USA: Deconstructing the new NIST Cybersecurity Framework 2.0 draft
In this Insight article, Michelle Drolet, Founder of Towerwall, discusses the key enhancements and practical insights offered by the newly released draft of the NIST Cybersecurity Framework 2.0 (CSF 2.0).
The US National Institute of Standards and Technology (NIST) released a public draft of the next update to its Cybersecurity Framework, NIST CSF 2.0, in August 2023. The draft is open to public review and feedback until November 4, 2023, and a final version of the framework is expected by early 2024.
What's new in the NIST CSF 2.0?
The NIST Cybersecurity Framework was introduced in 2014 (CSF 1.0) and updated in 2018 (CSF 1.1). Since that last iteration, the threat landscape has evolved dramatically. CSF 2.0 aims to better address the current risk environment and help organizations prepare for future risks and uncertainties. Summarized below are the key changes in the framework's latest iteration:
- expanded scope and applicability: Earlier versions of the framework were called 'Framework for Improving Critical Infrastructure Cybersecurity' - since they were designed around critical infrastructure organizations. The CSF 2.0 has been renamed to 'Cybersecurity Framework' to recognize its broadened use and applicability to organizations of all sizes and industries;
- new emphasis on governance: Govern is now included as a sixth core function alongside Identify, Protect, Detect, Respond, and Recover. This function cuts across all of the others and is called out specifically to increase the participation of organizational leaders in cybersecurity governance, and to align organizational activities with cybersecurity risks, standards, and legal requirements;
- focus on supply chain risk management: Cyberattacks and breaches that arrive through the supply chain are growing rapidly. CSF 2.0 shines a spotlight on the need to incorporate cybersecurity supply chain risk management (C-SCRM), secure software development processes, and related best practices; and
- improved guidance on CSF implementation: The new draft offers enhanced and expanded guidance on how organizations can implement the framework effectively. This includes templates, examples of action-oriented processes, and references to other relevant NIST resources.
Tips and best practices for implementing NIST CSF 2.0
Outlined below are recommended steps and best practices that organizations of any industry or size can use to get the most out of CSF 2.0.
Create and use framework profiles
Framework profiles are used to understand, assess, prioritize, and tailor cybersecurity outcomes; the outcomes are organized into the six core functions and the categories and subcategories beneath them. There are two main types of profile: the current profile, which describes the outcomes the organization is achieving today (for example: five employees are being phished every month), and the target profile, which describes the outcomes the organization aims to achieve (for example: zero successful phishing incidents).
Assessing cybersecurity outcome achievement
After establishing current and target profiles, organizations should conduct a gap assessment to identify shortcomings and prioritize the opportunities for improvement between the two profiles. Using resources such as NIST's Performance Measurement Guide for Information Security (SP 800-55), organizations can define metrics that reveal gaps (e.g., the lack of regular cybersecurity training leading to phishing incidents). Once gaps are identified, corrective actions such as phishing simulation exercises and online training can be implemented to address them.
Use framework tiers to characterize risk management outcomes
NIST recommends that organizations apply the four tiers described in the framework's appendix on Tiers (Partial, Risk Informed, Repeatable, and Adaptive) when creating or updating current and target profiles. This approach helps organizations capture how they perceive cybersecurity risk, determine whether their risk management practices are at an acceptable level, and identify the gaps that must be addressed to advance to the next tier.
Improve communication with external and internal stakeholders
When communication is done right, it can significantly accelerate an organization's journey to its target tier and profile. Taking phishing as the example, it is important to have security policies that clearly state and mandate the protocols and safety measures that employees and other stakeholders must follow when operating online. Leaders should emphasize key security priorities (e.g., reducing phishing), spell out expectations of employees (remain vigilant; identify and report suspicious activity), and report on key cybersecurity initiatives and performance metrics (phishing simulation click-through rate over time, number of incidents reported, etc.).
Manage risk in the supply chain
Organizations should develop the capability to identify, assess, and respond to risks in their supply chain. The Govern function, together with specific categories and subcategories within the other five functions, can be used to strengthen supply chain security. It is also advisable to review the framework profiles of suppliers, particularly when selecting suppliers for high-risk activities or for the processing of sensitive data (for example, whether they adhere to a particular security standard, and their history with phishing and other security incidents).
Continuously improve and fine-tune
A new category called 'Improvement' has been added to the Identify function in CSF 2.0. This addition reflects the fact that cybersecurity is an ongoing process: organizations must regularly revisit their steps, goals, and metrics to ensure that their defenses remain relevant and responsive to threats in a timely manner.
The CSF is a framework, not a standard, so its use and implementation will vary greatly with an organization's risk profile, risk appetite, and risk tolerance. That said, the CSF is a valuable resource for any organization seeking to better understand and assess risk, prioritize risk management initiatives, express complex cybersecurity concepts in a more digestible manner for executives, and foster communication and alignment among all stakeholders. Even organizations without an existing cybersecurity program can use the CSF as a starting or reference point for establishing a more formal one.
Michelle Drolet, Founder, Towerwall