OTHER ASPECTS OF THE FRAMEWORK DOCUMENT
Although the Core, Tiers, and Profiles are the most critical parts of the Framework, the document released in February 2014 and updated in 2018 also contains other useful pieces of information, including tips on using the Framework and advice on communicating the importance of the Framework to stakeholders.
RECENT DEVELOPMENTS AT NIST
In response to a series of damaging and high-profile cyberattacks involving Chinese state-sponsored threat actors and Russian ransomware operators, President Joe Biden released a wide-ranging and ambitious executive order (EO) on May 12, 2021, the President’s Executive Order (EO) on “Improving the Nation’s Cybersecurity (14028). The EO assigns NIST several complex tasks that reshape U.S. cybersecurity policy and requirements. They also elevate the foundational importance of the NIST cybersecurity framework’s core functions of identifying, protecting, detecting, responding, and recovering. (See https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity).
As of this book’s publication date, many of these NIST mandates are still in process. In addition, it’s important to note that any requirements coming out of the EO apply only to federal government agencies and their contractors. But, under the theory that most of the world’s leading tech companies are also major suppliers to the federal government, it’s likely that the EO and the NIST requirements would ultimately have spill-over effects for private sector organizations.
The NIST assignments in the EO include:
Developing guidance to help agencies achieve “zero-trust” architecture. Zero-trust is the latest trend in cybersecurity that “eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses,” according to the EO.
Defining what constitutes “critical software” and publishing guidance outlining security measures for critical software. These intricate tasks aim to prevent the infiltration of malware into widely used and essential software.
Developing guidelines that result in minimum standards for vendors’ testing of their software source code. These guidelines aim to put into place processes to ensure that software is sufficiently safe and secure.
Publishing guidance that identifies practices to enhance software supply chain security. This guidance aims to foreclose, to the extent feasible, malicious software from third parties from sneaking into the various subcomponents that make up modern software.
Initiating labeling programs related to the Internet of Things (IoT) and software to inform consumers about the security of their products. This task aims to provide consumers with a ratings scale that helps them better understand the security level of their hardware IoT devices and software.
The Cybersecurity Framework is a critical reference document for organizations to consult in the NIST tasks completed or underway. In particular, all the software security measures count the Framework as an informative reference.
Notes
1 1Executive Order No. 13636 – Improving Critical Infrastructure Cybersecurity, February 12, 2013, at https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
2 2NIST Cybersecurity Framework, https://www.nist.gov/cyberframework/framework.
3 3Cybersecurity and Infrastructure Security Agency, Critical Infrastructure Sectors, https://www.cisa.gov/critical-infrastructure-sectors.
4 4Cybersecurity Framework 1.1 https://www.nist.gov/cyberframework/framework.
5 5NIST Framework, p. 5.
6 6See https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf Appendix A.
7 7NIST Framework p. 11.
Конец ознакомительного фрагмента.
Текст предоставлен ООО «ЛитРес».
Прочитайте эту книгу целиком, купив полную легальную версию на ЛитРес.
Безопасно оплатить книгу можно банковской картой Visa, MasterCard, Maestro, со счета мобильного телефона, с платежного терминала, в салоне МТС или Связной, через PayPal, WebMoney, Яндекс.Деньги, QIWI Кошелек, бонусными картами или другим удобным Вам способом.