Root Causes 374: NIST Cyber Security Framework 2 Released

Tim Callan

Okay, so there was a fairly big announcement, which was on February 26, 2024. Not very long ago. NIST, the National Institute for Standards and Technology introduced the NIST cybersecurity framework - CSF version 2.0.

Jason Soroko

Yeah. That's big. That's big.

Tim Callan

That's big. It actually is big. It's 32 pages long and it's packed. It's full of information. So it, in fact, is quite big but go on.

Jason Soroko

So, Tim, there is a lot here and I think that it might be just a little bit too much for any one person to kind of take in as a document. And here's the reason why.

Yes, it is trying to be all things to all people, you know, in a way, right? Cybersecurity framework but I've never seen NIST do such a good job at saying, hey, if you're a small, medium-sized business, if you are big enterprise, if you are, you know, critical infrastructure or whatever, here's the way of looking at CSF 2.0. And that used to be done kind of a little bit more piecemeal. They used to put out the big, humongous chunky guidance and then you had to figure it out for yourself and then they come out with guides saying, oh, by the way, here's how to interpret this gigantic thing. And I think they realized that they needed to make it a lot better to be consumable. And I don't see enough people talking about that being, you know, it's just there was obviously an enormous amount of work done to make it easier to consume and I congratulate them for doing that.

But Tim, I think this is probably going to be a series of podcasts. I don’t know. Maybe two, three more. And if you guys know anything about the Cybersecurity Framework, and how it's been used in the past, you've heard words like, govern, identify, protect, detect, respond, recover. Right?

Tim Callan

Yeah.

Jason Soroko

There have been versions of this in the past, and I think govern is a new one and that's really good, Tim, because governance and PKI go together like peanut butter and jelly, right?

Tim Callan

Yeah.

Jason Soroko

But the one area I want to call out here is under protect there's a category identifier pr.aa and I'll read it out to you. It's identity management, authentication and access control. And that first term, Tim, identity management, oh boy, is that ever nice. And what you're going to see is look good old NIST, whenever you're reading these things people quite often are looking for description. They're looking for, well, which PKI vendor should I buy from? Well, NIST is never going to tell you that.

Tim Callan

Right.

Jason Soroko

Okay. So don't look for it. But what you are going to find are things such as, Tim, you and I have talked about the pillars of CLM as an example. And believe it or not, there are many terms used by NIST in this first section, pr.aa, under protect. Under identity management, where they speak very similar language to what you and I have done. So Tim, isn't it wonderful just absolutely, just finally, Cybersecurity Framework 2.0 and so many of the identity management concepts that you and I talked about on this podcast, are now no longer afterthoughts. They are first class citizens in Cybersecurity Framework 2.0.

Tim Callan

Which is great. And this is - - and I don't mean this as a dig at NIST at all because for a framework like this, of necessity, it can't be really on the cutting edge. Right? But I think these are ideas that, what do I want to say, not even early adopters at this point, but early adopters, and now kind of the mainstream of IT security professionals recognize are best practices, and you see a document like this is going to take those things that have become well understood and codify them and that'll help people on the left end of the adoption curve, right? Who aren't necessarily going to be early adopters and are going to be a little later to the party and this kind of framework can be really helpful in bringing them along to a much more secure state than they're in now.

Jason Soroko

Absolutely, Tim. So, you know, just right off the top right, this whole idea of binding identities and the credentials associated with those identities to authorize user services hardware that are managed by organization and then the part two of this is, identities are proofed and bound to credentials based on the context of interactions. Oh my goodness. Like, it seems almost overly simplistic to say. You might think, well, that must have always been there like that. No. No. Not quite like that. And so isn't it just great that - - I'm just kind of happy. And I think that this is what the subsequent podcasts are going to be about is, let's call out the goodness within this framework and map it, Tim. I'd like to map it to the hundreds of podcasts we've done where we've talked about certificate lifecycle management and where this applies. Because what this is, Tim, is just a gigantic validation of the stuff you and I have talked about for years.

Tim Callan

Yeah. Yeah. I think that's a great idea. There is just so much in here. It's pages and pages. I was gonna ask, who do you think reads and adopts, or let’s say changes their decisions based on this framework? Who do you think the audience member is for this framework?

Jason Soroko

Tim, remember how you and I have talked about White House Executive Orders?

Tim Callan

Yeah.

Jason Soroko

We've talked about legislation that's been written by the American gov - - by the US government. I think that right there a lot of that legislation, a lot of that, a lot of what those laws are pointing to you, you know, should or must do X, Y, or Zed. The codifying of the security controls is not in the legislation. It is pointing to this guidance. And that's why this guidance came out. It's because this was promised to the US government a while back. And so that's number one. That's the answer to number one. If you are bound by those rules and regulations, this is the guidance you are now bound by.

So that's important. So you're probably a government department and you are architecting your security architecture, you're now going to be bound by this. I would say there's other areas that the US government has called on, such as critical infrastructure. Critical infrastructure will be bound to some of this, right, because they are legislated. They are regulated. So that's, you know, it's all the legislative and regulated parts of industry that have to answer to the US government.

