The cybersecurity framework you’ve all been waiting for: CSF 2.0


The event of the decade is here: The National Institute of Standards and Technology (NIST) has finally released the NIST Cybersecurity Framework (CSF) 2.0. The second version of the CSF aims to give government agencies, industry and other organizations guidance on managing cybersecurity risk. Earlier versions of the CSF were focused on organizations responsible for critical infrastructure. The update expands the CSF’s scope to all organizations, regardless of sector or size.

Kevin Stine, chief of NIST’s Applied Cybersecurity Division, said of CSF 2.0: “Developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad.”

It’s important to note that this document doesn’t prescribe the specifics of how cybersecurity outcomes should be achieved, because it’s a high-level framework. Instead, it links out to a range of other documents (the informative references and implementation examples that accompany the CSF core) that describe how each outcome can be met.

What’s new in the CSF 2.0?

The biggest structural change is a new core function, govern. The core functions organize the high-level cybersecurity outcomes an organization should achieve. The updated list of CSF core functions is:

  • Govern – Governing is all about establishing, communicating and monitoring an organization’s cybersecurity risk management strategy.
  • Identify – An organization’s assets, suppliers and risks need to be identified so that the organization can prioritize where to focus its defensive efforts.
  • Protect – Protecting involves implementing safeguards that manage an organization’s cybersecurity risks.
  • Detect – This core function involves looking for and analyzing anomalies, indicators of compromise, or other potentially adverse events that could be signs of an attack.
  • Respond – When an incident is discovered, it needs to be responded to and contained. This can involve analysis, incident management, mitigation, reporting and communication.
  • Recover – This core function involves restoring normal operations in a timely manner and limiting the effects of cybersecurity incidents.

Govern, identify, protect and detect should be performed continuously, while respond and recover need to be ready to go whenever an incident is detected. Together, these core functions help us manage cybersecurity risk across the whole risk management lifecycle. Each core function is further split into categories and subcategories.

Cybersecurity supply chain risk management (SCRM)

The new CSF also has an expanded section on cybersecurity supply chain risk management (SCRM). SCRM is critical, because our supply chains are immensely complex, which opens the door to attackers if we do not vet our suppliers appropriately and manage the resulting risks. An SCRM program needs to be established and agreed upon by all stakeholders, with roles and responsibilities communicated to all relevant parties, and it should be integrated into the organization’s overall risk management strategy. Not everyone is a fanatic about supply chains, so we won’t bore you with all the details, but if you’re curious, there are a few other updates on SCRM in the CSF, starting at the bottom of page 17.


Cybersecurity and privacy writer.
