
Evaluating the NIST 2.0 Framework

Betuel Gag

Abstract

On the 8th of August 2023, NIST (the National Institute of Standards and Technology) released the public draft of the Cybersecurity Framework 2.0. The NIST draft publication indicates the impact of CMMC 2.0 regulations on US public and private institutions and beyond.

We inspect the changes, costs, benefits and steps to compliance based on the NIST Cybersecurity Framework 2.0 updates from an academic perspective, aimed at universities, research labs, public and private institutions, and similar profit and non-profit organizations.

Overview

The initial NIST Cybersecurity Framework (CSF) was released in 2014, addressing the IT, ICT, IoT, and OT fields within the industry, government, academia, and non-profit entities.

NIST publicly renamed the scope of the CSF 2.0 publication as "Improving Critical Infrastructure Cybersecurity", an indicator that the current changes are far more drastic than those of the previous five years.

The changes are in the framework's components: the Core, Implementation Tiers, and Profiles. The Core's functions are updated in the NIST CSF 2.0 framework: Govern, Identify, Protect, Detect, Respond, and Recover.

Academic Changes

Academic environments face many changes, due to the historical lack of awareness and unhealthy compliance practices dating back to 2014.

Until now, institutions effortlessly performed self-assessments and declared their systems compliant, since the assessment was internal and based solely on human trust.

However, this practice will cease on the 4th of November 2023, when the NIST CSF 2.0 feedback period closes. As a result, NIST 2.0 regulations will be actively applied, requiring all institutions to adopt external audits of their cybersecurity systems performed by C3PAOs (CMMC Third Party Assessor Organizations) with no connection, contract or relationship with the institution. Assessments will be purely objective, with enforced consequences. Any attempt to influence compliance for institutional gain will carry penalties of a minimum of $200,000 per violation and 20 years in prison per violation for the individuals in charge of the cybersecurity and R&D departments.

Cost of Compliance

The total cost of running a CMMC 2.0 compliance assessment is at least $50,000 to $70,000. Because of this cost, institutions must make sure their system will pass the CMMC 2.0 assessment before asking a C3PAO to perform it.

Failing to undergo an external assessment, or failing to be CMMC 2.0 compliant, will result in all of the institution's government grants being locked. Because of the lack of compliance, the institution will no longer be able to use any of the available funds for its research and development.

This situation handcuffs the academic ability to pursue innovation and develop in-depth research projects.

No institution is exempt from the impact of the NIST 2.0 framework, and most universities and research labs are behind on CMMC 2.0 compliance:

  • They are unable to declare themselves CMMC 2.0 compliant.
  • They do not have a plan to achieve CMMC 2.0 compliance.
  • Their solution is patched together from a cluster of partial solutions, each solving only a tiny piece of the NIST 2.0 Cybersecurity Framework.
  • They have never been accustomed to being externally evaluated by a C3PAO assessor.
  • They cannot measure the heavy consequences of not being CMMC 2.0 compliant.
  • They have no plan B in case their system is declared non-compliant.

Late Steps to Compliance

Most institutions run solutions that allow them to survive one "compliance storm" before the next one hits. "Compliance storms" occur whenever a requirement changes in the NIST regulations. They deeply affect the institution's processes and cyberinfrastructure, since most are ACL-based.

Currently, institutions are actively looking for CMMC 2.0 solutions before the 4th of November 2023. Adopting a solution into an existing system takes a minimum of several months.

Outsourcing compliance to a vendor has never been harder, considering the critical deadline.

The current steps to compliance must cover the following NIST regulations:

  • Hostile attacks, national disasters, structural failures, and human errors (NIST SP 800-53)
    • Problem: Perimeter defense, ACLs, and traditional security are not proven alternatives to CMMC 2.0 compliance. They imply patching the current infrastructure to make it temporarily compliant until a regulation change occurs.
    • Solution: PKC (Public Key Cryptography) solutions are a standalone tunnel unaffected by regulation changes where all data is always encrypted.
  • Performance Measurement Guide for Information Security (NIST SP 800-55)
    • Problem: "Policing" employees on security controls, policies, and procedures is exhausting and inefficient. Institutions cannot simply trust a group of 1000 individuals at all times. Despite hardened policies, if one individual out of a thousand leaks sensitive data, project investigators can only take partial action after the event has already taken place.
    • Solution: Look for a system that automatically enforces policies in its mechanism, so that no individual can mechanically cheat the institution's compliance policies.
  • NICE Workforce Framework for Cybersecurity (NIST SP 800-181r1)
    • Problem: Because of each institution's unique "taxonomy" challenges, each system admin has a unique style of developing code. An infrastructure that demands hiring an army of admins is cost-inefficient and obsolete in the long run.
    • Solution: Look for software that uses automation over the workforce without compromising security.
  • Integrating Cybersecurity and Enterprise Risk Management (NIST IR 8286)
    • Problem: A more centralized system infrastructure decreases security and invites social engineering attacks and admin impersonation.
    • Solution: Institutions should aim for a decentralized system, where power is divided between admins and users, so that no single compromised admin account can take over the whole system.

Benefits of Compliance

The US government pays attention to CMMC 2.0-compliant institutions, allowing them to use large government grants for research and development projects. The grant amount is usually between $500,000 and several million dollars, depending on the institution's financial spending history.

Additionally, CMMC 2.0-compliant institutions can compete with their peers, quickly building their reputation in research and development thanks to their spending power.

Clever decision makers can take advantage of the current changes in the NIST 2.0 Framework by improving their system infrastructure before the 4th of November 2023.

Tip: When institutions suffer regulatory compliance pressures, they have historically looked for alternative solutions externally.

Sourcing Compliance: Vendor Purchase Advice

Below is a list of significant assets institutions should look for in a CMMC 2.0-compliant solution:

  • The solution is complete. There is no need to buy additional upgrades, patches, or a combination of other solutions to cover all security and compliance needs.
  • It uses PKC (Public Key Cryptography) for both the entry points and the end points. It should not be ACL-based, since ACLs will result in the system being non-compliant and needing to be patched whenever a change in the NIST framework takes place.
  • It must keep the data secure both in transit and at rest.
  • It is not solely cloud-based or local machine-based. A cloud-based solution keeps data secured only in the cloud, not on the local machine. If the local machine gets stolen, so does its sensitive data.
  • It does not rely on passwords and email verification. Historically, the easiest way to compromise sensitive data is to entrust its access to an email provider.
  • The solution is currently working in other similar institutions. Peers should be asked what they use, and the solution's integrity should be verified.

Next, there are a few actions institutions should avoid regarding CMMC 2.0 compliance:

  • Buying solutions that require adding other patches to the initial purchase. Research teams should avoid mixing software because of infrastructural failure and lack of compliance.
  • Expecting to be fully CMMC 2.0 compliant while using a solution that has not been externally audited by a C3PAO in the past two to three years.
  • Choosing vendors based on the market's clamor rather than doing their own research thoroughly.

Info:

Since you are here, you might want to evaluate tiCrypt by checking the compliance whitepaper.