NIST Cybersecurity Framework (CSF) 2.0

In 2014 the National Institute of Standards and Technology (NIST) released their first version of the NIST cybersecurity framework (CSF) entitled "NIST Framework for Improving Critical Infrastructure". CSF 1.0 was created to provide a comprehensive framework for industries looking to organize, create, or improve their cybersecurity program. This framework offers guidance on responding to, recovering from, and identifying cyber incidents.

One of the biggest issues this framework addresses is the lack of cybersecurity standards, guidelines, or rules across the critical infrastructure space. To this day CSF 1.0 is considered the gold standard for organizations wanting to improve their overall security posture. However, as the threat landscape evolves, so to must the standards and guidelines businesses use to protect themselves. On August 8th, 2023, NIST released their first draft of the CSF 2.0 which brings must needed changes to the already comprehensive framework. Here is an outline of the current NIST CSF and what is changing in the upcoming revision.

What is the NIST CSF?

The NIST cybersecurity framework consists of five core pillars that are further divided into categories that outline different areas of focus. Within these categories are subcategories that outline specific actions and controls that organizations should implement within their cybersecurity program. Originally intended for critical infrastructure, the new CSF broadens its scope to include any industry and organization of any size. Additionally, CSF 2.0 includes a sixth pillar that cuts across the previous five entitled "govern".

Here is an outline of all six pillars:

• Identify: The first step for any organization is to identify key areas of risk as well as inventory all critical business assets, employees, data, and resources that may be at risk. This pillar lays the ground work for every other pillar as it organizes the resources required to do business and the risks associated. This pillar may include identifying hardware and software assets, its role in the supply chain, vulnerabilities present, and what constitutes "risk". Security assessments are a great tool to understand where the gaps in your organizations security lie.
  
• Protect: This function outlines safeguards and controls to help reduce cyber risk including security awareness training, identity management and access control, consistent management of organizational resources.
• Detect: Every organization should have policies and controls in place to detect and identify cyber risks and malicious activity in their systems. These controls should alert businesses when an anomaly or event is detected and what the impact will be.
• Respond: In the event of a cyber incident, every organization should have plans in place for how to respond. This responds should have controls in place to reduce the impact of a data breach or cyber attack and includes communications between admins and forensics specialists, analyzing the incident to determine how a breach occurred, and ensuring the plan is enacted accordingly.
  
• Recover: Getting back to operations as normal is crucial for an organization facing a cyber event. Extended downtime, loss of data, and corrupted technology can destroy a business. The recover function of NIST CSF outlines the plans and processes to restore any compromised systems and assets.

The "Govern" Function

The biggest change to the NIST CSF is the addition of a new core pillar titled "govern". This new function offers guidance for how organizations should make decisions in supporting their cyber security plan. The governance function is one that applies to every other core pillar in that it emphasizes security as a enterprise level risk that involves administration and senior leadership.

Cybersecurity shouldn't just be relegated to the "IT department" but should be considered across every department including leadership.

What Should You Do?

The NIST CSF is available for any organization that wants to better define their cybersecurity program. In regards to CSF 2.0, the public draft will be open to feedback until November 4th, 2023 for any comments or concerns. You can read more about NIST CSF 2.0 on their official website. 

CorpInfoTech can also provide assistance to SMBs who want to implement NIST controls into their cybersecurity strategy. Through security assessments, managed IT and security services, and compliance help we can ensure that small-medium sized businesses receive the tools necessary to protect their business from cyber criminals.