NIST releases updated cybersecurity framework
The US-based National Institute of Standards and Technology (NIST) has released its updated cybersecurity framework (CSF) Version 2.0 – one of the most significant updates to the framework since its first release in 2014.
The new version has a considerably wider scope: it has expanded beyond the cybersecurity requirements of critical infrastructure to a framework that can be applied to any organization, so that all of them can realise the full potential of the CSF. Another significant change is the addition of a new function, ‘govern’, with the framework now consisting of six core functions:
- Identify
- Protect
- Detect
- Respond
- Recover
- Govern
NIST’s view is that together these functions form a lifecycle for managing cybersecurity risk, with the governance function added to highlight the significance of that risk and the importance of considering it at senior leadership level.
“The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation,” according to a NIST press release.
In a move that will undoubtedly be welcomed by industry professionals, the new framework is seeking to move the position of cybersecurity from a cost centre to an area of investment to protect and support organizations’ technology systems. At a time when different departments are fighting for budgets, such a change is likely to make it easier for management to open the purse strings.
In response to user feedback, Version 2.0 also goes beyond its status as a best practice document and includes resources to help implement the guidance — an aspect which becomes particularly important as the framework is extended to a broader range of new users. Those unfamiliar with cybersecurity best practice can access ‘success stories’ about the implementation of the guidance from other users, as well as a series of ‘quick-start guides’ designed for these new users, covering implementation of the CSF in small businesses as well as within their supply chains. Such detail will be welcomed by practitioners, who frequently criticise regulators for the lack of guidance and ‘real life examples’ when introducing new regulations. [1]
Kevin Stine, chief of NIST’s Applied Cybersecurity Division, said in a statement that the 2.0 framework has been “developed by working closely with stakeholders” whilst also “reflecting [on] the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad.” [2]
Looking ahead, NIST also plans to grow the bank of available resources and build on the feedback from this new community of users. The Institute’s hope is that the more case studies of CSF application in different sectors are shared, the more other organizations will be able to learn from them and reduce their own cybersecurity risk.
Citations
[1]
[2]