First NIST update in a decade: What MSPs need to know
Managed service providers (MSPs), chief information security officers (CISOs), and IT professionals have long relied on the National Institute of Standards and Technology (NIST) for roadmaps and best practices in cybersecurity. The NIST framework was first released in 2013. Still, ten years in cybersecurity is the equivalent of a century, so a refresh was needed. According to some experts, that “refresh” came earlier this month and not a minute too soon.
“NIST was getting a little long in the tooth,” expressed Simon George, an independent cybersecurity specialist in Los Angeles. “NIST has largely been the roadmap for critical infrastructure. This month’s upgrade expands NIST’s purview to include all verticals, not just critical ones. With this update, the local grocer or elementary school will find these as valuable as the nuclear plant.”
He also shared, “This update has provided specifics and much more guidance across many more verticals.”
NIST guidance, released in a draft this week, has been expanded and made more holistic. MSPs can still play a role in shaping the final NIST guidance. The draft of the updated NIST was published on August 8, but comments and input from reviewers are welcome through November. You can read the final draft of NIST and submit comments for review here.
Perhaps the most significant change is the addition of a new “pillar” to the NIST mission. NIST had been built around five key components: identify, protect, detect, respond, and recover. Now a sixth, the “govern” function, has been added.
According to NIST, this function “covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial, and other risks as considerations for senior leadership.”
George stated that the latest pillar is an essential addition because it provides a framework for consistency across the board in cybersecurity.
The govern pillar establishes a framework for:
- Establishing and maintaining a cybersecurity risk management framework. “What NIST is trying to do here is ensure that entities are implementing appropriate measures to manage those risks,” said George, adding that all entities – with the help of MSPs – need to establish a continuous process for monitoring and reviewing the effectiveness of the risk management framework.
- Developing and implementing cybersecurity policies, procedures, and processes. “Cybersecurity needs to be part of any organization’s overall risk management strategy, no different than a retailer having processes and procedures to combat shoplifting. Cybersecurity needs to be treated as such a risk, and too many organizations still lag, but the refreshed NIST should help drive the point home,” George explained.
- Measuring and evaluating cybersecurity performance. This includes establishing metrics for measuring cybersecurity performance. “Too many organizations and, frankly, MSPs will put in protocols and protections and feel like they are done, but there needs to be constant evaluation to see how the processes are working,” George reported.
Empowering cybersecurity governance
Experts agree that the “govern” addition is crucial for a holistic cybersecurity strategy.
“It’s a big step; the addition of governance reflects the growing recognition that cybersecurity is a major source of enterprise risk and needs to be managed as such,” George says. He added that the new pillar provides organizations with a roadmap for establishing and maintaining a comprehensive cybersecurity governance program to help them mitigate risks, protect assets, and respond to incidents.
“What I like about it is that it can help organizations to improve their communication about cybersecurity risks and controls,” George asserted, adding that it can also help organizations to measure and evaluate their cybersecurity performance. There is also a growing body of cybersecurity regulations and standards that organizations must comply with, and aligning with the NIST standard makes navigating them easier.
“Overall, the ‘govern’ pillar of the NIST Cybersecurity Framework (CSF) is a valuable tool for organizations looking to improve their cybersecurity posture,” he said.
The NIST update is meant to govern the current cybersecurity environment while remaining flexible enough to evolve with cybersecurity needs in the years ahead.
In a press release, the framework’s lead developer, Cherilyn Pascoe, said the following:
“With this update, we are trying to reflect current usage of the Cybersecurity Framework and to anticipate future usage as well.”
“The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere, from schools and small businesses to local and foreign governments. We want to ensure that it is useful to all sectors, not just those designated as critical.”