The NIST Cybersecurity Framework

NIST, the US National Institute of Standards and Technology, has released a new draft version of its Cybersecurity Framework (CSF).  This 2.0 version of the voluntary Framework is the first refresh to the current 1.1 version released in 2018. 

NIST, the US National Institute of Standards and Technology, has released a new draft version of its Cybersecurity Framework (CSF).  This 2.0 version of the voluntary Framework is the first refresh to the current 1.1 version released in 2018. 

At a high level, the CSF is a set of guidelines intended to help organizations improve their cybersecurity practices and effectively manage their cybersecurity risks.  By following the Framework, organizations can enhance their overall cybersecurity posture, minimize cybersecurity risks, and safeguard critical assets and data. 

The Framework Core is a set of cybersecurity outcomes which are arranged by function, category, and subcategory.  It also includes examples of how those outcomes might be achieved by providing implementation examples and references to additional guidance.  It’s not a checklist to follow because the actions needed to achieve a cybersecurity outcome will differ by organization and use case.

Changes to the Cybersecurity Framework

Expanded Scope

The scope of the Framework has been expanded.  The CSF was initially developed with the focus of protecting critical infrastructure such as banking and energy industries, but the Framework has been useful in other sectors from small businesses, education, to local governments. 

Expanded Implementation Guidance

The updated version provides improved and expanded guidance on the implementation of the CSF.  The use of Framework Profiles tailors the CSF for specific use case scenarios.  Examples of Profiles include a specific scenario such as “How to Use the Cybersecurity Framework Profile for Connected Vehicle Environments,” or a more general topic of “Ransomware Risk Management.”

The Framework will also now include implementation examples for each of the function’s subcategories to help organizations use the framework more effectively.  These examples are not contained in the main framework document but will be maintained separately in an online format called the NIST Cybersecurity and Privacy Reference Tool (CPRT).  This will allow for more frequent updates to keep information current.  This tool is currently in Phase 1 of its development and will be expanded as it matures.

New Pillar

The CSF has added a new pillar to the previous five main functions of identify, protect, detect, respond, and recover.  The sixth pillar that was added is the Govern function.  The new pillar focuses on the establishment and monitoring of the organization’s cybersecurity risk management strategy, expectations, and policy. 

The Govern function isn’t an entirely new topic in the CSF.  17 of the 31 subcategory items in the Govern function have been moved from one of the other five functions.  In addition to new subcategories being added an entirely new category was added related to Oversight. 

One new focus is the emphasis on organizational leadership bearing responsibility and accountability for cybersecurity risk and an organizational culture that is risk-aware, ethical, and continually improving.  It shows cybersecurity isn’t just a function of IT but rather needs to be a part of the organization’s overall governance and strategic planning.

Conclusion

The changes to the new (draft) version of the NIST CSF bring an expanded scope to include more than just “critical infrastructure” sectors.  Framework Profiles / use cases help to tailor the Framework to organizational and sector goals.  Implementation guidance for each of the Function’s subcategories helps organizations to use the framework more effectively.  Finally, the addition of the sixth pillar of Govern shows the importance of the integration of cybersecurity into overall business strategy and oversight.

Marcus Thompson is the Founder and CEO of Expedient Technology Solutions, LLC, located in Miamisburg, OH.  ETS is a cybersecurity-focused managed services provider bringing technology and cybersecurity solutions to area organizations.  Marcus holds many cybersecurity certifications including the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM).