NIST SP 1331 draft guide expands CSF 2.0 for managing emerging and emergent cybersecurity risks

The U.S. National Institute of Standards and Technology (NIST) has released its initial public draft of NIST SP 1331 ipd – Quick-Start Guide for Using CSF 2.0 to Improve Management of Emerging Cybersecurity Risks. The draft focuses on how organizations can strengthen their ability to anticipate and manage emerging cyber threats by leveraging established risk management practices alongside the NIST Cybersecurity Framework (CSF) 2.0. It also underscores the need to align these practices with enterprise risk management (ERM), enabling organizations to address potential risks proactively rather than reactively.

The publication is the latest in a series of CSF 2.0 quick-start guides introduced since Feb. 26, 2024, offering tailored pathways for different audiences and making the Framework easier to apply in practice. The comment period is open through September 21 this year, and stakeholders are invited to provide their feedback on this draft publication. 

The document aims to demonstrate how organizations can prepare for unknown risks through risk planning with CSF 2.0. NIST is also seeking feedback on this document, particularly on how it distinguishes between risk response and risk strategies, as well as on the broader use of the terms ‘emerging risk’ and ‘emergent risk’ within the cybersecurity community and related fields.

Because the two terms may be defined differently, the risk management activities implemented under each may also differ. NIST is interested in how these terms are defined and differentiated across organizations and disciplines, including any distinctions made between the two, if at all. For simplicity, NIST uses ‘emerging risk’ as the basis of the guidance. NIST SP 1331 outlines that as technologies have grown both in complexity and in the number and nature of their interdependencies with other technologies, their risks have become more difficult to manage.

Organizations are not aware, and cannot be aware, of some of the cybersecurity risks they face. The guide describes two types of these risks, known collectively as emerging risks. The first type is emerging risks that are unknown to some organizations but known to others. These are largely well-understood risks, including ransomware, distributed denial of service, and phishing, which some organizations simply do not know about yet. While these risks evolve due to outside factors such as new technology and environmental and regulatory changes, there are known, well-documented mitigations for them.

An organization that has not identified these risks may incur a large-scale impact if one of these risks is realized. Organizations that bolster their risk identification techniques are likely to be aware of more emerging risks. 

The second type is emerging risks that are unknown to all organizations. These risks have never been seen before, and there are no documented risk mitigations, avoidance strategies, or transfer opportunities. At any time, one of these risks may simply be realized, and organizations will be left to their own processes and procedures to handle it.

The NIST SP 1331 highlighted that many of today’s technologies are part of a ‘system-of-systems,’ defined as a system whose elements are themselves systems. These heterogeneous, distributed systems often combine information technology (IT), operational technology (OT), and Internet of Things (IoT) capabilities. Advances in machine learning (ML) and artificial intelligence (AI) have made them more adaptable, but also less predictable.

Addressing these challenges requires a multidisciplinary approach. Organizations should bring together different disciplines and domains when identifying, analyzing, evaluating, prioritizing, and responding to emerging risks. NIST offers a range of resources to help organizations strengthen traditional cybersecurity risk management with these broader practices.

NIST SP 1331 recognizes two distinct phases for managing emerging cybersecurity risks: before such a risk is realized, and after. This delineation between proactive and reactive steps can be organized by the NIST Cybersecurity Framework (CSF) 2.0 functions. The Govern, Identify, and Protect functions are mostly used to manage risks before they are realized, and the Detect, Respond, and Recover functions are mostly used to manage risks after they are realized.

Further, the Improvement category, found in the Identify function, is used to direct lessons learned after the risk is realized. These improvement activities prepare organizations to react to the risk and drive the next iteration of the cycle. Lessons learned from performing all activities in all functions are fed into Improvement, and those lessons are analyzed, prioritized, and used to inform all functions.

“Organizations can better manage their emerging risks by expanding their organizational view of threats, methods of compromise, and vulnerabilities by adding new disciplines, domains, and stakeholders to risk identification activities,” the NIST SP 1331 document detailed. “Concurrently, organizations should elevate executive-level attention on formal risk treatment. This includes establishing a robust governance structure that aligns with clear business objectives, defining supporting processes, formalizing risk management strategies, and assigning accountability for risk decisions.”

Unexpected behaviors are difficult to plan for and to react to quickly. The consequences of realized emerging risks can spread instantly, making containment in the moment extremely difficult. Planning for emerging risk means adequately accounting for these systems and their dependencies in governance and management capabilities, and ensuring that effective safeguards are in place to limit the impact and prevent the cascading effect of emerging behaviors that lead to mission disruption.

The NIST SP 1331 identified that an organization’s quick reaction to execute detection, response, and recovery activities can also help to minimize the disruption. Preparing for the realization of emerging risks requires organizational resilience and adaptability. The realization of emerging risks requires system-level risk mitigation, as well as organizational processes to mitigate their impact. 

Last week, NIST warned that transit agencies face mounting cybersecurity risks that threaten the delivery of safe and reliable services. In response, the agency released a white paper outlining the preliminary content of a Transit Cybersecurity Framework (CSF) Community Profile, which takes a mission-driven approach to identifying practical cybersecurity outcomes tailored to the sector’s unique challenges.