Security operations · 4 MIN READ · SHAD RAHMAN · DEC 6, 2023 · TAGS: Tech tools
The updated NIST Cybersecurity Framework (CSF) 2.0 gives organizations new guidance and tools for governance, continuous improvement, and supply chain risk, along with tools for strategic planning and program evaluation.
TL;DR of what’s new in the NIST Cybersecurity Framework updates:
- Adds Governance as a core function: NIST CSF 2.0 spells out executive leadership's role in cybersecurity and integrates it with enterprise risk management
- Revises Tiers and Profiles: Tiers characterize how rigorously an organization governs and manages cybersecurity risk (NIST is explicit that they are not maturity levels); Profiles tailor the framework's outcomes to organizational needs
- Expands risk management guidance to cover the entire supply chain ecosystem: promotes ongoing risk assessment and adaptability, with a focus on third-party risk management
The National Institute of Standards and Technology (NIST) is preparing to release the long-awaited Cybersecurity Framework 2.0. The public draft has been available for review since August 2023, and the comment period closed on November 6, so NIST appears on track for its "early 2024" release target.
Many, if not most, security organizations are directly affected. Why? A forthcoming SANS Institute study finds that nearly 74% of organizations that use a security framework use the NIST CSF, nearly double the share of any other framework.
Chart: the most popular frameworks used to assess security programs. The NIST Cybersecurity Framework ranks highest at 73.7%, followed by ISO 27001, NIST SP 800-37, and MITRE. The General Data Protection Regulation (GDPR) ranks in the middle, alongside the Cybersecurity Capability Maturity Model (C2M2) and HITRUST/HIPAA.
Many organizations have already reviewed the draft: nearly 55% of SANS respondents say they will adopt v2.0 or have already begun implementing it based on the drafts, and more than 62% expect to have it operational within 12 months.
We thought it would be helpful if we took a few minutes to overview what’s new in this important update. Before we dive in, a few notes:
- The framework's stated scope now explicitly covers organizations of any size and sector, not just critical infrastructure operators.
- If you’re in a regulated industry or have a more mature security program, the update probably won’t change much for you.
- If you’re in an unregulated industry, CSF 2.0 will help you evaluate your program and plan.
- CSF 2.0 adds a new component (the Govern function) and refines the existing Profiles (for tailoring the framework) and Tiers (for characterizing and communicating where your risk management practices stand).
- If you’re wondering how you’ll operationalize CSF 2.0, it will prove useful for strategic planning, earning investment buy-in, and communicating program maturity up and out (but probably not down—it isn’t prescriptive enough for tactical development and daily operations).
What’s new in NIST CSF 2.0?
Governance
CSF 2.0 adds Govern as a sixth core Function alongside Identify, Protect, Detect, Respond, and Recover. It adds significant detail on executive leadership's involvement in governance, including establishing a cybersecurity risk management strategy, setting expectations and policy, and assigning roles and responsibilities.
It encourages organizations to establish clear lines of communication and collaboration between senior management and cybersecurity staff, and it places a stronger emphasis on integrating cybersecurity into the organization's overall risk management processes. It calls for a risk management approach that aligns with the organization's objectives and accounts not only for security risks but also for broader business risks.
Taken together, these principles tie cybersecurity into the organization's strategic decision-making rather than leaving it as a siloed technical concern.
Tiers
The updated framework keeps the four Tiers (Partial, Risk-Informed, Repeatable, and Adaptive) as a way to characterize and communicate how rigorously an organization governs and manages cybersecurity risk, and to support a structured, scalable rollout of practices in step with that rigor.
Note that NIST is explicit that Tiers are not maturity levels: moving to a higher Tier is warranted only where it reduces risk cost-effectively, not as an end in itself. Used that way, Tiers let organizations self-assess where they stand today and where they aspire to be, set clear and achievable goals for their programs, and take a tailored, risk-focused approach that recognizes one size doesn't fit all when it comes to security practices.
Profiles
NIST CSF 2.0 also retains and expands Profiles, which tailor the framework's outcomes to an organization's specific technical and business requirements, risk tolerance, and available resources, making the strategy more targeted and efficient.
A Current Profile records the outcomes the organization achieves today and a Target Profile records the outcomes it wants to achieve; the gap between the two defines the roadmap for improvement and guides prioritization of cybersecurity activities. CSF 2.0 also describes Community Profiles, shared Target Profiles developed for a sector, technology, or use case, which give organizations a practical starting point aligned to their context and compliance footing.
Continuous improvement
The framework expands its guidance on continuously identifying and assessing cybersecurity risk, and on integrating risk management into business processes and decision-making to drive ongoing improvement. In 2.0, improvement is an explicit category under the Identify function rather than an implied by-product of the other activities.
Since the cybersecurity landscape is inherently volatile, CSF 2.0 encourages agility and adaptiveness. It advocates an iterative cycle of assessment, planning, implementation, and monitoring, and prompts regular review and refinement of security strategies to account for the dynamic nature of threats, vulnerabilities, and technology.
This focus on continuous improvement underlines that security isn't a one-time effort but an ongoing process. By promoting a culture of learning and adaptability, NIST CSF 2.0 helps organizations remain effective and resilient as threats evolve.
Supply chain risk
NIST CSF 2.0 expands risk management guidance to emphasize the security of the entire supply chain ecosystem. In 2.0 this gets its own Cybersecurity Supply Chain Risk Management category under the new Govern function.
The updated framework gives organizations guidance on identifying, assessing, and mitigating risks associated with third parties, and encourages proactively managing supply chain risk by integrating it into the organization's overall risk management processes. This includes assessing supplier practices, ensuring that contractual agreements spell out security requirements and expectations, and planning for incidents that originate with a supplier. With global supply chains increasingly interconnected and vulnerabilities able to propagate through them, CSF 2.0 equips organizations with tools and practices to better safeguard their supply chain and, ultimately, their overall cybersecurity footing.
Stay tuned
Watch this space. In the coming weeks and months, we’ll be providing more detail on how your organization can make best use of CSF 2.0. Specifics will include:
- Getting started with the NIST Cybersecurity Framework
- An updated NIST CSF self-assessment tool to track your progress
- Comparisons of the NIST framework vs. the ISO and CIS frameworks, highlighting the advantages of NIST
You can also use this time to get familiar with what's included in NIST CSF 1.1 and the other areas this framework addresses, beyond the 2.0 changes outlined above.
In the meantime, if you have questions or comments, we’re happy to speak with you and your team.