NIST CSF 2.0 and Its Implications for Cybersecurity
Many companies implement cybersecurity frameworks to provide structure, standardization, and consistency in their approach to cyber risk management. The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is a popular choice that provides a high-level strategic view of how to secure an organization.
The last update to NIST CSF came in 2018 with version 1.1, but a larger overhaul is on the cards with the impending early 2024 publication of CSF 2.0. This article takes a look at the draft publication of NIST CSF 2.0 and helps you understand the implications of these changes for cybersecurity.
Expanding the Scope
The framework initially came to fruition in response to Barack Obama’s Executive Order 13636, "Improving Critical Infrastructure Cybersecurity." This order called for the development of a voluntary framework to reduce cyber risks to critical infrastructure. In 2014, the initial framework was published with the somewhat wordy and narrowly focused title "Framework for Improving Critical Infrastructure Cybersecurity."
The use of the framework quickly broadened beyond critical infrastructure due to several reasons:
There is an increasing frequency and sophistication of cyber attacks on all types of organizations.
The framework is highly flexible and can be adapted to various sizes and types of organizations.
The principles and guidelines were recognized as universally applicable, not just tailored to the type of organization that operates critical infrastructure.
This broader use led to many people calling it the Cybersecurity Framework, but the initial official title remained up to version 1.1. The draft publication of NIST CSF 2.0 opts for the more recognizable and inclusive “Cybersecurity Framework” title. The document’s scope now also refers to all organizations and is no longer focused solely on organizations in the United States.
This change in scope is about more than just simplifying the title. Opting to formally call it the Cybersecurity Framework is a strategic move that will hopefully broaden its appeal and relevance. The name change could persuade more companies to adopt the framework, especially if they perceive it as addressing a wider variety of cyber risk management issues that are pertinent to their operations.
A New Govern Function
The current and previous framework versions divided the framework core into five cybersecurity functions: Identify, Protect, Detect, Respond, and Recover. These functions are essentially conceptual cybersecurity outcomes that guide your approach to managing cybersecurity risks.
Each function in the framework core also contains categories, which provide a more detailed and focused set of objectives (e.g., the Protect function has “Awareness and Training” and “Data Security” as categories). Then there are subcategories, which further break down the categories into specific outcomes (for example, under Awareness and Training, one subcategory is that “all users are informed and trained”).
New to the core of CSF 2.0 is a Govern function that was not present in previous versions. This new function also comes with its own set of categories and subcategories. The inclusion of Govern conveys the need for leadership to be actively involved in overseeing and managing cybersecurity risks rather than leaving them solely to security teams.
The Govern function addresses aspects like executive oversight, risk management strategies, legal and regulatory compliance, and the integration of cybersecurity into organizational culture and decision-making. This change helps to align leadership with the idea that cybersecurity is a critical part of overall business governance. The overall message is that cybersecurity calls for the same level of attention as other key business risks like legal and finance.
Highlighting Supply Chain Risks
Supply chain cybersecurity continues to attract the media spotlight, with many of the most high-profile recent cyber attacks involving a supply chain compromise. Threat actors find and exploit vulnerabilities in contractors, vendors, service providers, and business partners because a single compromise there often has the potential to hit many companies at once.
Given the continued attacks and compromises, NIST CSF 2.0 contains more guidance on effective supply chain cyber risk management. An entire category under the new Govern function is devoted to supply chain risk management, with subcategories that propose outcomes like:
Establishing cybersecurity roles and responsibilities for suppliers, customers, and partners
Knowing all suppliers and prioritizing by criticality
Performing due diligence to reduce risks before entering into formal supplier or other third-party relationships
Overall, this change highlights the pressing need for all organizations to develop capabilities and practices for better managing supply chain risks. Technology and software ecosystems are more interconnected than ever; all it takes is one vulnerability in a supplier’s product or code to potentially leave a company vulnerable to serious data breaches.
More Specific Implementation Guidance
A common critique from organizations looking to adopt NIST CSF is that it lacks specific implementation guidance. A high level of abstraction rather than specific, tactical instructions makes it harder for smaller organizations without a wealth of cybersecurity expertise to implement. Previous CSF versions focused more on what needs to be done in terms of cybersecurity but without specific details on how to do it.
CSF 2.0 aims to address this shortfall with examples of action-oriented processes that help achieve subcategory outcomes. These processes are referred to as implementation examples, and because of the need to update them often with new examples, they will live in a separate document from the main framework.
To better illustrate this change, one subcategory under the framework’s Identify function is that “security tests and exercises are conducted to identify improvements.” The new implementation examples go more granular by providing actionable advice such as “Identify improvements for future incident response activities based on findings from incident response assessments” (e.g., tabletop exercises, cyber attack simulation exercises, tests, internal reviews, and independent audits). This is far more specific than the previous versions, which offered no implementation examples for companies to draw actionable advice from.
Cloud Range’s Team Simulation Programs
If you decide that tabletop exercises and attack simulation exercises are a good way to improve incident response and other areas of cybersecurity, consider Cloud Range’s live-fire cyber range platform. We provide the technology, customization, and hands-on training to improve performance for incident response teams and more.