What's new in NIST's Cyber Framework?
The original framework does an “excellent” job of establishing what should be included in a security operations program, but updates were needed for the clarity and modernization included in version 2.0, said Ken Dunham, cyber threat director at Qualys Threat Research.
“Based on how the framework is designed and deployed, the core of a SecOps program will not change quickly over time,” says Dunham. “But over the years, we need to improve clarity, consistency and modernization.”
Version 2.0 represents appropriate change management controls to upgrade a stable and strong cybersecurity framework, he added.
Alice Fakir, federal cybersecurity services partner at IBM, says version 2.0 provides a better understanding of how to decide whether controls or standards need to be implemented.
“As part of the framework update, there is a focus on timeliness and reporting,” says Fakir. “While this updated framework calls for greater awareness and improvement of security controls around supply chain and third-party risks, it is important to add that communication layer.”
Addition of a set of cyber resources
“With version 2.0, NIST created a holistic approach based on the principles of identify, protect, detect, respond, and recover,” said Jason Porter, CTO of Optiv + ClearShark.
“NIST provided this to show that the framework starts with the core and builds from there,” Porter said.
For example, the Cybersecurity and Privacy Reference Tool (CPRT) features an interconnected repository of NIST guidance documents and provides context for these resources, including frameworks and other widely used references. CPRT also facilitates the communication of these concepts to both technical experts and executives, with the goal of promoting organizational alignment across all levels.
Quickstart guides are tailored to a variety of user profiles, including small and medium-sized businesses, enterprise risk managers, and organizations looking to strengthen their supply chain security.
The new CSF 2.0 Reference Tool is designed to streamline implementation by allowing users to browse, search, and export Core guidance data and details in both human-readable and machine-readable formats, says Fakir. The tool also includes a searchable bibliography catalog that cross-references current actions and framework guidance with more than 50 cybersecurity publications, including NIST's Special Publication 800-53 Revision 5.
The dozen community profiles created in version 2.0 are designed to give organizations in the same sector common goals and outcomes when faced with similar challenges, said Steve Vetter, senior global government strategist at Cisco.
“This started a conversation, a sharing of data, and overall a very important sharing of thoughts, ideas, and approaches,” Vetter said. “These profiles are packaged in a way that makes it easy to determine where you are and where you want to get to. That will be very helpful.”