By Gregory Hale
Cybersecurity is constantly evolving and technology shifts frequently, so to help organizations keep up with that dynamic environment, the Cybersecurity Framework (CSF) version 2.0 is now available for all industry sectors, from the smallest organizations to the largest corporations.

In response to comments received on the draft version, the National Institute of Standards and Technology (NIST) expanded the CSF’s core guidance and developed related resources to help users get the most out of the framework.

These resources should provide different audiences with tailored pathways into the CSF and make the framework easier to put into action.

“I’ve been a big fan of the NIST CSF since it was first introduced in 2014. I had the pleasure of attending a couple of the industry workshops that NIST conducted during the development of Version 1 and really appreciated NIST’s strong position they wanted the document to be an overarching framework to provide a common structure and language for IT and OT cybersecurity but had no intention to supersede or replace any existing IT and OT cybersecurity standards,” said John Cusimano, vice president of OT Cybersecurity at Armexa.


Framework, Standards Co-exist
“In fact, they went so far as to map several existing IT and OT cybersecurity standards to the Framework, including ISA/IEC 62443, to demonstrate they can, and should, co-exist. Unfortunately, the understanding that the NIST CSF is an umbrella framework under which many IT, OT (and now IoT and IIoT) cybersecurity standards co-exist is not appreciated by all. Sadly, 10 years later I still get asked questions by clients like, ‘Should we go with NIST or ISA/IEC 62443?’ or I’ll hear statements like, ‘We are a NIST shop,’ ‘We are an ISA shop.’ It’s not an either-or proposition. The Framework and standards like ISA/IEC 62443 were intended to co-exist and complement one another,” Cusimano said. “I’m not sure if the release of v2 will have any impact in addressing that misperception, but I hope it does.”

“In a major milestone for cybersecurity initiatives, NIST has solidified the need for governance in true risk management practices,” said Chad McDonald, CISO at Radiant Logic. “The digital transformation which has taken place since the last NIST Cybersecurity Framework and the evolution of attack strategies mandates that we understand organizational context when we make security decisions. CSF 2.0 introduces ‘Govern’ as a new core function so that organizations begin to measure and manage to the outcomes intended by the five other functions. Govern empowers security executives to prioritize, manage and communicate overall security strategy.”

“The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. “CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.”

The CSF 2.0, which supports implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy.

The CSF’s governance component emphasizes cybersecurity is a major source of enterprise risk senior leaders should consider alongside others such as finance and reputation.

“I’ve long felt that governance was underrepresented in NIST CSF V1 (and 1.1). It was there but kind of force fit into the Identify function,” Cusimano said. “So, I was very glad to see NIST recognize that governance is foundational to any program and should be a stand-alone function (in Govern).”

Available to More Users
“Developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad,” said Kevin Stine, chief of NIST’s Applied Cybersecurity Division.

Following a presidential Executive Order, NIST first released the CSF in 2014 to help organizations understand, reduce and communicate about cybersecurity risk. The framework’s core now centers around six key functions: Identify, Protect, Detect, Respond and Recover, along with CSF 2.0’s newly added Govern function. When considered together, these functions provide a comprehensive view of the life cycle for managing cybersecurity risk.

Image caption: More roads lead to NIST’s updated cybersecurity framework, which features quick-start guides aimed at specific audiences. It also added success stories outlining other organizations’ implementations, and a searchable catalog of informative references that allows users to cross-reference the framework’s guidance. Credit: N. Hanacek/NIST

“If I recall, risk management has been moved into Govern and risk assessment remains in Identify. That makes a lot of sense. Risk assessment is the process of identifying risk but managing risk is a governance function,” Cusimano said.

The updated framework anticipates that organizations will come to the CSF with varying needs and degrees of experience implementing cybersecurity tools. New adopters can learn from other users’ successes and select their topic of interest from a new set of implementation examples and quick-start guides designed for specific types of users, such as small businesses, enterprise risk managers, and organizations seeking to secure their supply chains.

A new CSF 2.0 Reference Tool now simplifies the way organizations can implement the CSF, allowing users to browse, search and export data and details from the CSF’s core guidance in human-consumable and machine-readable formats.

CSF Additions
In addition, the CSF 2.0 offers a searchable catalog of informative references that shows how an organization’s current actions map onto the CSF. This catalog allows an organization to cross-reference the CSF’s guidance to more than 50 other cybersecurity documents, including others from NIST, such as SP 800-53 Rev. 5, a catalog of tools (called controls) for achieving specific cybersecurity outcomes.
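As an added illustration of what that cross-referencing enables (this is example code written for this article, not NIST’s Reference Tool or its published crosswalk): a small gap analysis in Python over a constructed excerpt of the CSF 2.0 core. The function, category and SP 800-53 Rev. 5 control identifiers follow the real naming schemes, but the category-to-control mapping below is a sample assumed for illustration.

```python
"""Gap analysis against a machine-readable excerpt of the CSF 2.0 core."""

# Constructed sample: function -> category -> SP 800-53 Rev. 5 control identifiers
# (informative references). Identifiers follow the real CSF 2.0 / SP 800-53 naming
# schemes, but this mapping is illustrative, not NIST's published crosswalk.
CSF_CORE = {
    "GV": {"GV.OC": ["PM-11"], "GV.RM": ["PM-9"]},  # Govern: risk management strategy
    "ID": {"ID.AM": ["CM-8"], "ID.RA": ["RA-3"]},   # Identify: risk assessment stays here
    "PR": {"PR.AA": ["AC-2", "IA-2"]},
    "DE": {"DE.CM": ["SI-4"]},
    "RS": {"RS.MA": ["IR-4"]},
    "RC": {"RC.RP": ["CP-10"]},
}
FUNCTIONS = ("GV", "ID", "PR", "DE", "RS", "RC")  # the six CSF 2.0 functions


def validate_core(core):
    """Check that a core excerpt names all six functions and that every
    category sits under its own function prefix (e.g. 'GV.RM' under 'GV')."""
    if set(core) != set(FUNCTIONS):
        return False
    return all(cat.split(".")[0] == fn for fn, cats in core.items() for cat in cats)


def category_status(core, implemented):
    """Map each category to 'covered' (all referenced controls implemented),
    'partial' (some) or 'gap' (none), given the controls an organization runs."""
    implemented = set(implemented)
    status = {}
    for cats in core.values():
        for cat, refs in cats.items():
            hit = sum(1 for r in refs if r in implemented)
            status[cat] = "covered" if hit == len(refs) else "partial" if hit else "gap"
    return status


def function_gaps(core, implemented):
    """Return the functions with no fully covered category at all; these are
    the places a risk conversation with senior leadership should start."""
    status = category_status(core, implemented)
    return [fn for fn in FUNCTIONS
            if not any(status[c] == "covered" for c in core[fn])]


if __name__ == "__main__":
    controls = {"RA-3", "AC-2", "SI-4", "CM-8"}  # constructed control inventory
    for cat, st in sorted(category_status(CSF_CORE, controls).items()):
        print(f"{cat}: {st}")
    print("functions with no covered category:", function_gaps(CSF_CORE, controls))
```

With the sample inventory, Govern has no coverage at all, which is exactly the kind of finding the new function is meant to surface to leadership.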

Organizations can also consult the Cybersecurity and Privacy Reference Tool (CPRT), which contains an interrelated, browsable and downloadable set of NIST guidance documents that contextualizes these NIST resources, including the CSF, with other popular resources. And the CPRT offers ways to communicate these ideas to both technical experts and the C-suite, so that all levels of an organization can stay coordinated.

Click here to download CSF version 2.0.
