Fortifying Digital Defences with NIST

Cybersecurity frameworks
We take an in-depth look at the NIST Cybersecurity Framework, which has recently been updated for the first time since its inception in 2014.

In an era marked by relentless digital transformation, cybersecurity continues to be a critical concern for organisations across all sectors. With the proliferation of cyber threats and the ever-evolving nature of attacks, the need for robust frameworks and initiatives to safeguard digital assets has never been more pronounced. These frameworks, intricate in design and robust in execution, serve as the backbone of an organisation's cybersecurity posture, providing a structured approach to risk management, threat mitigation and incident response.

It is estimated that 50% of enterprises use the National Institute of Standards and Technology Cybersecurity Framework (CSF) standard to map their control systems. NIST has recently introduced an updated version of its CSF, the first since the framework's inception in 2014. Tailored to a diverse array of users across industries and organisational profiles, CSF 2.0, NIST says, “embodies an inclusive approach towards cybersecurity risk management”.

Director of NIST, Laurie Locascio, emphasised the evolution of the CSF beyond its initial scope of critical infrastructure protection, extending its reach to encompass organisations of all sizes and sectors. “The CSF has been a vital tool for many organisations, helping them anticipate and deal with cybersecurity threats,” she said.

“CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customised and used individually or in combination over time as an organisation’s cybersecurity needs change and its capabilities evolve.” 

The CSF 2.0, which supports the implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organisations in any sector. It also has a new focus on governance, which encompasses how organisations make and carry out informed decisions on cybersecurity strategy. The CSF’s governance component emphasises that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation. 

Kevin Stine, Chief of NIST’s Applied Cybersecurity Division, says: “Developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad.”

The history of NIST

Following a presidential Executive Order, NIST first released the CSF in 2014 to help organisations understand, reduce and communicate about cybersecurity risk. The framework’s core is now organised around six key functions: Identify, Protect, Detect, Respond and Recover, along with CSF 2.0’s newly added Govern function. When considered together, these functions provide a comprehensive view of the life cycle for managing cybersecurity risk.

The updated framework anticipates that organisations will come to the CSF with varying needs and degrees of experience implementing cybersecurity tools. 

PwC’s work with NIST

Management consulting company PwC is an advocate for the NIST framework. The company said in a statement: “Many directors are concerned about their effectiveness in overseeing cybersecurity. We believe the NIST Cybersecurity Framework can be a particularly useful tool for boards. The CSF provides guidance on how directors can engage with company leadership around this critical issue.

“Too often, business leaders assume that cybersecurity is only a technology issue. While it’s true that technology is an important component, many other disciplines need to be included. To manage cyber risk effectively, companies need a concerted effort that aligns risk management activities across functional areas: IT, security, risk, operations, legal, compliance, human resources, internal audit, marketing/PR and the executive team. Without this coordination, adverse events may quickly cascade into large-scale disruptions,” the statement concluded. 

SolarWinds aligns with CISA

SolarWinds recently announced that it, too, was an advocate for the NIST framework. The American software corporation submitted its Secure Software Development self-attestation in alignment with the Cybersecurity and Infrastructure Security Agency (CISA) and Office of Management and Budget (OMB) requirements. In submitting its form to the Repository for Software Attestation and Artifacts (RSAA), SolarWinds is the first software provider to publish a CISA self-attestation in alignment with the US government's requirements for all software providers.

SolarWinds has taken a significant step in promoting secure software practices by submitting this attestation that its products are designed with security as a foundational element, in line not only with the NIST Secure Software Development Framework (SSDF) guidelines but also with the framework provided by the Office of Management and Budget's directive (M-22-18). Submitting this attestation also underscores SolarWinds' capability to provide a clear and digitally accessible Software Bill of Materials (SBOM) with detailed insights across all of a digital ecosystem's components and interdependencies.

Tim Brown, Chief Information Security Officer and Vice President of Security at SolarWinds, says: “In order to pioneer secure software development, we understand that security is not just a feature but the very foundation upon which modern digital ecosystems must be built.

“Our alignment with the latest CISA guidelines is a testament to our unwavering dedication to not only protect our global digital infrastructure but to lead by example.”

What is the Secure Software Development Attestation Form?

Endorsed by the White House and released by CISA, the Secure Software Development Attestation Form is part of a comprehensive Department of Homeland Security (DHS) strategy to fortify the software supply chain, promote transparent information-sharing between the public and private sectors, and encourage a proactive community approach to cyber threats to safeguard the nation's digital infrastructure.

Chip Daniels, Vice President of Government Affairs at SolarWinds, adds: “In a landscape where cybersecurity threats are ever-evolving, public-private partnerships remain absolutely paramount for creating a secure and resilient digital infrastructure for our nation.

“By working hand in hand, we can ensure that our cybersecurity measures are not just reactive but proactively designed to anticipate and mitigate threats. This collaboration across sectors is necessary to support CISA, create unified best practices for information-sharing between companies and government agencies, and develop shared threat intelligence for a more resilient and secure supply chain, nation and future.”

Robust frameworks like NIST's Cybersecurity Framework (CSF) and initiatives such as SolarWinds' alignment with CISA guidelines play pivotal roles in fortifying digital defences. These efforts highlight the importance of proactive collaboration, adherence to industry standards and a holistic approach to cybersecurity. As organisations navigate the complexities of the digital age, embracing these principles will be essential in safeguarding digital assets and ensuring a secure and resilient future.

Tim Brown

CISO at SolarWinds

Software 

Austin, Texas, US 

Tim Brown is a chief architect with expertise in security solutions, including vulnerability management, identity management, and cloud security. A proven thought leader, with extensive experience in driving product development, strategy, and partnerships.

Laurie Locascio

Director at NIST

Technology 

Maryland, US

Dr. Laurie Locascio, Under Secretary of Commerce for Standards and Technology and Director of NIST, previously served as Vice President for Research at the University of Maryland. With over three decades at NIST, she's a distinguished fellow of multiple scientific societies and a recent National Academy of Engineering inductee.
