NIST and DHMS Officials Boost Data Security with the Evolution of CSF 2.0 and Push Toward Attribute-Based Access Control Amid the Rise of AI
In an era marked by an alarming increase in cyberattacks, particularly ransomware incidents such as Medusa and Van Helsing, federal leaders are compelled to rethink and evolve their cybersecurity strategies. At the recent GovCIO Media & Research CyberScape Summit in Bethesda, Maryland, officials from the National Institute of Standards and Technology (NIST) and the Defense Healthcare Management Systems (DHMS) emphasized the urgent need to secure non-human access points and transition from traditional role-based access control (RBAC) to a more dynamic attribute-based access control (ABAC) framework.
The Rising Threat Landscape
The surge in cyber threats has prompted agencies to reassess their security protocols. Chris Wallace, Chief of Cybersecurity at DHMS, highlighted the critical role of credentialing, access management, and user analytics in combating ransomware. “To protect the data, you have to have the data to see and work through all those problems,” Wallace stated, underscoring the importance of proactive measures in identifying and mitigating vulnerabilities before cybercriminals exploit them.
NIST’s CSF 2.0: A Governance Framework
A pivotal development in this landscape is NIST’s Cybersecurity Framework (CSF) 2.0, which adds a sixth function, Govern, to the original five (Identify, Protect, Detect, Respond, Recover). Govern covers how an organization establishes, communicates, and monitors its cybersecurity risk-management strategy, expectations, and policy. Cherilyn Pascoe, Director of the NIST National Cybersecurity Center of Excellence (NCCoE), explained that the framework serves as a common tool for agencies to assess, communicate, and prioritize their cybersecurity efforts. The emphasis on governance ensures that roles and responsibilities are clearly defined, particularly at the senior leadership level, so that access decisions such as who (or what) may reach which data are owned by someone accountable.
Pascoe noted, “Cybersecurity is a constant challenge, and there are many different priorities right now. We’re collectively harnessing all of the goodness from the cybersecurity community to help implement this framework.” This collaborative approach is essential in navigating the complexities of modern cybersecurity threats.
Transitioning to Attribute-Based Access Control
As agencies strive to enhance their security postures, the shift from RBAC to ABAC is gaining traction. Joel Krooswyk, GitLab Federal CTO, echoed the significance of CSF 2.0 in governing access management, particularly for application programming interfaces (APIs). He warned that unsecured APIs remain a critical weakness because they are the primary path through which data is accessed, and an API credential that carries a broad role but no contextual constraints is exactly the kind of access that RBAC alone cannot reason about.
Wallace emphasized that while human factors are crucial in access management, non-human access points like APIs and service accounts often represent blind spots. Where RBAC grants a fixed set of permissions to anyone holding a role, ABAC evaluates attributes of the subject, the resource, the action, and the environment at the time of each request (for example, whether the caller is a person or a service, how old its credential is, which network it arrives from, and how the data is classified), so the same role can be allowed in one context and denied in another. The subtle anomalies that may indicate malicious activity require robust monitoring and analytical capabilities, and a policy that records which attribute rule a request failed produces exactly that signal. “ABAC is probably the better way to go,” he argued, as it provides enhanced insights into potential insider threats and improves anomaly detection.
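To make the RBAC-versus-ABAC distinction concrete, here is an added example that is not code from the article or from NIST, DHMS, or GitLab. It puts a flat role-to-permission map beside a small attribute-based policy evaluated for both a human clinician and two service (API) callers. The roles, attribute names, classification labels, the one-hour service-token limit, and all sample requests are constructed for illustration and are not drawn from any agency policy.

```python
# Added example (not from the article, NIST, DHMS, or GitLab): a minimal
# RBAC check beside an ABAC policy evaluated for human and service (API)
# callers. Roles, attributes, and requests are constructed for illustration.
from dataclasses import dataclass, field

# RBAC: a flat role-to-permission map. Any caller holding the role gets the
# permission, whatever its credential age, network, or data scope.
RBAC_ROLES = {
    "clinician": {"patient_record:read", "patient_record:write"},
    "billing_service": {"patient_record:read", "claim:write"},
}

def rbac_allows(role: str, permission: str) -> bool:
    return permission in RBAC_ROLES.get(role, set())

@dataclass
class Subject:
    id: str
    kind: str          # "human" or "service" (API / non-human caller)
    role: str
    department: str
    token_age_s: int   # seconds since the credential was issued

@dataclass
class Resource:
    type: str
    classification: str   # "phi" or "internal" (hypothetical labels)
    department: str

@dataclass
class Env:
    source_network: str   # "internal" or "external"

@dataclass
class Decision:
    allow: bool
    reasons: list[str] = field(default_factory=list)

SERVICE_TOKEN_MAX_AGE_S = 3600  # assumed policy value, not an agency rule

def abac_decide(subj: Subject, action: str, res: Resource, env: Env) -> Decision:
    """Each rule names the attribute it tests, so every denial is explainable
    and can be logged as a signal for anomaly and insider-threat review."""
    reasons: list[str] = []
    # Rule 1: the role still bounds the action (ABAC composes with RBAC).
    if not rbac_allows(subj.role, f"{res.type}:{action}"):
        reasons.append("role lacks permission")
    # Rule 2: PHI is never served over an external network, human or not.
    if res.classification == "phi" and env.source_network != "internal":
        reasons.append("phi requested from external network")
    # Rule 3: non-human callers are held to tighter attributes than humans.
    if subj.kind == "service":
        if subj.token_age_s > SERVICE_TOKEN_MAX_AGE_S:
            reasons.append("service token older than 1h")
        if res.department != subj.department:
            reasons.append("service account crossing department boundary")
        if env.source_network != "internal":
            reasons.append("service account from external network")
    return Decision(allow=not reasons, reasons=reasons)

def run_samples() -> list[dict]:
    """Constructed requests: identical RBAC verdicts, different ABAC verdicts."""
    clinician = Subject("dr.lee", "human", "clinician", "cardiology", 600)
    stale_bot = Subject("svc-billing-01", "service", "billing_service", "billing", 7200)
    fresh_bot = Subject("svc-billing-02", "service", "billing_service", "billing", 300)
    cardio_record = Resource("patient_record", "phi", "cardiology")
    claim = Resource("claim", "internal", "billing")
    requests = [
        (clinician, "read", cardio_record, Env("internal")),
        (stale_bot, "read", cardio_record, Env("internal")),
        (fresh_bot, "write", claim, Env("external")),
    ]
    results = []
    for subj, action, res, env in requests:
        results.append({
            "subject": subj.id,
            "rbac": rbac_allows(subj.role, f"{res.type}:{action}"),
            "abac": abac_decide(subj, action, res, env),
        })
    return results

def denial_counts(results: list[dict]) -> dict[str, int]:
    """Violated attribute rules per subject: the per-caller signal that an
    RBAC-only allow/deny log cannot provide."""
    counts: dict[str, int] = {}
    for r in results:
        if not r["abac"].allow:
            counts[r["subject"]] = counts.get(r["subject"], 0) + len(r["abac"].reasons)
    return counts

if __name__ == "__main__":
    for r in run_samples():
        print(r["subject"], "rbac=", r["rbac"], "abac=", r["abac"].allow, r["abac"].reasons)
    print(denial_counts(run_samples()))
```

All three requests pass the RBAC check, because each caller holds a role that includes the permission. Only the clinician passes ABAC: the stale billing service account is denied for both an expired credential and a cross-department read of PHI, and the fresh one is denied for calling from an external network. The denial reasons are what make the difference operationally; counted per subject over time they are the anomaly signal Wallace describes, which a bare role check never emits.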
The Role of AI in Cybersecurity
The integration of artificial intelligence (AI) into cybersecurity practices is becoming increasingly vital. Wallace pointed out that while API configurations are still managed by humans, AI can significantly bolster data security. NIST is currently working on a community profile for AI as part of the CSF 2.0 update, aiming to ensure the secure use of AI while advancing its capabilities for cybersecurity.
Pascoe highlighted the importance of collaboration among industry, government, and academia in this endeavor. “There is a lot of work already being done in this space, and we don’t want to duplicate any of it,” she stated, emphasizing the need to connect existing resources.
Wallace cautioned against viewing AI as a singular solution, advocating for a “multimodal environment” that incorporates various functions to manage AI systems effectively. “You need to prepare for a multimodal environment,” he advised, recognizing the complexity of AI systems and the necessity for agencies to adapt their cybersecurity practices continually.
Navigating Complexity in AI Systems
Krooswyk further elaborated on the intricacies of AI systems, stressing the importance of understanding the multiple models and data sources involved. “You’re not using a single model; you’re not using a single interface system,” he noted, highlighting the challenges posed by public-private partnerships and cloud environments. Agencies must maintain visibility into the various engines, clouds, and models they utilize to ensure data security.
Continuous Improvement: The North Star of Cybersecurity
As the cybersecurity landscape evolves, the principle of continuous improvement embedded in CSF 2.0 serves as a guiding light for agencies. Pascoe articulated the necessity of ongoing vigilance, stating, “There is no such thing as, ‘Oh, I did cybersecurity today, and I’m done.’” The commitment to evolving cybersecurity efforts is paramount, as agencies learn from experiences and adapt to emerging threats.
In conclusion, the collaboration between NIST and DHMS officials marks a significant step toward enhancing data security in an increasingly complex cyber environment. By embracing the evolution of CSF 2.0 and transitioning to attribute-based access control, agencies can better protect sensitive data against the rising tide of cyber threats, ensuring a more secure future for all.