NIST CSF 2.0 is available

Credit: The US National Institute of Standards and Technology (NIST)

NIST has released version 2.0 of the popular Cybersecurity Framework (CSF) with expanded scope to reflect the evolving cybersecurity landscape. This is the first major update since 2014. Its application is beyond critical infrastructure sectors. The previous version, CSF 1.0 provided a flexible and adaptable framework for organizations to manage cybersecurity risks in a way that aligned with their unique context. CSF is widely used as a baseline for compliance by pairing it with other cybersecurity regulations or standards, such as HIPAA, PCI DSS, or ISO 27001.

CSF 2.0 aims to foster internal and external communication at all levels, integrate cybersecurity-related issues with broader enterprise risk management strategies, and improve communication with suppliers and partners. It includes all the previous core pillars and more.

Two features namely the “Govern” function and cybersecurity supply chain risk management are significant.

The “Govern” Function of NIST CSF 2.0

NIST CSF 2.0 release introduces the “Govern” function as one of the core pillars.  This is much needed in this era of digital transformation. A successful cybersecurity program needs a comprehensive and holistic approach coming from the top. This function is designed to help organizations prioritize and achieve the outcomes specified in the other five functions.

A summary of the categories of the “govern” function includes:

Organizational Context: Understanding the organization’s mission, stakeholder expectations, dependencies, and legal and regulatory requirements to inform cybersecurity risk management decisions.

Risk Management Strategy: Establishing and communicating the organization’s priorities, constraints, risk tolerance and appetite, and assumptions to support operational risk decisions.

Roles, Responsibilities, and Authorities: Establishing and communicating clear roles, responsibilities, and authorities for cybersecurity to promote accountability, performance assessment, and continuous improvement.

Policy: Establishing, communicating, and enforcing organizational cybersecurity policies to guide decision-making and ensure consistent implementation of cybersecurity measures.

Oversight: Using the results of risk management activities and performance to inform and adjust the risk management strategy, promoting continuous improvement.

Cybersecurity Supply Chain Risk Management: Identifying, establishing, managing, monitoring, and improving processes for managing cybersecurity risks associated with the supply chain, in collaboration with organizational stakeholders.

Guidance on Cybersecurity Supply Chain Risk Management

The exciting part NIST CSF 2.0 release is the guidance on supply chain risk management. This is a recognition of the increasing importance of third-party relationships in cybersecurity. This is a long-overdue addition, considering the state of data breaches today. Modern organizations are increasingly reliant on third-party vendors, suppliers, and partners to provide goods and services. These third-party partners may have access to sensitive data, such as customer information or intellectual property. Naturally, organizations inherit the cybersecurity risks of their third-party partners. Unvetted third-party relationships have created significant cybersecurity risks in many organizations. Having a vendor or supplier with poor cybersecurity practices is an open invitation for a cyberattack through that partner. Such attacks have led to operational and financial losses for many organizations.

Overall, NIST CSF 2.0 builds on the original framework with emphasis on the importance of governance and supply chain risk management. It also provides clearer and more flexible guidance for organizations of all types and sizes.

Organizations are encouraged to review their security policies and improve on them based on the threat landscape of today.  There are additional resources and lots of goodies included in this publicly available release.