NIST-CSF 2.0 – A Namibian Pipedream or Reality?

Opinion Piece, by Tyrone Nashandi

The National Institute of Standards and Technology (NIST) has made significant changes to its popular Cybersecurity Framework (NIST-CSF). That will leave organizations mulling over how this affects their cybersecurity programs. More specifically, my favorite – the new “Govern” function.

As a result, organizations having tirelessly identified gaps, may have to reanalyze their existing assessments and remediation activities to dissect the impact of the framework changes. Given that, new program gaps may emerge, especially with respect to cybersecurity governance and supply chain risk management. This follows the original CSF, nearly 10 years without updates, provided guidance to American industries critical to national and economic security. However, the latest version immensely expands on that vision to create a framework for any organization with ambitions to improve the maturity and posture of its information security to an industry leading standard. Crucially, the NIST-CSF is not just a document but a collection of resources that organizations can use to apply the framework to their specific environment and requirements. For example, the organizational and community profiles, provide a structured foundation for companies and organizations to examine – reexamine – their cybersecurity requirements, assets and controls.

Evaluating the existing cybersecurity posture in Namibia, one can ascertain that our progress, though in early stages, is commendably enlightened. To be exact, the proposal of a Data Protection Bill and National Cybersecurity Incident Response Team (NCIRT) from The Ministry

of Information and Communication Technology (MICT) are crucial steps in their ‘pillars’ for a robust Cyber-Awareness vision for 2030.

Furthermore, collaborative information sharing, fostered by the MICT has been instrumental in promoting transparency and public engagement. Notably, the recently proposed draft [Bill], was made accessible for public feedback. Especially, given the growing dependance on digital services it goes without saying: proactively emphasizing data protection and privacy is incredibly essential for effective governance in the modern information age.

However, public opinion has not been entirely positive. Frederico Links, a research associate at the Institute of Public Policy Research, expressed concerns that “protecting individuals’ fundamental rights, freedoms, and privacy are treated as secondary considerations by the Namibian government compared to the collection, storage, and processing of communication data under the veil of ‘national security’ secrecy.” His concerns stemmed from the mandated biometric SIM registration campaign implemented by MTC, the state-owned telecommunications provider with a 91% market share.

Such concerns raise questions not only about the efficacy of the proposed draft [Bill] but fundamentally, the democratic governance of the state itself. While MTC’s chief human capital and corporate affairs officer, Tim Ekandjo, argues, that the mandate adheres to the EU’s General Data Protection Regulation (GDPR) standards, The telecommunications giant, unlike the legislation, fails to address “the right to be forgotten” or opt-out provision, which grants individuals the right to withdraw their consent at any time.

Consequently, clarity should be brought to bear on this matter, ideally by the future incumbent Data Protection Supervisory Authority, whose establishment has been mentioned in the draft [Bill]. Until then, the prospect of efficiently adopting a governance, risk and compliance standard the likes of NIST on a governmental scale, remains unrealistic.

As robust privacy laws and data protection policies still need to be enacted. Namibia remains lagging with data transparency compared to the European legislations its industry leaders are heralding.