MCP Insights by Mission Critical Partners

Updated NIST Cybersecurity Framework Places Greater Emphasis on Governance

Written by Jason Franks | March 25, 2024

The Cybersecurity Framework (CSF), first published in 2014 by the National Institute of Standards and Technology (NIST), has proved quite valuable. Version 1.1 organized its Core around five easily understood Functions: Identify, Protect, Detect, Respond, and Recover. Version 2.0 adds a sixth: Govern.

Governance was not absent from earlier versions: in Version 1.1 it appeared as a Category under the Identify Function (Governance, ID.GV), and governance considerations ran through the other Functions as well. NIST decided it needed greater emphasis, so Version 2.0, released on February 26, 2024, elevates it to a standalone Function (Govern) that informs how the other five are implemented. NIST wants governance to be more visible because it often is lacking in organizations’ cybersecurity programs, which is also what we see among our clients. Truth be told, governance usually is the most overlooked aspect of cybersecurity.

Governance largely entails the policies and procedures needed to achieve a strong cybersecurity posture. It should reflect senior management’s risk-management strategy and risk appetite, identify the key cybersecurity roles and responsibilities within the organization, and include a plan for responding to cyberattacks when they occur.

The incident-response plan is not a “check-the-box” exercise. Even when organizations develop one, it often is placed on a shelf, never to be opened again. This is a mistake. An incident-response plan should be reviewed and exercised at least annually, and semiannually is better. It should also be revised after any incident to capture what was learned from the event. Unfortunately, organizations often lack the resources and expertise to appreciate how crucial after-action reviews are. (In those cases, a third-party consulting firm like MCP can be of great service.)

Another often-overlooked aspect of risk management is supply-chain risk, and overlooking it is also a mistake. A lot can go wrong if suppliers operate unchecked or are not vetted properly. Here is an example: your organization orders new servers. Are they delivered directly from a well-known, reputable manufacturer such as Cisco or Dell, or through a third-party reseller? If the latter, and the hardware passed through parties you cannot vouch for before it reached you, it could arrive with tampered firmware or preinstalled malware, and you won’t know until it is too late. Procurement rules that name authorized channels, tamper-evident packaging, and firmware verification on receipt are the practical checks that close this gap.

The following are additional supply-chain management questions that every organization should be asking to enhance its cybersecurity posture:

  • Do you know the cybersecurity posture of each supplier and vendor with which your organization interacts?
  • Are supplier/vendor activities within the facility closely monitored? For example, vendor personnel may leave network ports or remote-access services open after routine maintenance, giving attackers an easy path into the organization’s networks and systems. Once inside, they can move undetected for months, looking for vulnerabilities to exploit and valuable data to steal.
  • Do you have controls that ensure individual accountability by tying each authenticated login uniquely to a specific person, vendor personnel included, and prohibiting shared or group accounts?
  • Are access controls in place that limit supplier/vendor personnel access to equipment rooms? If supplier/vendor personnel are allowed to enter equipment rooms, are they escorted? Is a video-surveillance system in place?
  • Is supplier/vendor access to networks and systems restricted, or are vendor personnel allowed to roam freely?
    • A corollary is the principle of least privilege: each user, whether an employee or a vendor, is granted access only to the specific networks, systems, applications, and data needed to perform their role, and that access is removed when the role or engagement ends.

As outlined in the updated NIST framework, governance is vitally important to cybersecurity. It is also challenging to achieve, especially when resources and expertise are limited. Our team of cybersecurity experts would be glad to help you navigate the challenges; please reach out.

Jason Franks is an MCP cybersecurity specialist. Email him at JasonFranks@MissionCriticalPartners.com.