NIST CSF v2: Unlocking the Next Iteration of Cybersecurity 

The National Institute of Standards and Technology (NIST) is currently developing version 2.0 of its Cybersecurity Framework (CSF). At the time of this writing, a Discussion Draft of the NIST CSF 2.0 Core document has been published and a request for comments has been opened. This article explores and comments on the most important changes proposed for this new version of the widely adopted framework.

Expanding the Reach: NIST CSF 2.0 Becomes a General Framework for All Industries and Countries

At its inception, NIST CSF was built with critical infrastructure industries in mind. Its wide adoption across all industries and countries since then will be reflected in the new version: the language is being revised and the focus broadened so that the CSF serves as a general framework that can be applied regardless of an organization's industry, size, or location.

Practical Implementation Examples: A Key Addition

A widely requested feature during the RFI phase of the new version's development was implementation examples. CSF 2.0 will include "Core Implementation Examples" for each of its subcategories. These examples offer concise, action-oriented measures that illustrate in practical terms how the outcome described by each subcategory can be achieved.

Emphasizing Governance: Introducing the Govern Function

Version 2.0 of the NIST CSF places increased emphasis on governance through the creation of the new Govern Function. It will include requirements related to documentation (policies and procedures), roles and responsibilities (which were previously scattered across the different categories), risk management strategy, and organizational context. This change reflects current trends in how cybersecurity governance is viewed and implemented: as a cross-cutting effort that sets the high-level direction for the other security capabilities.

Addressing Supply Chain Risk: Enhancements

Supply chain risk is also a growing concern for all industries, and NIST CSF 2.0 will reflect that with changes to the Supply Chain Risk Management category. The changes aim to align third-party risk management and access management with the overall strategy of the organization. The requirement for a supplier termination and transition process with security considerations is also a welcome addition, as it closes a common gap in the supply chain process.

Revamped Recover and Respond Functions: Streamlined Incident Management

The last changes we want to highlight are the revamped Recover and Respond Functions. With incident management practices at their core, the subcategories are now more specific, use standard terminology, and follow a typical incident management lifecycle. This greatly improves readability and usability during assessments, since the structure mirrors the practices most organizations already implement.

NIST's increased focus on international and multi-industry collaboration is helping shape the new version of the framework into an even better tool for assessing and understanding the cybersecurity posture of any kind of organization.

Summary

NIST CSF has proven to be a strong framework for building a comprehensive strategy and is well designed to support concise, risk-based roadmaps that can be easily communicated to the Board of Directors and key senior executives.

At MAKINSIGHTS, we have helped several organizations adopt a NIST-centric risk and control maturity methodology as a cornerstone of their information security program, identify key functional and technological areas for immediate emphasis, and carry out key cybersecurity and InfoSec service enhancement efforts.

Please feel welcome to book a consultation with us via ideas@makinsights.com or through calendly HERE.


Image from https://www.nist.gov/cyberframework/updating-nist-cybersecurity-framework-journey-csf-20
