The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) was published in 2014 for the purpose of providing cybersecurity guidance for organizations in critical infrastructure. In the intervening years, much has changed about the threat landscape, the kinds of technology that organizations use, and the ways that operational technology (OT) and information technology (IT) work and interact.
In an effort to update NIST CSF for a broader and more current audience, the agency has finalized and released CSF 2.0, the first major revision of the CSF. There are extensive changes between CSF 1.1 and CSF 2.0, including a fundamental shift in what the framework is able to do. The key changes outlined in CSF 2.0 are explored below.
Expanded Scope
Possibly the biggest difference in CSF 2.0 is its area of focus. While NIST CSF was originally designed specifically to secure OT, the updated version is aimed at all organizations across all industries. Rather than focusing solely on critical infrastructure, this new scope allows the framework to reach and guide more people than ever before.
The CSF 2.0 is the first major update to the framework, but not the first update altogether. Version 1.1 of the CSF, released to the public in 2018, built on the established framework by including additional guidance in several areas, including authentication and identity, self-assessments for cybersecurity risk, mitigation of supply chain threats, and vulnerability disclosure. This update served as an enhancement to the CSF, clarifying and refining certain areas to improve efficacy.
By expanding the scope of the CSF to include organizations across all sectors and industries, CSF 2.0 alters the framework far more substantially. It makes room for organizations “with varying needs and degrees of experience implementing cybersecurity tools,” enabling new adopters to bolster their security posture starting from wherever it currently stands. This means that CSF 2.0 is designed to help not only organizations across all industries, but also organizations of different sizes and levels of sophistication.
Updated Guidance and Resources
Another area of significant change in CSF 2.0 is the guidance and resources provided. Director of NIST Laurie E. Locascio states that the new version “is not just about one document” but rather contains “a suite of resources” that organizations can customize and use in any combination. This allows organizations to change how they use the CSF over time as their needs, resources, and abilities evolve.
The resources provided in coordination with CSF 2.0 include:
- Implementation Examples: Organizations can see examples of actionable steps they can take to improve their security practices in any of the given areas covered by the CSF.
- Quick Start Guides: These resources are designed to provide a plan for achieving certain specific, common cybersecurity goals.
- Mappings: The CSF 2.0 can be visualized in its place amongst NIST’s other projects, showing common themes in interrelated work.
- New Reference Tool: Users can browse and export data from CSF 2.0 with this new reference tool that “simplifies the way organizations can implement the CSF.”
- Searchable Catalog: Organizations can see and search a database of informative cybersecurity reference materials, enabling them to cross-reference best practices and guidance between CSF 2.0 and other security documents.
Increased Focus on Governance
Another major change in CSF 2.0 is the addition of a sixth cybersecurity pillar: governance. Previous versions of the CSF outlined five main pillars to shape cybersecurity practices and strategies: identification, protection, detection, response, and recovery. These all remain crucial areas of focus for organizations looking to fortify their security, but the new update adds governance as another one of the main functions of the CSF.
Governance includes the ways in which organizations develop and implement informed decisions regarding cybersecurity. In CSF 2.0, the importance of executive involvement in cybersecurity matters is stressed. The decisions that organization leaders make about their security strategies will always have a significant impact on the other five functions, so it is important to highlight governance as a key part of mitigating cybersecurity threats.
Crucial parts of governance in an effective cybersecurity strategy include:
- Understanding the context of the organization, the current state of cybersecurity, and circumstances regarding security measures.
- Developing and communicating the priorities, constraints, and risk tolerance at play in the organization’s risk management strategy.
- Establishing and communicating the roles, responsibilities, and authorities of different people in order to improve accountability and performance assessment.
- Overseeing activities and analyzing their results to inform any necessary changes to the organization’s risk management strategy.
Conclusion
By many expert accounts, the guidance of the NIST CSF has helped organizations improve their cybersecurity strategies for the past ten years. The new version of the CSF aims not only to continue that work but also to expand upon it and ensure that it remains adaptable enough to keep up with emerging and evolving threats. The addition of governance as a security pillar, the new accompanying resources, and the broadened scope of CSF 2.0 all serve to make an already solid security framework even more effective.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.