Half a year ago we looked at the draft NIST Cyber Security Framework for Improving Critical Infrastructure Cybersecurity (CSF), pointing out some puzzling flaws. Now that version 1.0 has been out for two months, we check in a multi-part blog post whether things have improved.

As much as we would have liked to see the Framework succeed, it just didn’t happen. The basic problem with the CSF can be summarized as follows:

The NIST CSF doesn’t provide a method that, if applied correctly, would lead to predictable, measurable, or even consistent effects in cyber security posture.

It doesn’t even intend to be such a method. It provides a conceptual model for how to think and talk about cyber security; a model that intentionally allows for stretching in any direction. Everyone can be compliant with the NIST CSF without making any changes to their cyber security posture, no matter how high or low that may be, simply by adopting the phraseology of the NIST CSF.

Here is why. The basic components of the NIST CSF are:

  1. the Framework Core that lists a total of 98 “subcategories” which basically define cyber security activities and desired outcomes,
  2. the concept of a cyber security Profile that the organization creates by picking those of the subcategories that it deems relevant, and
  3. the concept of four different Implementation Tiers that the organization can choose from, thereby defining the rigor to which implementation is governed.

We’ll look at the Framework Core in detail in a follow-up part of our analysis. At this time let us note that by creating a Profile, the organization deliberately decides which parts of the Core it believes are important and which ones are not. Quote:

“The organization creates a Target Profile that focuses on the assessment of the Framework Categories and Subcategories describing the organization’s desired cybersecurity outcomes.”

For example, if your organization doesn’t believe that a physical system inventory (Framework subcategory ID.AM-1) is important, or believes that it would simply be too costly, it can decide to kick it out of the Profile. In this respect the NIST CSF is quite business-friendly, since it explicitly tells you that business drivers and resources are the guiding principles for creating a Profile. It is not very difficult to predict that one essential parameter for creating a Profile will be the annual cyber security budget. Does the NIST CSF give you a method for calculating what a reasonable budget for your organization would be? The simple answer is no.

The same flexibility is built into the selection of an appropriate Framework Implementation Tier. Again it is left to the organization to decide how rigorously the individually chosen Profile shall be implemented. That decision is assumed to be based on, you guessed it, business needs. Quote:

“Organizations should determine the desired Tier, ensuring that the selected level meets the organizational goals, is feasible to implement, and reduces cybersecurity risk to critical assets and resources to levels acceptable to the organization.”

So if management decides that implementing a high Tier is just not feasible, that’s ok with NIST. We can guess how feasibility will be determined in real life (hint: check your budget plan).

Let’s assume that after creating a Profile and a Tier, no matter how rudimentary and forgiving they may be, you still identify security gaps. No reason for the CFO to panic because identifying gaps doesn’t imply they would need to be fixed. Quote:

“Prioritization of gap mitigation is driven by the organization’s business needs and risk management processes. This risk-based approach enables an organization to gauge resource estimates (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective, prioritized manner.”

In other words, you may live with cyber security gaps if you don’t have the budget to mitigate them and if management thinks there are other business priorities.

Now you may still think an extreme stretch of the Framework wouldn’t work in practice because everything is tied to a risk management process. Unfortunately, the NIST CSF doesn’t provide any suggestions on how to calculate risk but leaves it to the organization to pick their method of choice. But at the end of the day even the specific method chosen doesn’t make a difference because NIST allows any organization to define their specific level of risk tolerance, based on, you guessed right again, business needs.

Let’s sum up the argument of this blog post. Applying the NIST CSF doesn’t lead to predictable, measurable, or even consistent effects in cyber security posture because its central parameters can be tuned by preference without any external reference or justification. The CSF allows anyone to a) pick those cyber security activities they prefer, b) pick the governance rigor they prefer, c) execute gap mitigation by preference, and d) deliberately decide on ways to calculate risk and, more importantly, decide on risk tolerance. In essence this means that every organization can claim compliance with the NIST CSF without any changes to actual cyber security posture.

In the next part of this series we’ll discuss why this is bad news for critical infrastructure cyber security.