The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) stands as a versatile security blueprint applicable across all industry segments. Its flexibility allows organizations to customize and scale the framework to suit their unique needs. On February 26, 2024, NIST released version 2.0 of the CSF, introducing pivotal enhancements to bolster its accessibility and adaptability, aiding organizations in managing and mitigating cybersecurity risks effectively.
The new framework has significant changes that help organizations manage and reduce cybersecurity risks more effectively. These changes also make it easier for all users to navigate and utilize the framework. Transitioning to the new standards will take time and effort. The end result will be standards that are better suited to each organization's risk tolerance, industry, size, and operational needs.
Key among the changes in the NIST CSF 2.0 is the addition of “Govern” as a sixth core function, joining Identify, Protect, Detect, Respond, and Recover as the primary areas of focus in a cybersecurity program. The addition of the “Govern” function in the NIST CSF 2.0 highlights the critical role that governance plays in an organization’s cybersecurity risk management strategy.
The function involves activities to create and enforce policies for the organization's cybersecurity program. This includes defining the organization’s cybersecurity strategy, roles and responsibilities, and resource allocation. It also includes oversight and monitoring of cybersecurity activities to ensure compliance with policies and standards.
Good governance is important to make sure a company's cybersecurity practices match its goals and risk tolerance. Governance helps prioritize cybersecurity, allocate resources, and measure effectiveness of cybersecurity efforts in an organization.
The function involves creating a cybersecurity structure with clear roles. It also includes conducting risk assessments and audits to find and mitigate cybersecurity risks, and developing and enforcing cybersecurity policies to help ensure consistency and continuity. Lastly, it emphasizes security training and awareness programs to make employees key security assets.
The NIST Cybersecurity Framework encourages organizations to be proactive in managing cybersecurity risks by adding the Govern function. This helps organizations identify their security strengths and weaknesses. It also helps them make informed decisions about investing in cybersecurity tools and resources. Additionally, it promotes a culture of security awareness and accountability within the organization.
Managing supply chain risk is now a top priority due to the current threat landscape and interconnected operating environments. NIST CSF 2.0 effectively addresses these risks.
NIST has added a new section to focus on Cybersecurity Supply Chain Risk Management (C-SCRM) within the "Govern" function. It outlines the main goals for organizations in C-SCRM. Organizations can use the new Quick-Start Guide in the NIST Cybersecurity Framework 2.0. This guide can help them assess their current C-SCRM capability. They can use CSF to identify, prioritize and mitigate risks in their supply chain. They can then establish procedures to address these risks and continually enhance their C-SCRM program.
Securing the supply chain protects the organization’s IT assets and business operations and fosters the trust of its customers and partners. It also helps ensure that the supply chain can withstand evolving threats. Ultimately, effective risk management is essential for building a strong cybersecurity posture and safeguarding the overall security and resilience of the organization.
The updated CSF now includes tiers and organizational profiles, which organizations can tailor to their specific needs and security requirements. This customization also makes it easy to compare an organization’s profile against standard profiles based on industry, risk, and importance.
This flexibility helps organizations prioritize their security efforts and resources according to their specific requirements. Organizations can compare their current security posture (their current profile) against a standard industry profile, which shows how well their security measures align with industry standards.
Overall, the updated CSF will enhance organizational security maturity, improve risk management strategies, and ultimately strengthen the overall cybersecurity posture. The CSF will help organizations protect their important assets and data from cyber threats by offering a personalized security approach.
NIST has added new tools to the updated CSF to make it easier for people to use. These tools include quick start guides, implementation examples, and informative references.
The quick start guides provide organizations with a plan for using the CSF. This makes the process easier by breaking it down into simple steps. This helps companies start faster and more efficiently, saving time and resources needed for implementation.
Implementation examples offer real-world scenarios and case studies of how organizations have successfully implemented the CSF. These examples can serve as inspiration for companies looking to adopt the framework and provide valuable insights into best practices.
Informative references provide additional resources and guidance on specific topics related to cybersecurity, helping organizations navigate complex issues and make informed decisions. By offering a wealth of information and support, NIST is making it easier for companies to adopt the CSF and improve their cybersecurity posture.
RubinBrown’s dedicated team of cybersecurity professionals understands the nuances of CSF 2.0 and will be ready to assist organizations with upgrading their standards from previous versions of NIST or transitioning from other frameworks.
For more information about the new NIST CSF 2.0, or to inquire about our cyber-health checkup, security assessment, penetration testing, or compliance analysis, visit www.rubinbrown.com/cyber.
Published: 04/16/2024