By Loc Le
An Evolving Framework for an Evolving Threat
Nearly a decade after its inception, the National Institute of Standards and Technology (NIST) has officially updated its globally recognized Cybersecurity Framework (CSF) for reducing cybersecurity risks. Published and announced via a blog post on February 26, 2024, the new update, dubbed CSF 2.0, directly builds on previous versions, supports the implementation of the National Cybersecurity Strategy, and incorporates years of discussions and public comments to make the framework more effective.
Expanded CSF Brings New Features and Functionality
According to Kevin Stine, chief of NIST’s Applied Cybersecurity Division, the CSF 2.0 “aims to make the framework even more relevant to a wider swath of users in the United States and abroad” and was “developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices.” As a result, the CSF, which previously targeted only critical infrastructure organizations, has now been updated to help all types of organizations and industry sectors reduce cybersecurity risks, regardless of their size or degree of cybersecurity sophistication.
Furthermore, and perhaps the most substantial change, the CSF now includes a new Govern function, which expands on the original five core functions of Identify, Protect, Detect, Respond, and Recover. According to NIST, the Govern function “emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation” and focuses on how organizations should establish, develop, and enforce decisions regarding cybersecurity risk management strategies. Accordingly, it covers organizational governance aspects including:
● Organizational Context (GV.OC): Understanding the ramifications of an organization’s cybersecurity risk management decisions.
● Risk Management Strategy (GV.RM): Operational risk decisions are supported by an organization’s “priorities, constraints, risk tolerance and appetite statements, and assumptions.”
● Roles, Responsibilities, and Authorities (GV.RR): Establishing and communicating the cybersecurity roles within an organization to “foster accountability, performance assessment, and continuous improvement.”
● Policy (GV.PO): Establishing, communicating, and enforcing organizational cybersecurity policy.
● Oversight (GV.OV): Risk management strategies within an organization are informed, improved, and adjusted based on cybersecurity risk management activity and performance results.
● Cybersecurity Supply Chain Risk Management (GV.SC): Organizational stakeholders identify, establish, manage, monitor, and improve cyber supply chain risk management processes.
Enhanced Resources: Tools and Guides for CSF 2.0 Implementation
In addition to expanding its core guidance, the CSF 2.0 introduces a “suite of resources that can be customized and used individually or in combination” to help organizations implement, enact, and update cybersecurity policies over time as needs and capabilities change. One such resource is the new CSF 2.0 Reference Tool, which streamlines the CSF implementation process by “allowing users to browse, search and export data and details from the CSF’s core guidance in human-consumable and machine-readable formats.” Furthermore, the CSF 2.0 offers an informative reference catalog that enables organizations to map their current actions and cross-reference the CSF’s guidance with over 50 other cybersecurity documents. Moreover, NIST has also created quick-start guides that are specifically designed for “small businesses, enterprise risk managers, and organizations seeking to secure their supply chains.” And for those seeking insights into how organizations have used the CSF to improve their cybersecurity risk management, success stories, implementation examples, and community profiles are now available as guidance resources.
A Vital Tool to Guide Global Partners
The release of the CSF 2.0 marks a significant and pivotal advancement in global cybersecurity efforts. With its expanded scope and comprehensive suite of resources, the updated framework empowers organizations of all sizes and sectors with valuable means to implement effective policies and strategies to mitigate cybersecurity risks. In a digital era where such risks are constantly evolving and threatening organizations, the CSF 2.0 emerges as a vital tool for ensuring a safer and more secure digital landscape.