A Q&A with Matt Barrett, COO of Cyber Engineering Services Incorporated (CyberESI) First introduced in 2014, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) has since become a widely adopted best practice far beyond the U.S. critical-infrastructure audience it was originally written for. To get some perspective on the framework and how it has evolved over the past five years, we talked to Matt Barrett, who was the program manager for the CSF. (Note: Barrett currently serves as COO of Cyber Engineering Services Inc (CyberESI), a cyber risk management firm.)
Like other NIST standards, the CSF was originally intended for U.S. consumption. What kind of reception is it receiving outside of the U.S.? Is it being adopted elsewhere?
It is well utilized outside of the United States. One way to think about this is how many translations have been made and, at last calculation, some 2 billion people around the planet could potentially read it in their native language. Given that, we could say that the framework has truly caught on globally. Back when I worked for NIST, we saw a survey showing that 33 percent of Japanese industry used or referenced the CSF. That’s just one other example of the ways we have seen it grow and how it’s had an impact.
Can you briefly describe the essentials of the CSF? To what extent do the practices contained in each function complement or overlap with each other?
It all comes back to identify, protect, detect, respond and recover. The five words describe the breadth of cyber security. These words are meaningful to cyber security risk managers when talking about enterprise risk, fortifying against bad things happening, understanding whether a bad thing happened and once a bad thing has happened, knowing how to contain, neutralize and minimize any damage so you can get back to normal. Each function has a planning component and there are many interdependencies between them. Let’s say, for instance, you have a ransomware event. How you respond to the circumstance depends on whether you have a data backup which might allow you to recover more quickly.
Large companies often have the staff and resources to fully address all the practices within the CSF, but how should small and medium enterprises (SMEs) approach its implementation?
There are a couple of different ways small to medium enterprises—those organizations that don’t have major cyber security resources or even cyber subject matter experts at their disposal—can go about this. Even if you can’t engage in detail, you can start with the five basic functions and engage with them at a basic level. Another approach is to look at the 109 different cyber security outcomes in the CSF and focus on the ones that are the most important. Cybersecurity risk management is about making those tough but important choices.
Is there an approved “certification authority” for auditing organizational compliance with NIST CSF?
In a word, no. Rather than develop a certification program, NIST has historically taken a stance of supporting industry certifications. There are at least two entities that now offer certifications for a fee and I suspect that trend will continue.
Are organizations obligated by law to achieve NIST CSF compliance, including via derived standards such as New York’s DFS regulation?
Generally speaking, no. The DFS indirectly references the CSF by defining a cybersecurity program as addressing identify, protect, detect, respond, and recover (see Section 500.02). Florida has a state level regulation that points directly to the CSF. US federal agencies are required to use the CSF by Presidential Executive Order. Others use it as a voluntary construct—in Ohio, for example, if a company adopts the CSF and experiences a breach it gives them safe harbor with no negative ramifications in terms of litigation from the state.
Is there any type of version-based “refresh cycle” process to modify/adapt the NIST CSF to include emerging threats or evolving practices?
Absolutely. The CSF was always designed to be a living document and to keep pace with the evolution of both technology and emerging threats. One of the things I worked on at NIST was making the refresh cycle a repeatable process. Once every three years NIST asks the industry stakeholders if they would like an update and if so, what should be in that update. In the latest cycle a key feature requested by stakeholders was better explaining how organizations could use CSF to address supply chain risk management.
What is the cyber insurance industry’s approach in terms of incorporating the NIST CSF into cyber policy underwriting guidelines and approval criteria?
Many times, I see the insurance industry recommending CSF as a best practice. One example is the United Kingdom’s study on the Role of Insurance in Managing and Mitigating the [Cyber Security] Risk. It is also prominently used and recommended for use in countries like Bermuda, where there is a large re-insurance industry. For some insurers, CSF use has a bearing on coverage or premiums. We’re seeing it being recommended more and more and we expect that trend to continue. So our clients can understand how our services support their cybersecurity risk management program and insurance decisions, CyberESI advertises our services using the five functions, and we see that trend in the larger cybersecurity services and product industries.
We want to thank Matt for providing his expert opinions on the CSF. The NIST framework as a “standard of care” is of great interest to the underwriters we support in the cyber risk insurance community. They want to make sure business clients whose operations they insure have a reasonable level of industry-recognized best practices in place as related to the CSF and its five functions—identify, protect, detect, respond and recover. I also appreciate Matt’s thoughts on how small businesses might want to proceed, since SMEs lead the pack in cyber claims and often face some challenges in preventing and mitigating cyber threats.