The NIST Cybersecurity Framework (CSF) helps organizations improve risk management with a common language that focuses on business drivers for improving cybersecurity.
NIST CSF 1.0 was released in February 2014 and version 1.1 was released in April 2018. In February 2024, NIST released the latest CSF iteration, version 2.0. The CSF 2.0 effort began with a February 2022 Request for Information (RFI). Over the next two years, NIST engaged with the cybersecurity community through analyses, workshops, comments, and draft revisions to refine existing standards and create new models that reflect the evolution of security challenges.
Although the core of the CSF remains the same, the new version has some notable additions. We discuss what businesses need to know about the new framework, how it affects operations, and how IT teams can effectively apply CSF version 2.0 in their daily work.
New in NIST CSF 2.0: The governance function
The first notable addition is the introduction of a "Govern" function that underpins all five functions of the original NIST framework: identify, protect, detect, respond, and recover. As stated in the original CSF 1.0 documentation, "These Functions are not intended to form a serial path, or lead to a static desired end state. Rather, the Functions can be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk."
As a result, the functions are often depicted as a five-part circle surrounding the CSF core. Each function leads to the next, and no function is independent of the others.
NIST CSF 2.0 retains these five functions but adds Govern as a complete inner ring that sits beneath the five outer functions. Govern focuses on ensuring that the other functions align with business needs, are regularly evaluated by operations teams, and are managed by security personnel.
In other words, Govern brings leadership into the security conversation. This is already happening in most companies, but CSF 2.0 makes it a priority.
Expanded best practices
The first two CSF versions prioritized critical infrastructure. Although other industries and government agencies have adopted the framework, it was primarily designed to reduce the impact of cybersecurity incidents in critical infrastructure sectors.
However, the widespread adoption of this framework has made it clear that the practices and processes apply to public and private organizations across all sectors and industries. As a result, NIST CSF 2.0 provides expanded best practices that are broadly applicable to enterprises of all sizes and types.
For example, the new CSF recommends that all companies create an organizational profile that describes their current and target cybersecurity posture. This allows companies to set goals and define the practices needed to achieve them. The new framework also emphasizes the role of community profiles. These profiles address cybersecurity interests and goals shared by multiple organizations that serve the same sector or subsector, use similar technologies, or face similar types of threats.
Make the most of the new NIST guidelines
The new NIST CSF focuses on strengthening governance and extending best practices to help enterprises strengthen security and reduce risk. To implement this framework effectively, organizations benefit from a four-pronged approach.
1. Use available recommendations and resources
The growing scope and scale of CSF 2.0 may make it difficult for businesses of any size to implement the new recommendations effectively. For small businesses, limited IT support may hinder the development of new practices, while larger organizations may struggle with the complexity of their IT environments.
To streamline processes, companies need to make the most of available resources, including:
2. Bring leaders up to speed
Next on the list is to get your leaders on board. Although CSF 2.0 was designed with governance and oversight in mind, many non-technical executives may have limited knowledge of the framework and its implications. That's why it's a good idea for IT leaders, such as CTOs, CIOs, and CISOs, and their teams to sit down with board members to discuss the implications of CSF 2.0. This is also an opportunity to ensure that your business goals and security strategy are aligned.
In addition, these meetings provide an opportunity to define key security metrics, determine how they will be collected, and create a detailed schedule for collection, reporting, and action. By involving leaders in the conversation from the early stages of CSF implementation, companies can set themselves up to achieve sustained visibility.
3. Evaluate external partnerships
As part of the new Govern function, CSF 2.0 includes a new category on supply chain risk management covering vendors and suppliers. For example, GV.SC-04 focuses on knowing your suppliers and prioritizing them by their criticality to your business, while GV.SC-06 covers the planning and due diligence required before entering into a formal supplier or third-party relationship. Finally, subcategory GV.SC-10 helps companies plan for the activities that follow the end of a relationship with a supplier or partner.
Given the increasing risk and impact of third-party breaches, these evaluations are important. If a supplier or vendor with access to a company's sensitive data is compromised because of poor cybersecurity practices, the organization is at risk regardless of whether it is itself aligned with CSF 2.0.
4. Deploy management and monitoring tools
To support all five existing functions and provide the data needed to inform the new governance efforts, enterprises need management and monitoring tools that let them detect potential threats, track indicators of compromise (IOCs), and take action to reduce risk.
For example, threat intelligence tools can help organizations identify common attack patterns and targets, thereby providing teams with the data they need to create and deploy effective countermeasures. This data also helps tie security spending to measurable business outcomes.
From best practices to common practices
CSF 2.0 is the latest version of NIST's cybersecurity framework, but it won't be the last. As NIST notes, the framework is designed to be a living document that will evolve to meet new cybersecurity needs and help businesses address the changing threat environment.
In practice, this means moving from best practice to common practice. For example, while versions 1.0 and 1.1 provided critical infrastructure best practices, version 2.0 incorporates them as common practices for all organizations and defines a new best practice: governance. Over time, this practice will become commonplace, setting the stage for further developments to help organizations enhance threat detection, improve incident response, and reduce overall risk.