NIST's Cybersecurity Framework v2.0
Sorry for the impending cold water and Devil's Advocate take (AGAIN)
This week, with marginal fanfare, the National Institute of Standards and Technology released the “highly anticipated” Cybersecurity Framework v2.0. Beyond people who spend a lot of time in compliance, I am not certain it was met with the same level of anticipation by the organizations it was designed to serve, assist, or frighten. I hate to always write these posts from a “Devil’s Advocate” perspective, but in reviewing the multitude of links and documents associated with the framework, I truly have some questions (and questions I think SMBs might ask).
Main questions (and I am happy for others to prove me wrong):
How are you supposed to implement this thing? If you refer me to the NIST Risk Management Framework for Information Systems and Organizations (NIST SP 800-37), then expect a TL;DR. And there is little likelihood that SMBs, and other vulnerable organizations, have any way to get through it effectively.
For all the time spent creating this, why not rank the controls by importance? For example, “Start with these 10 or 20, then move to these…” and so on. Give small organizations a simple starting point. Because if they don’t do the simple things, they surely aren’t doing the moderate to difficult ones. It looks like the Organizational Profile Template Draft might do that, but you have to kind of hunt for it.
What are the accompanying costs of satisfying the controls? Is there a hierarchy of costs? This is going to be an organization’s first question.
I think anyone reading this can agree that ALL businesses, regardless of size, should incorporate some methodology to assess their cyber risk and determine their current level of preparedness to deal with a cyber incident. But in looking at this framework, I wonder how organizations classified as SMBs can even begin to undertake the process of implementing it. Shoot, how are large organizations going to implement it?
I am sure many people spent lots of time developing this framework (and someone got a promotion for it), and good on them for doing it. It appears there are still parts of this framework that have not been released, and I hope they include an easy-to-implement, scalable version that SMBs, non-profits, churches, and other small organizations with limited budgets and personnel can use to tailor the framework to their specific needs.
I want to think CSF 2.0 can be a useful tool for companies to use to improve their cybersecurity posture, but like almost all things government-derived, the complexity may outweigh the usability.
As always I long to be corrected on such things.
I agree. NIST should have a shorter version for the SMB. I like the hierarchical recommendation of start with 'these' 10 to mitigate the most common threats.
Also, put it in non-government language.