What To Know about the Just Released NIST Cybersecurity Framework 2.0

Today, NIST released the CSF 2.0 with new insights and guidance on how to evaluate and communicate cybersecurity risk management. It is a major update that reflects developments in cybersecurity over the past year or so. A defining addition is that the new version gives examples of how to apply the CSF in practice, especially with regard to creating profiles. With these changes, all types of organizations involved with cybersecurity can benefit from following the CSF.

Here are some notable and important framework additions for CISOs and security leaders to familiarize themselves with and be aware of:

Added Govern Function

The five functions (Identify, Protect, Detect, Respond, and Recover) become six in the CSF 2.0 with the addition of the Govern function. The Govern function is intentionally constructed to help organizations make cybersecurity choices that are well-founded and successful. Because it takes a broader perspective, it is an overarching function that informs the other five. It also stresses that cybersecurity risk is of considerable importance to senior leadership, rivaling legal and financial concerns.

Supply Chain Risk Management Focus

The Govern function contains a new category for supply chain risk management. This category includes ten subcategories that describe good practice for establishing and running supply chain risk management programs. It applies to direct suppliers and flows down to lower-tier suppliers.

Also, the use of Framework Profiles is encouraged because they provide a uniform language for outlining the requirements and responsibilities of suppliers. The profiles can be used to create consistent, clear, and concise contracts, and suppliers can use them to demonstrate their cybersecurity posture. Target Profiles are also encouraged because they help identify and address gaps in management.

Real-World Examples

NIST has made implementing the framework more straightforward by providing real-world examples. These help organizations take the CSF's ideas and put them into action smoothly and with guidance. Concrete instances of use can inspire change and adaptation that was previously out of reach because of the disconnect between theory and practical use in the CSF.

Future Framework Additions

NIST stresses the importance of calculating metrics to examine how adopting the recommended strategies has improved an organization's security posture over time. While the CSF does not give detailed instruction on this topic, it does acknowledge the value of metrics. Metrics aid decision-making by analyzing real-world, relevant data. Analysis backed by well-defined metrics allows resources to be focused on the areas that need the most help, and it sustains progress through built-in accountability.

Onyxia streamlines a CISO's ability to measure their security program's adherence to the NIST CSF 2.0, providing Cybersecurity Performance Indicators (CPIs) that map to the NIST CSF 2.0 functions; the platform can also switch globally to a NIST CSF 2.0 aligned dashboard. Moreover, our Security Stack Map enables CISOs and security leaders to quickly understand how well their security tools provide NIST CSF 2.0 coverage across devices, applications, networks, users, and data.