Tim Callan

And then, of course, the downstream effect of that, right, as huge quantities. Like as the single biggest purchasing pool of IoT solutions in the world is bound by these requirements, that winds up being a motivator for the rest of industry. Right? Now vendors want to make sure they're meeting these requirements. They want to make sure they're communicating how they meet these requirements. You can have third party industry that helps with implementation of said things that meet these requirements. You can get training and education around that. It can change the way degree programs work. All of that stuff comes out of the fact just the fact that such a massive pool of technology consumers, I mean, enterprise level technology consumers are going to follow what's codified in this document.

Jason Soroko

That's exactly it. Exactly right. There's the obvious people who are bound by regulation, and then there is the gigantic, gigantic secondary market to that, who feeds into it.

Tim Callan

Yeah.

Jason Soroko

And people aren't going to build things twice or differently. They're going to build it once. And therefore there will be a global effect to these things, right?

Tim Callan

Absolutely.

Jason Soroko

And so therefore, I think it's not just people who are architecting their defenses in an enterprise, it's also going to be vendors who are now - - vendors are going to want to do one or two things. Either you were already dead center in one of these areas, such as the industry we work in Tim, right? Or you're, maybe you're an entrepreneur and you're saying, geez, here's a gap. I think there's something in CSF 2.0 that's not being well addressed by industry. I'm gonna go address it. That might be something and then you're gonna see also some vendors, probably legacy vendors, who are dealing with a security control that's no longer at the forefront of CSF 2.0 and say, you know, maybe we should shift over into being a bit more aligned. So therefore, we can point to being CSF related and I think you'll see some of that too.

Tim Callan

And then you also see that then there's also the thought leadership aspect of this right, which is, you and I are talking about it. And we're not government regulated, right. And the listeners right now are hearing about it and they're not government related and some subset of them will go look up the document themselves and look at it and it will influence their thinking and that sort of thing is going to happen broadly, again, as you said, around the globe.

Jason Soroko

Tim, I think that in terms of thought leadership, one of the next podcasts we will do on this topic and maybe let's take a note and let's do it, which is how CLM maps to CSF 2.0?

Tim Callan

Oh, that’s interesting. Yeah, let's do that. That is quite interesting.

Jason Soroko

So keep your eyes out for that one, folks. And Tim and I will be working on it because this is one of the big points we want to make here.

Tim Callan

So this is very findable. Just search for NIST CSF 2.0 and you'll get results that are right up near the top. There's a website, but it's harder to read and interpret than just doing a Google search. So do a search for that. You can find this framework. Have a look at it. There's a lot there. There's a lot to dig into but it's free for anybody to read and download.

Jason Soroko

There's a graphic Tim that's used on the front page, which I find very interesting. I just wanted to end the podcast with this.

So they have - - it says big circle. In the middle of circle is NIST Cybersecurity Framework. Around that is as a circle, and that circle is labeled as govern and then all of the other ones that I just mentioned - identify, protect, detect, respond, recover - are individual portions of a circle around govern. And I find that fascinating and I'll tell you why.

Tim Callan

Yeah.

Jason Soroko

Whenever you and I talk about the pillars of CLM, you and I talk about visibility as a horizontal pillar within CLM. NIST is now saying govern, right, governance, is a horizontal concept across CSF 2.0. And I have a very strong opinion about this. Tell me what you think. Governance and visibility are almost - - they're almost the same thing, in the sense that governance cannot be done without visibility.

Tim Callan

Yeah. Governance is like visibility with some intention thrown it.

Jason Soroko

There it is. Love that definition, Tim. And so isn't it interesting that our own pillars of CLM are very much like the way that NIST is organizing the CSF. And I would say that, maybe we're reaching here. Maybe I'm reaching, but it's like, no. I think they're thinking and the thinking of the CLM industry are now aligning, and it may be by accident. Maybe they're looking at us, but I just can't say enough about I love how this is validating what we've done.

Tim Callan

Yeah. Yeah. And it certainly is interesting the special place that govern has been given in this graphic, right?

Jason Soroko

It’s a very special place and if you ignore that - - it's like, okay, if you took one thing away from this podcast, what's different in CSF, 2.0? Wow! Govern and governance take center stage. And that's probably a really good thing.

Tim Callan

Yeah. That's a really good thing. And then what you and I, of course, immediately focused in on, which is the identity part, you really can't govern without that. Like, you couldn't have governance as a central part of this framework without dealing with identity. It doesn’t work.

Jason Soroko

It doesn’t work. It doesn't work. So therefore, that's why identity becomes front and center of CSF 2.0 and here is part of the guidance that I'm going to leak out right now. And that is this. Because governance is so important, you’ve dealt with IT, folks, Tim, and governance is sometimes part of IT decision making. Sometimes it's part of the architectural decision making. And in reality, quite often it's not. It's just an afterthought. It's a thorn in the side of these people after the fact and what NIST is saying here in CSF 2.0 is no - these people have to work shoulder to shoulder and these very technical IT people or architectural people - - In other words, the very technical people, need to grow skills to be able to communicate properly with the governance people. I don't think I've ever heard that yet from NIST, but now we have.

Tim Callan

That's interesting. That's a future conversation as well. We should talk about those skills.

Jason Soroko

I think that's a podcast three on this topic. So let's do it.

Tim Callan

Cool. All right. Thank you very much, Jason. Interesting document. And again, readers, if you are interested in this, it’s easy to get. Go give it a read. The NIST Cybersecurity Framework. CSF 2.0. Thank you very much, Jason.

Jason Soroko

Thank you.

Tim Callan

This has been Root Causes.