The Center for Cybersecurity Policy and Law hosted another half-day event during the RSA Conference in San Francisco featuring speakers from the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center for Excellence (NCCoE) to talk about the Cybersecurity, Privacy, and Artificial Intelligence (AI) risk management frameworks.
A packed agenda featured snack sized sessions on each of the frameworks featuring industry implementers of the Cybersecurity Framework (CDF) and AI Risk Management Framework (RMF).
CSF 2.0 Implementer’s Panel
This panel offered insights into organizations that engaged with NIST during the framework update process and are using the framework. Elevating governance to a new, sixth function in CSF 2,0 was uniformly embraced by implementers for a variety of reasons such as supporting leadership and board buy-in and promoting a culture of security and continuous monitoring.
Another common theme from implementers included leveraging the CSF to build trust with vendors and customers. Implementers described how CSF is used internally to evaluate vendor cybersecurity internally. Mapping cybersecurity services to the CSF 2.0 also supports external communication with customers, providing a level of confidence that a popular, internationally recognized framework brings to the table.
Regarding international adoption, the CSF has seen broad support bolstered by ISO recognition – one implementer suggested NIST pursue the same path for CSF 2.0. As with all NIST frameworks, they are law and jurisdiction agnostic, leaving room for organizations or groups of organizations in a sector to develop mappings and profiles that best meet their needs. Many described efforts to map laws, regulations, standards, and controls to the CSF to support interoperability.
Mappings and profiles can foster adoption of CSF 2.0 and have proven useful in the financial sector, in particular, the Cyber Risk Institute’s Financial Services Profile. The discussions around mapping and profiles in the implementer’s panel was a perfect segue to a demo from NIST on how to navigate the new CSF 2.0 resources.
CSF 2.0 Resources Demo
Another big change in CSF 2.0 was removing informative references from the core publication to support more agile updates that can better keep pace with changing technology and standards. In just a few clicks on https://www.nist.gov/informative-references, you can generate the same CSF 2.0 Core alongside those trusty informative references tailored to your specific needs.
Want to view a specific mapping like the 800-53 rev 5 controls? Just select what you want to see and you can download an Excel or JSON file to leverage as you like. A complete list of mappings can be found here. You can also generate a listing of implementation examples – another new feature of the CSF Core – a non-exhaustive list of examples that can help your organization understand the activities to undertake in support of framework outcomes.
Privacy Framework Version 1.1 Update and Development of a “Joint Frameworks Data Governance Profile”
As the saying goes, “when one door closes, another one opens.” The same is true for NIST framework updates! Launched in January of 2020, the NIST Privacy Framework is beginning a minor update process to version 1.1.
One area the Privacy Framework is already all over is governance and was the trendsetter for CSF and the AI RMF in establishing Govern as one of its core functions from the outset. A key consideration in updating the Privacy Framework will be how to reflect CSF 2.0 changes, after all privacy and security certainly have overlapping functions and it will be important especially for organizations that want to leverage both frameworks to be able to do so seamlessly.
On the theme of using NIST frameworks together, the Privacy Engineering Program is also taking on development of a Data Governance Profile that will leverage the Privacy, Cybersecurity, and AI frameworks. Data governance is an issue that spans across many disciplines and privacy professionals are increasingly finding themselves with AI governance responsibilities making this effort timely!
Organizations vary greatly on cybersecurity and privacy program structures and the extent to which such functions are integrated – sometimes they are distinct but well integrated programs, other times they are regrettably siloed. In either case, and there are certainly variations on those two examples, the Privacy Framework can serve as a communications bridge.
My assumption for the event was that the audience would be very familiar with the CSF, but not necessarily the details about the Privacy Framework. This appeared to be the case and was a great opportunity to showcase the Privacy Framework and sparks of interest were indeed ignited! Want to participate in updates to the framework and be a part of developing a Joint Frameworks Data Governance Profile? Visit https://www.nist.gov/privacy-framework/new-projects.
Artificial Intelligence and Risk Assessment Panel
As Ferris Bueller wisely noted, “things move pretty fast, if you don’t stop and look around once in a while, you could miss it.” [Note to readers: I considered asking ChatGPT to adapt this quote for the AI use case but think it’s left best in its natural state.]
It certainly feels like things are moving fast in the AI space, much faster than most organizations can keep up with and with all the buzz around AI, it’s hard not to have FOMO. Our industry speakers shared that they see most organizations playing catchup trying to harness the power of AI while evaluating how to use and think about its use.
As AI has taken over our collective brain space, it’s clear that AI risk management can take lessons from CSF and Privacy Framework. Fortunately, some of the structural groundwork laid by the CSF and the Privacy Framework were easily transferred over to the AI RMF following a similar structure with Functions, Categories and Subcategories, namely, Govern, Map, Manage, and Measure.
Across all three frameworks, governance is a priority area and across all the different disciplines, data governance is one of the most challenging issues facing organizations. As organizations look to adopt generative AI in their organizations they can consult NIST’s Initial Public Draft of Profile for Generative AI which outlines risks presented by generative AI and actions to manage them. The panel’s resounding conclusion was that the robots are NOT coming for us. Rather, concerns are more grounded in the more mundane use of AI going badly.
Putting the Work into the Frameworks
The last session of the day focused on efforts by the NCCoE to further adoption of these frameworks. One project already underway is guidance to support transition to CSF 2.0 and NIST would love input from organizations that have made the transition to include both what worked and what didn’t.
Another area of focus is development of CSF 2.0 “Community Profiles.” Community profiles provide a way for a group of organizations that share a common context and interest in their cybersecurity posture to describe a consensus point of view about cybersecurity risk management. Examples include the CRI Profile for the Financial Sector discussed during the CSF 2.0 Implementers Panel and NIST SP 800—61 Rev. 3 IPD, Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile.
Along with the theme of using frameworks together, NIST expects to publish a Joint Cybersecurity and Privacy Framework Genomic Data Profile. Interested in joining a Community of Interest? Visit http://www.nccoe.nist.gov/get-involved/join-community-interest.
A huge THANK YOU to all our speakers for your thoughtful contributions – we hope you’ll continue to engage with NIST and the Center to further adoption of these frameworks and promote discussion on how to use these frameworks together. Watch this space for more!
#Thanks Alex Botting, Amy Mahn, Katheryn Rosen, Anjelica Dortch, Jordana Siegel, Stephen Quinn, Dylan Gilbert, Heather West, Reva Schwartz, Martin Reiger, Ehrick Aldana, Maria Cardow, Cherilyn Pascoe, Ari Schwartz.
Find the agenda for the event here, the NCCoE presentation here, and the Privacy Framework presentation here.
Read Next
Through the Looking Glass: An Updated Vision for the Office of the National Cyber Director
The ONCD was established to advise the President on cybersecurity and has matured into a key component of cybersecurity policymaking. However, changes are needed to ensure the efficacy of the office, especially as it relates to other agencies.
The U.S. Data Security EO with Lee Licata and Grant Dasher (Part 2)
For the first time in the Distilling Cyber Policy podcast, Alex and Jen are re-joined by guests from earlier this season: Lee Licata, from the Department of Justice, and Grant Dasher, from CISA.
The U.S. and UN Cybercrime Convention: Progress, Concerns, and Uncertain Commitments
The U.S. issued an updated position seeking to move forward the UN Convention Against Cybercrime, a treaty intended to improve the global community’s ability to combat evolving cybercrime threats.