The NIST Cybersecurity Framework (CSF) is a framework designed to provide cybersecurity risk-management guidance to private and public industries, government agencies, and other organizations . It is intended to be applicable for use by any organization regardless of it’s size or scale, age, or sector.
The version 2.0 of the cybersecurity framework is much more extensive with its core guidance and lists additional subcategories as well as links to online resources that offer further guidance on practices to achieve these objectives. The guidance is divided into six areas of focus: identify, protect, detect, respond, recover, and govern.
This article unravels the NIST Cybersecurity Framework, the major changes outlined in CSF 2.0, and some of the ways in which it can be adopted.
The NIST Cybersecurity Framework
Overview
The NIST Cybersecurity Framework (NIST CSF) was first introduced in 2014 by the National Institute of Standards and Technology to bolster the security of infrastructure within the United States. By establishing a common set of standards, goals, and terminology to reduce the risk and impact of cyberattacks.
By promoting the shared framework, the NIST CSF aids in better decision-making and encourages security standards to address threats such as phishing and ransomware.
The initial version was updated to Version 1.1 in 2018, adopting major changes such the inclusion of the Identify core function, additional sub-categories and improved clarity. The draft copy for version 2.0 of the framework was released with the intention of receiving public feedback in August 2023 and closed for comments in November 2023, the final release of Version 2.0 was released in February 2024.
Since the new framework demonstrates increased flexibility to various situations, the NIST has recommended its voluntary self-adoption by organizations of all sizes.
Target Audience
The primary audience for the framework comprises of individuals responsible for developing and overseeing cybersecurity planning and strategization within organizations.
It is also relevant for other roles involved in risk management, such as executives, board of directors, acquisition professionals, technology experts, risk managers, legal professionals, human resource specialists, and auditors who specialize in cybersecurity and risk management.
Additionally, the CSF can serve as a useful asset to those involved with the making and influencing of private and public policy (e.g., associations, professional organizations, regulators) who establish and communicate priorities for cybersecurity risk management.
Major Changes in NIST Cybersecurity Framework 2.0
Released in February 2024, the NIST Cybersecurity Framework 2.0 is the latest revision to the framework.
Inclusion of ‘Govern’ Core Function
While the previous framework stated ‘Identify, Protect, Detect, Respond, and Recover’ as its core functions in implementation, the new framework includes ‘Govern.’
Govern seeks to addresses the establishment of cybersecurity strategy, cybersecurity supply chain risk
management, roles, responsibilities, authorities, policy, and the oversight of cybersecurity strategy within the organizational context.
More Extensive Sub-categories and References within Core Functions
CSF version 2.0 includes additional categories and subcategories of cybersecurity goals and standards within the listed core functions, as well as hundreds of other helpful references to assist readers. The new framework is much more extensive with its definitions and resources.
Expanded Scope
The new framework’s scope has expanded beyond just the protection of critical infrastructure, such as water facilities and power plants, to providing safety standards for all organizations regardless of sector or size.
This expanded scope is reflected in the change of the CSF’s official title to “The Cybersecurity Framework,” from the earlier “Framework for Improving Critical Infrastructure Cybersecurity.”
This reflects an earlier request from the US Congress for the framework to expand its guidance to aid small businesses.
Framework Tiers
The new tiers define how a company handles cybersecurity risks, allowing them to adopt the tier that best fulfills their objectives, decrease cyber risk to a desirable level while accounting for difficulties in implementation.
The tiers offer progress starting from 1 (‘Partial’) to 4 (‘Adaptive’) with rising level of sophistication but additional efforts in implementation.
Framework Profiles
The CSF profiles aid companies in finding the right path that’s right for them to reduce cybersecurity risks. Each profile lays out an organization’s “current” and “target” positions and in meeting the criteria in transforming from one profile to the other.
Focus on Supply-Chain and Third-Party Risk
The framework incorporates new supply chain guidelines as part of the core ‘Govern’ function, and expects that cybersecurity risks within software supply chains should be considered while an organization carries out its functions.
Moreover, the NIST framework reminds organizations to plan and conduct due diligence to reduce risks prior to entering agreements with supplier or other third-party contractors.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.