The journey to NIST Cybersecurity Framework (CSF) 2.0 kicked off recently with a workshop.
The framework, first published in 2014, is widely accepted as the foundation for cybersecurity and technology programs. Quite a bit has changed in the nine years since, including a global pandemic, yet it is not surprising that the CSF has endured. NIST has been seeking feedback on the use of and improvements to its cybersecurity resources through the Request for Information (RFI) on “Evaluating and Improving NIST Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk Management.” In this RFI, NIST asked about evaluating and improving the NIST Cybersecurity Framework (CSF or Framework), using the Framework in conjunction with other resources, and improving supply chain cybersecurity risk management.
Cherilyn Pascoe is Senior Technology Policy Advisor at the National Institute of Standards and Technology (NIST), U.S. Department of Commerce. She advises NIST leadership on technology policy strategy, including cybersecurity and privacy. Adjudication of the comments will continue over the next several months, but in the near term, NIST has released a summary analysis document that will guide our work. You can check out the analysis on the CSF website.
Why, you ask, is the NIST Framework important to supply chain risk management, building a compliant risk management framework (RMF), integrating IT and operational technology (OT), securing industrial control systems (ICS), and establishing Zero Trust? While each objective is different, they are also interconnected. The cybersecurity efforts of government and industry both have DISA Security Technical Implementation Guides (STIGs) at their roots. Other mandated cybersecurity programs—from CMMC to CIS—are based on STIG controls for establishing and maintaining a secure baseline. STIGs are like a roadmap of where and how to spot vulnerabilities, and then how to fix them.
Many organizations subject to government mandates have already addressed these issues and are conducting ongoing maintenance, but many others still need to start. Should you be panicking with deadlines looming, like the December 2024 deadline for Zero Trust? Are you beginning too late?
So many solutions, yet so much complexity.
With all the solutions out there, you would think cybersecurity compliance would be simple. The NIST Cybersecurity Framework (CSF) “is the de facto standard for all organizations to build and evaluate their cybersecurity programs,” says Eric Goldstein, executive assistant director at CISA. “The Common Baseline extends the CSF by identifying the most impactful controls across both IT and OT systems and describes both the scope and measurements for those controls so that it is easier for asset owners to implement and attest to their security posture.”
Yet Gary Pentecost, U.S. Public Sector Chief Technology Officer at Citrix, observes, “The problem isn’t that they can’t find solutions to make it all work. The problem is that those solutions often add to the complexity. Every other vendor out there has a very specific point solution, and that solution does a great job at fixing a problem. But the problem is, nobody’s looking at the whole picture.”
In addition, we depend on ICS and OT for critical services—bringing power to our homes, supplying clean water to drink, and providing essential services for our livelihoods—but the focus on securing those systems is still taking a back seat to traditional IT security. So how do we get beyond this?
One solution means greater simplicity.
SteelCloud’s ConfigOS was purpose-built to address cybersecurity challenges by scanning for, remediating, and reporting vulnerabilities. In just an hour with ConfigOS, you can establish a secure baseline using STIG, CIS, or other controls.
Integrated automation solutions are imperative moving forward as workforce shortages, time crunches, competition, and the challenges of cybersecurity become more complex. Here are some issues that automating with a product such as ConfigOS can solve:
- During your lunch break, an automation solution like SteelCloud’s ConfigOS can identify and manage vulnerabilities—a task that would take days if done manually.
- Each instance of ConfigOS can scan up to 15,000 endpoints and remediate up to 5,000 endpoints—per hour!
- Daily tasks. Automate as much as you can, like patching. Automate the things that hit you every day at a moment’s notice. Then look at overall risk and maturity.
- Risk and cyber management. With so many employees working remotely, the importance of secure network access control (NAC) has never been higher. If you automate, you can provide better dashboards and more information, bring teams together, and reorganize around the new capabilities.
- Reporting is a critical (and cumbersome) component of your cybersecurity efforts. It requires continual scanning and remediation of your system, and careful documentation of your actions.
- Monitoring and maintaining. Gain the insights and intelligence you need to stave off compliance drift and maintain your secure baseline effortlessly.
Standardize, automate, and protect your sensitive data.
IT is complex. We ask it to solve many different problems, and the goal is to achieve scale not only in managing IT but also in securing it. Standards make that possible. So why should every individual organization reinvent the wheel when 80-90% of security configurations are identical? Why continue to duplicate efforts when your time and staff are spread thin?
When based on standards, IT security and management are more scalable, more accessible, and quicker. Automating cybersecurity tasks to meet STIG, CIS, or CMMC standards will be the most significant change you make this year. Schedule a demo of ConfigOS and get a complete solution for auditing and scanning, enterprise-wide remediation and compliance reporting, and interfaces to other technologies.