The popular Cybersecurity Framework (CSF), a seminal guideline paper from the National Institute of Standards and Technology (NIST) for lowering cybersecurity risk, has been updated. Regardless of the level of cybersecurity competence, the new 2.0 edition is intended for all audiences, industry sectors, and organization types, from the tiniest organizations and schools to the biggest agencies and enterprises.
Taking into consideration the feedback received on the draft of the CSF 2.0, the agency expanded its core guidance and created additional resources to help organizations use the framework at its full potential.
The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats… CSF 2.0 is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.
Laurie E. Locascio, NIST Director & Under Secretary of Commerce for Standards and Technology
A New Function Added: Govern
Probably the most significant structural change to the framework is the addition of a sixth function, Govern, to the existing five: Identify, Protect, Detect, Respond, and Recover.
The Govern function presents “outcomes,” or desirable states, to guide an organization’s actions to prioritize and attain the results of the other five functions. This helps organizations integrate cybersecurity risk management into larger enterprise risk management programs.
Source: NIST
The purpose of the new Govern function is to elevate all cybersecurity risk management initiatives to the C-suite and board levels of the business.
Developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad.
Kevin Stine, Chief of NIST’s Applied Cybersecurity Division
The New Role of the Supply Chain
The supply chain risk management outcomes found in CSF 1.1 are also expanded upon and incorporated into CSF 2.0, with the majority of these falling under the Govern function. Given “the complex and interconnected relationships in this ecosystem, supply chain risk management (SCRM) is critical for organizations,” according to the 2.0 framework.
New Resources: Learn From Others, Quick Start Guides, Searchable Catalog
In anticipation that organizations will come to CSF with varying needs and degrees of experience in implementing cybersecurity tools, the new framework puts more resources at the disposal of users.
New adopters will be able to learn from other users’ success stories and select their topic of interest from a new set of implementation examples.
Quick-start guides designed for specific types of users, such as small businesses, enterprise risk managers, and other organizations seeking to secure their supply chains will also be accessible as resources.
NIST CSF 2.0 Resources (Source)
Organizations may now apply the CSF more easily thanks to the new CSF 2.0 Reference Tool, which makes it possible to browse, search, and export the CSF core guidance in formats that are both machine- and human-readable.
Additionally, CSF 2.0 offers a searchable catalog of informative references that shows organizations how their current actions map onto the CSF. With the help of this catalog, an organization can compare the CSF’s recommendations with over fifty additional cybersecurity publications, many of which are from NIST. One such document is SP 800-53 Rev. 5, a catalog of controls for attaining particular cybersecurity goals.
CSF 2.0 also interacts better with other popular NIST resources covering enterprise risk management programs and ICT risk management. These resources consist of:
- SP 800-221, Enterprise Impact of Information and Communications Technology Risk: Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio
- SP 800-221A, Information and Communications Technology (ICT) Risk Outcomes: Integrating ICT Risk Management Programs with the Enterprise Risk Portfolio
- SP 800-37, Risk Management Framework for Information Systems and Organizations
- SP 800-30, Guide for Conducting Risk Assessments, from the NIST Risk Management Framework (RMF)
NIST plans to keep enhancing these resources and making the CSF an even more helpful resource for a broader set of users. NIST considers the community’s feedback to have been crucial in the development of CSF 2.0.
As users customize the CSF, we hope they will share their examples and successes because that will allow us to amplify their experiences and help others… That will help organizations, sectors, and even entire nations better understand and manage their cybersecurity risk.
Kevin Stine, Chief of NIST’s Applied Cybersecurity Division
Heimdal®‘s services, products, and solutions are perfectly aligned with NIST’s requirements, offering support for critical infrastructure blueprinting, management, and creation.