Everything You Need to Know About NIST 2.0

March 7, 2024 | NIST

The National Institute of Standards and Technology (NIST) recently announced the official release of version 2.0 of its Cybersecurity Framework (CSF), the first major update since the standard’s creation in 2014. 

The CSF 2.0 update was designed to expand the audience of the CSF beyond its focus on critical infrastructure to include organizations of all sizes across industries, from small nonprofits to major enterprises. 

According to Larry Kinkaid, cybersecurity consulting manager at BARR, “NIST is typically seen as ‘too much’ and cost-prohibitive for organizations with resource constraints, such as startups and small- to medium-sized businesses. This update makes aligning to the NIST CSF significantly more accessible to all organizations, and not just critical infrastructure.”

In addition to expanding its overall audience, the framework also has a new focus on governance, aiming to help organizations incorporate cybersecurity risk management into their overall risk management strategy. The framework includes six key functions: identify, protect, detect, respond, recover, and the newly added govern function. Let’s take a closer look at how these functions work together to create a foundation for security risk management:

  1. Identify: This function involves identifying and understanding the organization’s critical assets, threats, and risks. Identifying the core assets of an organization allows leadership to make informed decisions on resource allocation and overall risk appetite.
  2. Protect: Once organizations have identified what they need to protect, they can implement security controls, policies, and procedures to protect their systems and data.
  3. Detect: Even with protections in place, incidents can still occur. The detect function involves monitoring for and detecting potential security incidents.
  4. Respond: This function involves having a well-defined incident response plan to follow in the event of a security incident or breach.
  5. Recover: This function involves being able to restore critical operations and key functions after a breach or other incident.
  6. Govern: This new function involves establishing policies and procedures that align cybersecurity efforts with business objectives.

The newly added governance component of CSF emphasizes that cybersecurity risk should be considered within the same context as other risks, such as finance and reputation, and should inform how organization leaders make strategic business decisions. 

Alongside the release of NIST CSF 2.0, NIST has also released several guides and tools to help organizations simplify the implementation process. The CSF 2.0 Reference Tool allows users to browse and export CSF guidance in simple formats, and its searchable catalog of informative references shows how an organization’s current actions map onto the CSF. Moving forward, NIST will continue to create and build informational resources to help organizations implement the CSF.

Interested in learning more about NIST CSF 2.0 and how to get started with implementation? Contact us today. 