliance with NIST CSF

In February 2019, SecureSketCH updated its questions to reflect the NIST CSF Version 1.1, enhancing its compliance with the framework. All SecureSketCH users have automatically been updated to questions compliant with CSF 1.1. The platform will continue leveraging its service model to align consistently with other frameworks.

The "Guideline Check Function" in SecureSketCH allows organizations to analyze and verify whether their cybersecurity measures comply with various global security frameworks, including NIST CSF, CIS Controls, and ISO/IEC 27001 and 27002. Previously, SecureSketCH checked only the specific measures it had defined. With this feature, organizations can cross-reference their cybersecurity levels with multiple guidelines to push forward appropriate security measures tailored to their needs.

By using SecureSketCH to cross-reference with various frameworks, users can check compliance more efficiently and quickly and provide explanations to internal and external stakeholders. As part of this effort, we will continue to expand the number of guidelines available for review.

Conclusion

The NIST CSF has been continuously updated since its 2014 draft through collaboration among government, academia, and NIST. Feedback from thousands of workshop participants helps refine the framework.

With input from many experts, the CSF stays relevant and comprehensive in addressing cybersecurity measures. Expect regular, practical updates that keep pace with evolving cybersecurity risks.