
26 Feb 2024

NIST CSF 2.0 – What’s changed for backup and recovery?

Jacob Berry, Field CISO

A long-awaited update to the classic NIST Cybersecurity Framework (CSF) has been released!

What’s changed, you ask? A lot.

Most notably, there is a whole new, very important pillar called “Govern.” NIST has also added some new controls that many of us have had in our security programs for a while. We consider many of these controls to be the minimum, but up until this release they were not in the NIST CSF (for instance, incident communications).

There will be plenty of people sharing thoughts on the new 2.0 framework overall, so I’ll scope this article down to what you come to Clumio for: backup and recovery.

Backup and recovery move under “data security” in NIST CSF 2.0

I’ll start with the most important change. The Protect pillar category “information protection,” which had held the framework’s backup control (PR.IP-4: Backups of information are conducted, maintained, and tested periodically), is now gone. The backup control subcategory now lies within the new-to-2.0 “data security” category in the Protect pillar.

Let’s take a deep dive into the various pillars and their controls around backup and recovery.

More changes to note, pillar by pillar


Govern

This new pillar governs all. It’s the eye of Sauron when it comes to the CSF.

The Govern pillar covers all the tasks that go into running enterprise risk and governance functions such as planning, reviewing, measuring success and more.

Outside of the controls that apply to everything, such as “policy” and “oversight,” there is a section dedicated to supply chain risk management that covers ensuring third parties can recover. The category is defined as follows:

Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders

Within this control category is the control “GV.SC-08 Relevant suppliers and other third parties are included in incident planning, response, and recovery activities.”

This means running a CSF 2.0-governed program would require asking questions about third parties’ ability to recover during an IT incident or cyber attack. Many vendor questionnaire frameworks, including SIG, already include this, but it’s a good time to revalidate your third-party process to evaluate vendors’ ability to recover and back up your data.


Protect

The Protect pillar was majorly overhauled. To me, among the best changes are the new “Infrastructure Resilience” and “Data Security” control categories. These changes highlight the importance of protecting, governing, and ensuring the integrity of data, as its value and use have changed over time.

“Technology Infrastructure Resilience” is one of the core reasons why we perform backups. This control category description and its controls are as follows:

Technology Infrastructure Resilience (PR.IR): Security architectures are managed with the organization’s risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience.

  • PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
  • PR.IR-02: The organization’s technology assets are protected from environmental threats
  • PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
  • PR.IR-04: Adequate resource capacity to ensure availability is maintained

These controls speak to the need not only to have immutable backups, but to store them in a separate security domain or, as we say, virtually air-gapped.

PR.IR-03 speaks to this specifically in its mention of resilience requirements in adverse situations.

While the infrastructure resilience control set broadly speaks to needing backups alongside the other elements of a resilient infrastructure, in the Protect pillar’s “data security” category there’s a specific control – PR.DS-11 – that calls out backups that are both maintained and tested. From CSF 2.0 directly:

Protect – Data Security

PR.DS-11: Backups of data are created, protected, maintained, and tested

While these changes may not make a material difference to the program that you’re running, from an audit perspective it clarifies the types of controls and protections that need to be in place under the new Protect pillar.


Respond

While I haven’t written about it extensively on the Clumio blog, incident response is one of my favorite parts of security, and where I spent the early part of my career.

The changes in CSF 2.0 are more like a reorganization than net new controls.

The notion of using information gathered during the analysis phase of an incident to inform and impact recovery activities remains the same in 2.0.

Under the analysis subcategory, the description calls out, just like in 1.0, that analysis is used to create effective recovery activities.

Text from the CSF 2.0:

Incident Analysis (RS.AN): Investigations are conducted to ensure effective response and support forensics and recovery activities


Recover

Last but by no means least is the critical backstop to cybersecurity programs, the Recovery pillar. Recovery has changed slightly from the V1 publication. Notably, recovery improvements are no longer under the Recovery pillar, with the notion being that improvement is part of the overall governance structure that’s happening continuously across all pillars.

From a backup and recovery standpoint, the recovery planning subcategory notes that backups and other restoration assets should be verified before putting them back into production.

This is a new addition.

CSF Text:

RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration
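One way to put RC.RP-03 into practice, shown as an added example that is not from the original article or from Clumio: record a keyed manifest of file hashes at backup time, keep it outside the backup's security domain, and refuse to restore unless the backup still matches it. The manifest layout, function names, key and sample files are all assumptions constructed for illustration.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

def _hash_tree(backup_dir):
    digests = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, backup_dir)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def _mac(files, key):
    # HMAC over the canonical JSON form, so the hash list itself cannot be rewritten unnoticed
    return hmac.new(key, json.dumps(files, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def build_manifest(backup_dir, key):
    """Run at backup time; store the result outside the backup's security domain."""
    files = _hash_tree(backup_dir)
    return {"files": files, "mac": _mac(files, key)}

def verify_before_restore(backup_dir, manifest, key):
    """Return a sorted list of problems; an empty list means the restore may proceed."""
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest.get("mac", "")):
        return ["manifest: MAC mismatch, recorded hashes are not trusted"]
    actual, recorded = _hash_tree(backup_dir), manifest["files"]
    problems = [f"{p}: missing from backup" for p in recorded.keys() - actual.keys()]
    problems += [f"{p}: not in manifest" for p in actual.keys() - recorded.keys()]
    problems += [f"{p}: content changed"
                 for p in recorded.keys() & actual.keys() if actual[p] != recorded[p]]
    return sorted(problems)

def demo():
    key = b"constructed-demo-key"  # constructed; a real key lives outside the backup store
    with tempfile.TemporaryDirectory() as d:
        for name, data in {"db.dump": b"rows", "config.yml": b"a: 1", "users.csv": b"id"}.items():
            Path(d, name).write_bytes(data)          # constructed sample backup contents
        manifest = build_manifest(d, key)
        clean = verify_before_restore(d, manifest, key)
        Path(d, "db.dump").write_bytes(b"modified")  # content altered after backup
        Path(d, "users.csv").unlink()                # file deleted
        Path(d, "unexpected.bin").write_bytes(b"x")  # file added
        tampered = verify_before_restore(d, manifest, key)
        forged = {"files": _hash_tree(d), "mac": manifest["mac"]}  # hashes rewritten without the key
        return clean, tampered, verify_before_restore(d, forged, key)

if __name__ == "__main__":
    print(demo())
```

Because the manifest is authenticated with a key the backup store never holds, someone who can alter the backup cannot also make the recorded hashes agree with it.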


There are some significant changes in this 2.0 revision of the Cybersecurity Framework. This overhaul simplifies much of the language and adds some important control categories and subcategories that are needed to run an effective security program in today’s world.

From a backup and recovery perspective, it’s clear that NIST agrees a backup strategy needs to consist of many types of backups, including those that are outside your primary security domain. It’s also clear that backups need to be regularly tested, so that they can ensure an organization survives a cyber attack from both an uptime perspective and a data integrity perspective.

Hopefully this insight helps you understand how to map your security program to the new NIST CSF 2.0 framework, and maybe even brings some new considerations that can make a positive impact on your IT and security programs.

Jacob Berry

About the author

Jacob is Clumio’s Field CISO with a background in Cyber Security and Technology, focused on helping customers build secure cloud operating environments. He has extensive experience in offense and defense security, security operations, and working across multiple verticals in both private and public sectors.