The Engine Behind Robust Identity Protection: Leveraging NIST CSF 2.0
The U.S. National Institute of Standards and Technology’s update for the Cybersecurity Framework (the CSF 2.0) is now available. This guidance updates the first CSF and represents years of new experiences in the field of cybersecurity… and identity. Identity management, authentication, and access control are a critical part of the Protect function of the revised framework.
What is the CSF 2.0?
Let’s take a step back and put the CSF into context.
The CSF was initially published in 2014 and was a huge milestone in providing a formal structure for managing the risks that come with operating an organization in a thoroughly digital age. The CSF was updated in 2018, and while it was a minor update, it did change “Access Control” to something broader: “Identity Management, Authentication and Access Control.” Then came 2022, when NIST kicked off the effort to really dig into the framework and develop the CSF 2.0.
Credit: Kristina Rigopoulos; Source https://www.nist.gov/image/csf-20-timeline
The primary audience for the CSF are those individuals responsible for developing and leading cybersecurity programs. That said, the framework is also helpful to anyone in an organization involved in managing risk, be they executives, technology professionals, risk managers, lawyers, human resources specialists, or auditors. Essentially, this is for anyone developing and implementing a cybersecurity program and its associated policies.
This includes identity professionals, as emphasized by the inclusion of identity as a critical aspect of the framework.
The CSF and Identity
The core functions of the CSF 2.0 organize the expected outcomes of a cybersecurity program. They are:
- Govern — The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
- Identify — The organization’s current cybersecurity risks are understood.
- Protect — Safeguards to manage the organization’s cybersecurity risks are used.
- Detect — Possible cybersecurity attacks and compromises are found and analyzed.
- Respond — Actions regarding a detected cybersecurity incident are taken.
- Recover — Assets and operations affected by a cybersecurity incident are restored.
Where does IAM fit in? Squarely in the middle of the framework, under Protect.
A cybersecurity program is not complete unless the organization has a handle on who their users (including non-human accounts and services) are and what they are entitled—and authorized—to do. Validating and proofing those identities is not a one-size-fits-all activity; the level of assurance must be appropriate to the asset being protected. Practitioners should also be mindful of other regulatory, legislative, and business requirements that may affect if, when, and how to carry out identity proofing. Everyone and everything is authenticated, and principles such as least privilege and separation of duties are core to these responsibilities. The framework makes this clear; for guidance on how to make these things happen, NIST provides even more materials to help apply your program to your organization’s operations.
(Want to know more about what one large organization did to apply NIST 800-63-3 Digital Identity Guidelines to their programs? Come see the session “Lessons learned from the world’s largest deployment of NIST high-assurance credentials” with Wes Turbeville (ID.me) and Angela Gartland (IRS) at Identiverse 2024!)
How to Make the CSF Work for You
The phrase “Your Mileage May Vary” applies as well to developing a cybersecurity program as to the engine of your automobile. A large-scale enterprise, for example, has very different considerations from a small-to-medium business. Fortunately, the people at NIST understand that and have developed a wealth of supporting material, including profiles that you can download based on what is likely to apply to your situation.
Ready to learn more? Come to Identiverse 2024, where we will cover topics relevant to applying the CSF 2.0 to your environment! From Identity Infrastructure to Identity Security and Identity Data, there will be a wealth of material for you to learn and take back to your organization.