Information Security Matters: Raising Standards

Author: Steven J. Ross, CISA, CDPSE, AFBCI, MBCP
Date Published: 1 November 2024

In my spare time, I read information security standards. (Yeah, I know. I need a better hobby.) In February 2024 the US National Institute of Standards and Technology issued a second version of its Cybersecurity Framework,1 often abbreviated as the CSF. I would like to share my thoughts on CSF 2.0, although I recognize that some might say that this is primarily a matter of American concern. The CSF has become a de facto international standard,2 so non-Americans may be interested as well.3

Reactions to CSF 2.0

My initial reading of CSF 2.0 left me uneasy, for reasons I will get to in a bit. I have kept an eye out for critiques and commentary on the new version. There have been some, most of which deal with the major differences between the old and the new standards. The most obvious of these changes is that the five existing functions4—Identify, Protect, Detect, Respond, and Recover—have been expanded to include Governance.5 A few hail the new CSF as a huge improvement6 over its predecessor. Particular praise has gone to the new emphasis on governance, supply chains, and its applicability to smaller enterprises.7

Comparing the Versions

[Figure 1: Subcategory Comparison Examples]

Praise for the new version is overwhelming, but I have yet to see a line-by-line comparison of versions 1.1 and 2.0. Ever undaunted, I have given it a try. (Actually, no one wants to read a line-by-line comparison, so I will just summarize my analysis here.)

Version 2.0 contains a total of 107 subcategories, the to-dos of cybersecurity. The previous version had 105 of them, so the degree of detail is roughly equivalent. The way that the subcategories are stated is subtly different. A few representative examples may suffice to illustrate the revised wording (figure 1).

To me, these are distinctions without differences.

Much has been made about deeming governance as a function in itself. I certainly agree with this conceptually, though it is not as though governance was excluded from version 1.1. It was previously included as a category in the Identify function and had four subcategories. The new version has six categories with 31 subcategories, the most subcategories of all the six functions. To me, the implication is that governance, driven at organizations’ executive level, is the driver for cybersecurity, a significant reorientation in itself.

The Mysterious Case of the Missing Subcategories

Surely governance is important, but does it justify nearly 30% of a framework for cybersecurity? And if the Governance subcategories have increased from 4 to 31, while there are only two more total subcategories, something must have been left out somewhere else. A quick count shows where the number of subcategories has been reduced. There are seven fewer in Identify; 17 fewer in Protect; seven fewer in Detect; the same number in Respond and two more in Recover.

Some of the reductions are accounted for by shifting certain subcategories to other categories. For instance, the statement that “Adequate capacity to ensure availability is maintained” was previously addressed under Data Security (PR.DS) and now appears as “Adequate resource capacity to ensure availability is maintained” under the category Technology Infrastructure Resilience (PR.IR). However, this transfer of categories does not explain the missing subcategories.

There is a clue to the absence in the numbering of the subcategories. The subcategories regarding Data Security (PR.DS) are numbered 1, 2, 10, and 11 in the new version.8 In the old one, the numbers were sequential, 1 through 8. In all, two subcategories were retained in the new version; two subcategories in the old version were transferred to other categories in the new one; one was transferred into PR.DS in the new version; and four were dropped altogether.9 The same pattern can be found in the categories of Continuous Monitoring (DE.CM), Adverse Event Analysis (DE.AE), Incident Analysis (RS.AN), and Incident Response Reporting and Communication (RS.CO).

These are not peripheral concerns in cybersecurity. The requirements (for that is what the subcategories are10) that have been dropped are, to me, rather important. They address the management of assets, data leakage, the separation of production environments from those for development and testing, and integrity-checking mechanisms for hardware. The added subcategory calls for confidentiality, integrity, and availability of data-in-use.

The Rationale for Change

What troubles me more than the additions, deletions, and transfers is that there is no explanation as to why these changes have been made. Beyond the specific modifications in CSF 2.0, there is no rationale offered for a wholesale rewrite of the CSF, as opposed to incremental enhancements. All we are left with is the “I’m your father, that’s why” school of logic. To my way of thinking, that is not good enough for a document that for many security practitioners has become the basis for their entire cybersecurity programs.

I recommend that information security professionals repeat the analysis I have made, stultifying as it may be. That way they can keep the best of CSF 1.1 in addition to the enhancements made in CSF 2.0. Doing so will require considerable realignment of cybersecurity programs in many organizations. That is because, as stated in the section on Improving Risk Management Communication, CSF 2.0 envisions a hierarchy of executives, managers, and practitioners not stated in the previous version. To me, that hierarchy in relation to cybersecurity is so radical that it deserves further analysis by itself.

Endnotes

1 National Institute of Standards and Technology (NIST), “The NIST Cybersecurity Framework (CSF) 2.0,” 26 February 2024
2 NIST has published a list of so-called “success stories” regarding the previous version, CSF 1.1. Many of these statements are from non-US organizations. An individual from a Japanese organization is quoted as saying that “the NIST Cybersecurity Framework is globally applied.” NIST, “Success Stories,” 12 April 2018; NIST, “Success Story: Japanese Cross-Sector Forum,” 15 October 2018
3 Please let us not belabor whether the CSF is a framework rather than a standard. For one thing, a document from an organization that is an institute for standards can be considered a standard. And more importantly, in my experience with information security functions in the USA and around the world, many organizations are using the CSF as a standard to build and audit their cybersecurity programs. One security vendor states it succinctly: “The NIST Cybersecurity Framework (NIST CSF) is widely considered to be the gold-standard for building a cybersecurity program.” Balbix, “What is the NIST Cybersecurity Framework?”
4 I will use NIST’s taxonomy here, although I must say that many people I know ignore it and simply use their own terminology. The “core” of the framework contains “functions,” which in turn contain “categories” and “subcategories,” the latter of which actually tell practitioners what to do.
5 Strand, C.; “Examining NIST CSF 2.0: Everything You Need to Know,” Security Scorecard, 4 April 2024
6 One example among many: Mello, J.; “NIST CSF 2.0: Better Risk Management for the New Era of Supply Chain Security,” ReversingLabs, 6 March 2024
7 Kovacs, E.; “Industry Reactions to NIST Cybersecurity Framework 2.0: Feedback Friday,” Security Week, 4 March 2024
8 For any sticklers who may be reading this, the actual numbering is PR.DS-01, PR.DS-02, PR.DS-10, and PR.DS-11.
9 If anyone has gotten to the end of this sentence and still has the stamina to read a footnote, he or she will understand why I say that no one wants to read a line-by-line comparison.
10 NIST disclaims my interpretation. Though the Institute states that the CSF is not prescriptive it surely knows that many practitioners are using it that way.

STEVEN J. ROSS | CISA, CDPSE, AFBCI, MBCP

Is executive principal of Risk Masters International LLC. He has been writing one of the Journal’s most popular columns since 1998. Ross was inducted into the ISACA® Hall of Fame in 2022. He can be reached at stross@riskmastersintl.com.