
Blog | AUG 30, 2023

Strengthening the Shield: Unraveling the Changes in NIST Cybersecurity Framework 2.0

NIST, Cyber Security

The cyber security landscape is changing rapidly, and so are the cyber security frameworks that give organizations guidance on how to protect against cyber threats. On the 8th of August a new public draft of the popular “NIST Cybersecurity Framework 2.0” was published. This post gives an overview of the changes made in the draft of the second version.

Nearly a decade ago the first version of this framework was published. Since 2014 the document has been downloaded over 2 million times by users in 185 countries and has provided guidance for thousands of organizations on how to manage their cyber security posture.

What has changed?

The draft for NIST Cybersecurity Framework 2.0 contains a number of changes. Let’s begin with the general ones before diving into the technical adaptations:

  • The framework now explicitly covers cybersecurity for all enterprises, regardless of size or type, in addition to safeguarding critical infrastructure like hospitals and power plants. The official name of the CSF has changed from the more constrictive "Framework for Improving Critical Infrastructure Cybersecurity" to "The Cybersecurity Framework," which reflects this distinction.

  • Up until this point, the CSF has used the five core pillars of identify, protect, detect, respond, and recover to explain the foundational elements of a successful and comprehensive cybersecurity program. The govern function, which describes how an organization can make and carry out its own internal decisions to support its cybersecurity strategy, has recently been added as a sixth by NIST. It stresses that cybersecurity, along with legal, financial, and other hazards, is a significant source of enterprise risk that senior leadership should take into account.

  • The draft offers enhanced and expanded implementation recommendations, particularly for developing profiles that tailor the CSF to given circumstances. The cybersecurity community has asked for aid in implementing it for particular business sectors and use cases where profiles would be useful. Importantly, to assist organizations in using the framework effectively, the draft now contains implementation examples for each function's subcategory.

From a technical perspective it’s very interesting to see in which areas NIST has adapted the framework. Data integrity in particular clearly gets much more attention.

Data Security

Compared to the first version of the NIST Cyber Security Framework, the requirement covering data protection has changed. The previous requirement “PR.DS-5: Protections against data leaks are implemented” has been extended to “PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected (formerly PR.DS-05)”.

Why is this relevant?

In 2018, when the first version was published, the main concern was that data would get leaked, meaning that the confidentiality of data would be compromised. Now data is exposed to new threats that affect its availability (e.g. ransomware attacks) and integrity (e.g. false data injection or data tampering attacks) as well. In the new version of the Cyber Security Framework, NIST has recognized that change and adapted the framework accordingly.

Incident Analysis

To support proper incident analysis, NIST has put more focus on the topic of data integrity and provenance. In the new Cyber Security Framework the following two requirements have been added: “RS.AN-06: Actions performed during an investigation are recorded and the records’ integrity and provenance are preserved (formerly part of RS.AN-03)” and “RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved”.

Why is this relevant?

Recently the number of cyber attacks that involved log data tampering or log deletion has increased tremendously. Some of the most famous incidents, such as the Colonial Pipeline Ransomware Attack or the SolarWinds Supply Chain Attack, have shown that log files are very much a target cyber criminals like to tamper with. Hence, NIST has put a strong focus on data integrity and provenance during incident analysis.

Incident Recovery Plan Execution

The topic of incident recovery has been largely extended in the new version of the Cyber Security Framework. Previously, it was described with the single requirement “RC.RP-1: Recovery plan is executed during or after a cybersecurity incident”. Within the new version the incident recovery plan execution includes six requirements, and two of those directly address data integrity: “RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration” and “RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed”.

Why is this relevant?

It is essential for organizations to have a holistic view of what has been compromised during a cyber incident. At the latest, before restoring any asset (e.g. data in backups), it is critical to ensure that the integrity of those assets has not been compromised. Going back into operations without detecting corrupted data can have fatal consequences. If you want to learn more about how Tributech can be combined with backup solutions, this blog post is for you: Safeguarding Data Integrity | Tributech

Conclusion

In conclusion, the dynamic landscape of cybersecurity is reflected in the ever-evolving frameworks designed to fortify organizational defenses against cyber threats. The emergence of the NIST Cybersecurity Framework 2.0, marked by its recent public draft release, signifies a crucial shift in addressing the multifaceted challenges posed by modern cyber risks. Notably, the framework's meticulous attention to incident analysis and recovery underscores the criticality of maintaining data integrity in the face of rising incidents involving log manipulation. As organizations grapple with the complexities of incident recovery, the expanded requirements pertaining to data integrity underscore the imperative of ensuring the sanctity of restoration processes. NIST Cybersecurity Framework 2.0 stands as a beacon of resilience and adaptability, guiding organizations toward a holistic and robust cybersecurity approach that recognizes the evolving dimensions of cyber threats and the paramount significance of data integrity in safeguarding digital landscapes.
