Locking in your framework

In the Spring of 2024, the National Institute of Standards and Technology (NIST) released the Cybersecurity Framework (CSF) 2.0. The updated comprehensive guideline provides a framework for organizations to manage and mitigate cybersecurity risks.

While many cybersecurity techniques are valuable to protect your digital systems, encryption serves as a fundamental tool to protect data, ensure confidentiality and support organizational resilience. Encryption bolsters multiple aspects of the NIST CSF, particularly through the
functions of protect, detect and respond. This essay will explore how encryption specifically contributes to the protection of assets, detection of threats and response to cyber incidents within the CSF framework.

The NIST CSF comprises six core functions that guide organizations in managing cybersecurity risks: Govern, Identify, Protect, Detect, Respond and Recover. These functions work together to form a comprehensive approach to cybersecurity, with each one focused on a different aspect of the risk management process. The framework is adaptable to organizations of all sizes and industries, providing a high degree of flexibility in how cybersecurity controls are implemented and maintained.

The Protect function of the NIST CSF aims to implement safeguards to protect an organization’s data, systems and services from threats and unauthorized access. The NIST SP 800–53, Rev. 5 emphasizes the importance of encryption for data protection in its SC-12 (Cryptographic Key Establishment and Management) and SC-13 (Cryptographic Protection) controls. These controls require organizations to implement cryptographic solutions to protect the confidentiality and integrity of information, whether it is in storage, during transmission, or in use. Moreover, SC-28 (Protection of Information at Rest) explicitly states that encryption should be applied to critical data to safeguard against unauthorized access. Encryption directly supports this function through several key activities:

1. Data Security (PR.DS)

The NIST CSF outlines the importance of protectingthe confidentiality, integrity and availability of data. Encryption ensures that sensitive data, whether at rest, in transit, or in use, remains secure from unauthorized access or tampering. For example:

– Data at-rest encryption: Protects stored data on servers, databases and devices from being accessed by unauthorized parties, ensuring that even if a breach occurs, the stolen data is unusable without the decryption key. According to NIST SP 800–53, control SC-28 mandates that organizations encrypt information at rest to maintain confidentiality and integrity. This aligns with CSF’s Protect function by ensuring that sensitive data can’t be easily accessed, even in the event of a breach.

– Data in-transit encryption: Encryption protocols such as Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protect data while it is transmitted over networks, preventing interception by malicious actors.

– Data in use encryption: Unlike traditional encryption technology, homomorphic encryption and other post-quantum encryption capabilities allow data to be encrypted even during processing, adding an extra layer of security in environments where sensitive data is frequently processed. Each unique data environment requires a different approach to protection, in which encryption is often an essential element. As an example, FIPS 140–3 provides the technical specifications for cryptographic modules used in securing data and communications. This is a mandatory standard for federal agencies and can be used by private organizations to demonstrate compliance with best practices. By ensuring encryption systems meet FIPS standards, an organization demonstrates adherence to recognized industry standards for cryptographic security, but this is also an example of specifically tailored approach to Protect given the risk tolerance and threat landscape for a given organization.

2. Identity Management, Authentication and Access Control (PR.AA)

Encryption also plays a crucial role in managing access to sensitive information and resources. Encryption keys are often used to secure authentication processes, ensuring that only users with authorized access can utilize data. Multi-factor authentication (MFA) and public key infrastructure (PKI) systems rely on encryption to verify the digital identities of users securely.

3. Platform Security (PR.PS)

Organizations use encryption to secure the hardware, software and services that make up the organization’s IT infrastructure. By encrypting communications between devices, and between users and platforms, the organization can prevent unauthorized commands and mitigate the risk of cyberattacks on its systems.

In addition to protecting data, encryption also plays a critical role in the detect function of the NIST CSF, which focuses on identifying cybersecurity threats in a timely manner. The use of encryption technologies facilitates several key detection activities:

1. Anomaly Detection (DE.AE)
Encrypted communications can sometimes provide indicators of compromise, such as unauthorized attempts to decrypt data or anomalies in encryption patterns. Monitoring encrypted traffic for signs of abnormal or unencrypted activity can help organizations detect breaches early. While encryption may seem to obscure data, it also creates opportunities for cybersecurity tools to identify abnormal patterns that indicate potential breaches or threats. By enabling the detection of suspicious activities, such as unauthorized attempts to decrypt data, which may indicate a potential compromise, we leverage NIST SP 800-94’s guidance on IDPS deployment in encrypted environments. Organizations can configure intrusion detection systems to monitor and flag unauthorized attempts to decrypt or tamper with encrypted data. This, in addition to continuous monitoring of encrypted communications and key management processes, provides early identification of potential cyber threats involving encryption.

