The latest version of the National Institute of Standards and Technology (NIST) Cybersecurity Framework is more widely applicable than previous versions and includes more elements that will help business owners manage cybersecurity risk.
What's New in the Updated NIST Cybersecurity Framework?
Recently, the Department of Commerce’s National Institute of Standards and Technology (NIST) released Version 2.0 of its Cybersecurity Framework (the CSF).
Version 1.0 was released in February 2014, with the intention of helping critical infrastructure organizations understand how to manage cybersecurity risk. Previously, companies were operating with CSF Version 1.1, published in 2018.
The framework provides a shared language and method for addressing cybersecurity risks in a systematic way. NIST believes the CSF is “extremely versatile” and can be used by organizations in different industries, no matter their size or age. The CSF has been well-lauded by several associations, including groups in academia, government, information technology, and even internationally.
The Framework has been updated to match the new developments in the cybersecurity field and to be more applicable to any organization across all sectors.
One of the more obvious changes, changing the title from “Framework for Improving Critical Infrastructure Cybersecurity” to “The NIST Cybersecurity Framework”, reflects the new expanded audience: Prior versions were intended solely for critical infrastructure organizations; Version 2.0 is meant to provide guidance to business of all industries and sizes.
The new framework has some remarkable differences from previous versions. Version 2.0 of the CSF includes references to updated resources, like the NIST Privacy Framework and the Artificial Intelligence Risk Management Framework, among others. NIST also plans to release an online tool on their website to hold the CSF Core (which includes common cybersecurity tasks, results, and helpful information for all important sectors) so that it’s readable by both humans and machines.
These changes to the CSF reflect the dramatic shift in the cybersecurity landscape since 2018. For articles from Digital Asset Redemption on some of the other recent changes in Federal Government policy, go here.
What are the Key Components of the CSF?
In older iterations of the framework, there were five main functions for a successful cybersecurity strategy: Identify, Protect, Detect, Respond, and Recover.
The Identify (ID) function was the first step in the construction of a strategy, and included understanding what risks the company had and what cybersecurity policies were already in place.
Protect (PR) refers to preventing damage from the discovered cyber risks, which may include keeping data secure, training employees in security, and monitoring access control to important information.
The Detect (DE) function is about promptly spotting and understanding any unusual activities or signs of a breach that may show that the organization is being targeted by cyber threats.
The Respond (RS) function naturally follows the detection of a cyber incident, and includes reporting, which has become an important requirement for both CISA and the SEC.
The last function was Recover (RC), which includes restoring what was lost, communicating with involved parties, and returning to operations while preventing any other cyber incidents.
The new framework introduces an additional function: Govern (GV). This new function is centered on setting up and keeping track of the company's plan, goals, and rules for handling cybersecurity risks. This may involve arranging a system of different roles for management and oversight of the designated plan. The framework offers more advice on integrating the risk management that is part of the company’s strategy with the NIST Privacy Framework.
How Can the CSF v2.0 Guide be Implemented and What are its Future Prospects?
The new framework has more information about how to implement the CSF, with examples of different Processes to achieve the subcategories on the Framework. It also expands on how to create and use Profiles, which are organization-centered collections of their specific cybersecurity requirements, resources, and their risk appetite. Templates are also included, and can be adapted for the creation of Profiles and action plans.
CSF Version 2.0 also has an increased focus on cybersecurity supply chain risk management, which appears as a new category under the Govern function as “GV.RM”. More content has been updated to include the most recent guidelines from NIST (National Institute of Standards and Technology) on managing cybersecurity risks in the supply chain and developing secure software.
Finally, the new CSF includes some clarifications on cybersecurity measurement and assessment that relate to some of the concerns voiced in their February 2022 request for information. There is still an opportunity to share concerns about the draft, as the NIST has requested recommendations on improving the updated CSF to be turned in before a November 4 deadline.
NIST provides detailed information on how businesses can upgrade their cybersecurity posture, all of which is easily accessible and affordable. While the new CSF is not yet finalized, it isn’t difficult to foresee what possible benefits this update brings for entities that CISA refers to as “cyber poor”: The Federal Government is clearly establishing itself as a resource for all US companies and organizations hoping to improve our nation’s cyber defenses. This updated CSF may serve as the new baseline defense for cyber security.
This post is part of DAR's "Federal Fridays" series. Be sure to follow DAR on LinkedIn for the latest updates!