This article explores the updates made to the NIST Cybersecurity Framework, also referred to as CSF 2.0. These updates aim to tackle the constantly evolving cybersecurity landscape. The article provides an overview of the newly introduced ‘Govern’ function, the expanded scope of the framework, the improved guidance, and the integration of the framework with other technology frameworks.
A Practical Update for an Evolving Landscape
The cybersecurity landscape is in a constant state of flux, and the tools and frameworks used to navigate it must evolve with it. Recently, the National Institute of Standards and Technology (NIST) released a public draft of a significant update to its widely used Cybersecurity Framework. Since its initial release in 2014, the NIST Cybersecurity Framework has been an indispensable tool for organisations worldwide, with over two million downloads and use in more than 185 countries.
This update, referred to as CSF 2.0, is the framework’s first complete overhaul. It reflects the changes in the cybersecurity landscape since 2014 and aims to make the framework practical for all organisations, not only critical infrastructure operators.
A New Function: Govern
CSF 2.0 adds a sixth function to the framework: ‘Govern’. This new function underscores that cybersecurity is not just a technical matter but a significant source of enterprise risk that requires the attention of senior leadership.
The six primary functions of the framework now include:
- Identify: Understand the risks to systems, assets, data, and capabilities of your organisation.
- Protect: Implement safeguards to ensure the delivery of critical services.
- Detect: Recognise the occurrence of a cybersecurity event.
- Respond: Take action upon detecting a cybersecurity event.
- Recover: Maintain resilience plans and restore any capabilities or services that have been impaired due to a cybersecurity event.
- Govern: Establish and monitor the organisation’s cybersecurity risk management strategy, expectations and policy, treating cybersecurity as a major enterprise risk.
Integrating Govern Into Your Cyber Security Strategy
In our previous blog, we outlined how to use the NIST framework to create your cyber security strategy. Here we look at how to update that strategy in line with the newly proposed ‘Govern’ function.
The first step in integrating the new ‘Govern’ function is to establish clear roles within your organisation, including defining who among senior leadership will be accountable for cybersecurity decision-making.
Once these roles are defined, the next step is to develop a comprehensive cybersecurity strategy outlining the organisation’s overall approach to managing cyber risks. This strategy should align with identified risks and assets, as defined in the ‘Identify’ function.
As part of the strategy, integrate cyber risks into overall enterprise risk management so that they are considered alongside other organisational risks. Additionally, implement cyber supply chain risk management policies to assess and monitor the risks posed by third-party suppliers and service providers.
The strategy should be continuously reviewed and updated to address evolving threats and business needs. Organisational leaders should be involved in overseeing and regularly assessing the effectiveness of the cyber risk program, enhancing it based on those assessments.
In general, the ‘Govern’ function enables a holistic approach to cybersecurity management across the organisation in collaboration with the other CSF functions. It elevates cybersecurity as an enterprise-wide priority requiring governance and direction from senior leadership.
Broadened Scope and Improved Guidance
CSF 2.0 broadens its scope beyond critical infrastructure sectors to encompass all organisations, regardless of size or sector. This expansion reflects the increasing relevance of cybersecurity to every type of organisation, from small businesses and nonprofits to government agencies.
The draft also provides expanded guidance for creating profiles, tailoring the framework to specific sectors, situations, and use cases. It includes implementation examples for each function’s subcategories, particularly assisting smaller firms to understand and apply the framework effectively.
Integrating Other Technology Frameworks
One of the key objectives of the CSF 2.0 update is to guide organisations on leveraging other technology frameworks, standards, and guidelines while implementing the CSF. To support this, NIST has launched the CSF 2.0 Reference Tool, an online resource that allows users to browse, search, and export the CSF Core data in both human-readable and machine-readable formats.
The Road Ahead
NIST is accepting public comment on the CSF 2.0 draft until November 4, 2023, with plans to publish the final version in early 2024. This is a unique opportunity for organisations to contribute their insights and suggestions.
The NIST Cybersecurity Framework continues to evolve and adapt, staying relevant, flexible, and effective in managing cybersecurity risk for all organisations in the changing cybersecurity landscape.
Work With RiverSafe
RiverSafe specialises in providing expert consultancy services to help you manage your assets and mitigate potential threats. Our team of experts can assist you in developing and implementing a comprehensive cyber security strategy tailored to your specific needs. To learn more about how we can help you, contact us to request a free consultation.