Articles

NIST Cybersecurity Framework update comments highlight a gamut of…

Better metrics, implementation guidance, and alignment with other frameworks are high on the list of suggested improvements to the NIST CSF.

In late February, the National Institute of Standards and Technology (NIST) issued a request for information (RFI) to evaluate and enhance its Cybersecurity Framework, or CSF, first produced in 2014 and last updated in 2018. Many developments in the swiftly changing cybersecurity field prompted NIST to revisit its complex and well-received template designed to help organizations best manage cybersecurity risk.

In its RFI, NIST asked a series of questions about how to improve the use of the framework. Among those questions are whether the framework allows for better risk assessments and management of risks, what relevant metrics might be used to measure the framework’s impact, and what challenges organizations face in using the framework. NIST also asked how to better align or integrate the CSF with other NIST resources, such as the NIST Risk Management and Privacy Frameworks. Finally, NIST asked how it could help identify supply chain-related cybersecurity needs and harmonize the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) with the CSF.

This article appeared in CSO Online. To read the rest of the article please visit here.

Image by Pete Linforth from Pixabay

 

Articles

NIST seeks information on updating its Cybersecurity Framework

Security community welcomes the update, but a U.S. GAO report cites slow adoption among government.

As it begins planning to revise its widely praised Cybersecurity Framework (CSF), the National Institute of Standards and Technology (NIST) has requested that interested parties supply comments on how NIST can improve the effectiveness of the CSF and its alignment with other cybersecurity resources. NIST’s last update of the framework, first released in 2014 under an executive order issued by President Obama, was in 2018.

“There is no single issue driving this change,” NIST Chief Cybersecurity Advisor Kevin Stine said in a statement. “This is a planned update to keep the CSF current and ensure that it is aligned with other tools that are commonly used.”

This article appeared in CSO Online. To read the rest of the article please visit here.

 

 

Articles

States enact safe harbor laws against cyberattacks, but demand…

Connecticut might soon follow Ohio and Utah by enacting a law that offers liability protection against ransomware and other cyberattacks, but only if victims follow security best practices.

While sophisticated ransomware and nation-state threat actors target US critical infrastructure, the only protection most organizations have against these attacks is tight and effective cybersecurity. These attacks have drawn government attention and sparked calls for liability protection against malicious intrusions. If organizations want this protection, however, lawmakers say they need to step up their game to implement better cybersecurity practices.

During a Senate Intelligence Committee hearing last month, Chairman Mark Warner (D-VA) said, “While I am very open to some level of liability protection, I’m not interested in a liability protection that excuses the kind of sloppy behavior, for example, that took place in Equifax, where they didn’t even do the basic cyber hygiene.”

“Cyber hygiene” is not enough, as former National Security Council (NSC) cybersecurity director Robert Knake recently wrote. “Basic cybersecurity hygiene, such as strong passwords, multifactor authentication, vulnerability patching, and next-generation antivirus software, is not sufficient against these groups,” Knake wrote. “Instead, organizations should invest in security and operational vigilance, as these actors will take advantage of any mistake that defenders make.”

Against the backdrop of this heightened federal-level focus, a number of states have quietly moved forward with their own liability exemption measures that seek to boost best cybersecurity practices. These states have enacted laws that incentivize the adoption of robust and thorough industry-leading cybersecurity frameworks and recommendations such as the National Institute of Standards and Technology’s Cybersecurity Framework or the Center for Internet Security’s (CIS) Critical Security Controls by making them requirements for obtaining liability protections.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Mackenzie Weber on Unsplash