2. Continuous Monitoring (DE.CM)
Encrypted data can be monitored using advanced tools that focus on detecting unauthorized decryption attempts or misuse of encryption keys. Continuous monitoring tools can detect unusual activities such as brute-force attacks aimed at cracking encrypted communications or improper key usage. According to NIST SP 800–137, continuous monitoring of encryption key activities and detecting unusual access patterns are essential for identifying potential breaches. This emphasizes the importance of anomaly detection in protecting sensitive information. NIST SP 800–92 recommends that logs include detailed records of encryption activities, such as failed decryption attempts or unauthorized key access. These logs play a critical role in the Detect function by enabling organizations to trace and respond to potential security incidents involving encrypted data.

When a cybersecurity incident occurs, encryption supports the respond function of the NIST CSF by helping organizations contain and mitigate the damage.Encryption is particularly useful in incident response activities, as it ensures that even if data is compromised, it remains unreadable and unusable by unauthorized parties.

1. Mitigation of Impact (RS.MI)
Encryption limits the damage of a data breach by ensuring that any stolen data remains inaccessible without the corresponding decryption keys. Even if malicious actors succeed in exfiltrating encrypted files, they are unable to use or sell the data without compromising the encryption, which is typically designed to be highly resistant to such efforts. In addition to encryption, organizations should follow the media sanitization guidelines outlined in NIST SP 800–88 to ensure that compromised data can’t be recovered. NIST SP 800–88 outlines best practices for data destruction and sanitization, ensuring that data remnants are securely erased from digital media and aligns with the Respond function of the CSF by further limiting the damage following a cybersecurity incident.

2. Communication and Reporting (RS.CO)
Encryption is essential in ensuring the confidentiality of communications during incident response. Organizations use encryption to securely communicate with internal teams, law enforcement and external stakeholders without risking further data exposure. Reporting systems also use encryption to transmit incident reports securely.

The Govern and Identify functions of the NIST CSF emphasize establishing a cybersecurity risk management strategy that includes encryption as a core control. NIST SP 800–37 outlines risk management practices that integrate encryption into the broader organizational governance process. Specifically, Task P-18 (risk assessment) encourages the identification of systems and data that require encryption to mitigate potential vulnerabilities. This is directly related to the CSF’s Govern and Identify functions, which call for embedding encryption as a core element in governance policies and risk management practices. Governance activities ensure that encryption policies are integrated into broader cybersecurity strategies, while risk management identifies which data and systems require encryption to mitigate potential threats.

Governance (GV)

In the context of Governance, encryption policies are developed and enforced to ensure compliance with legal, regulatory and contractual obligations. Organizations must manage encryption keys and use encryption technologies correctly. This is an important part of Governance that must be included in their overall risk management strategies. Effective encryption relies on secure key management practices. NIST SP 800–57 provides comprehensive guidelines for managing cryptographic keys throughout their lifecycle, including generation, distribution, storage and destruction. Ensuring secure key management is vital for preventing unauthorized access to sensitive information.

Risk management (ID)

Risk assessments must consider the role of encryption in protecting critical assets and data. Identifying which systems require encryption is crucial to ensuring that sensitive information is adequately protected against external and internal threats.

Encryption is a key enabler of the NIST Cybersecurity Framework, providing essential support for data security, access control, threat detection and incident response. By applying encryption consistently across the Protect, Detect and Respond functions, organizations can reduce their exposure to cyberattacks, ensure the confidentiality and integrity of their data and improve their overall cybersecurity resilience. Encryption is also important for managing Governance and risk. It helps organizations meet their cybersecurity obligations while protecting their most important assets. Ultimately, encryption serves as a fundamental technology that strengthens each component of the NIST CSF and contributes to an integrated cyber defense within your cyber environment.”