Since its debut in 2014, the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) has been a useful guide for organizations, especially in critical infrastructure sectors like healthcare, utilities, and manufacturers, seeking to better manage cybersecurity risks. Developed as a voluntary framework, it offers high-level guidance grounded in existing standards, guidelines, and practices.
However, the threat environment has shifted significantly over the years, growing in sophistication and scale. Cybersecurity is no longer just about firewalls and antivirus software; it’s about managing intricate systems and responding to advanced threats that have financial, operational, and national security implications.
Recognizing this evolution, the National Institute of Standards and Technology (NIST) has recently published a public draft of the CSF 2.0, a timely update aimed at addressing both the current and forthcoming challenges in cybersecurity.
Key Updates in NIST CSF 2.0: More than Just a Facelift
The NIST Cybersecurity Framework 2.0 is not a mere polishing of the old guidelines; it’s a comprehensive update designed to match the pace of today’s ever-evolving cyber landscape. Let’s unpack each main update to explain how it addresses the root causes of today’s greatest cyber threats.
The Addition of a Sixth Function: Govern
The original NIST Cybersecurity Framework was built around five core functions:
- Identify: Understand what you need to protect, like your computer systems, customer data, and other important assets.
- Protect: Put measures in place to keep those important things safe. Think firewalls, passwords, and other security features.
- Detect: Set up ways to quickly notice if something suspicious is happening, like unauthorized access or data breaches.
- Respond: Have a plan to deal with security incidents when they happen. This could mean isolating affected systems or contacting law enforcement.
- Recover: Know how to get your business back to normal after an incident. This might include restoring lost data or fixing compromised systems.
While effective, this five-fold approach needed an update to reflect the need for modern organizations to make decisions that support their cybersecurity strategies. That’s why NIST introduced a sixth function in its updated framework: Govern.
This new function emphasizes the importance of decision-making and oversight in your cybersecurity strategy. It serves as a directive for upper management to prioritize cybersecurity alongside other business risks like legal and financial challenges.
DoD Contractors Guide to CMMC Certification.
Focus on Supply Chain Risk Management (SCRM)
Remember the infamous SolarWinds and NotPetya attacks? Those were the wake-up calls the cybersecurity world needed because they made it crystal-clear that supply chain vulnerabilities pose a significant risk to an organization’s cybersecurity posture. Why? Because a single compromised third-party supplier is enough to render even the best internal security controls useless.
When the original CSF was introduced, organizations typically had fewer third-party relationships to manage, which made it easier to monitor and secure those connections. Fast-forward to today and cloud-based workloads now account for 75% of workloads in 1 out of 5 organizations, according to Fortinet’s 2021 report, and about 39% of respondents are already running at least half of their workload on the cloud.
The proliferation of third-party services, especially those delivering Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS), means that businesses now have to juggle a complex web of external dependencies. This increased complexity is precisely why NIST updated the CSF to include a focus on Supply Chain Risk Management (SCRM).
Specifically, the CSF 2.0 urges organizations to know and prioritize their suppliers by their importance to business operations, emphasizing that due diligence should be exercised before entering any formal relationships. It also calls for the integration of supply chain security practices into existing cybersecurity and enterprise risk management programs, while recommending continuous monitoring and periodic reviews of third-party vendors.
While the CSF 2.0’s focus on Supply Chain Risk Management is a significant leap forward, it’s worth noting that it’s not the only framework making strides in this area. The Cybersecurity Maturity Model Certification (CMMC), created by the U.S. Department of Defense, is another key initiative aimed at bolstering supply chain security. The emergence of multiple frameworks focused on supply chain risks underlines just how crucial this issue has become.
Expanded Scope: Now Aimed at Organizations of All Sizes
Originally, the NIST framework was devised to protect critical infrastructure, a focus that made sense given the catastrophic implications of security breaches in sectors like energy, finance, healthcare, and the defense industry. However, the cybersecurity landscape is now a flat field, with risks sprouting up everywhere. Schools, small businesses, and even local governments find themselves battling the same cyber threats as large corporations.
That’s why the NIST Small Business Cybersecurity Act, enacted in August 2018, mandated that NIST create “clear and concise resources” to help small businesses identify and manage their cybersecurity risks. As a result, the NIST CSF 2.0 is designed to shield not just the towering giants in banking or energy but also the mom-and-pop shops.
So, how exactly does the new framework make it easier for smaller players to jump on board? One major game-changer is the CSF 2.0 Reference Tool. This tool provides both human- and machine-readable versions of the Cybersecurity Framework 2.0.
Using the CSF 2.0 Reference Tool, users can also study Implementation Examples—real-world use cases and actionable guidance for each function’s subcategories. These examples serve as a practical roadmap for organizations, helping them navigate the often-confusing journey of implementing a cybersecurity framework.
The expanded scope and user-friendly nature of the CSF 2.0 are particularly advantageous for small and medium-sized businesses (SMBs) aspiring to become government contractors. In an era where federal agencies are intensifying their cybersecurity requirements, the ability to align with recognized standards is crucial. For example, the U.S. Department of Defense mandates that contractors responsible for safeguarding Covered Defense Information comply with the security requirements outlined in NIST Special Publication (SP) 800-171, which dovetails with the CSF.
6 Critical Cybersecurity Policies Every Organization Must Have
Conclusion: Don’t Wait, Act Now on Your Cybersecurity Posture
With its expanded focus on governance, supply chain risk management, and inclusivity for organizations of all sizes, the NIST Cybersecurity Framework 2.0 offers a valuable blueprint for any business serious about cybersecurity, and the final version is anticipated to be published in early 2024.
Unfortunately, the organizations that could benefit from the implementation of the framework’s numerous guidelines the most, SMBs, are the ones who will most likely find its high-level guidance insufficient to build a truly effective cybersecurity program. Instead, they may find themselves lost in the maze of the framework’s “implementation guidance” section, overwhelmed by the technical jargon and complex references to additional standards.
This is where we at OSIbeyond come in, providing comprehensive managed IT and cybersecurity services. With our help, the implementation of the guidelines set forth by the CSF 2.0 can be a painless process that will leave your data, your reputation, and your bottom line better protected.
Don’t wait for the final publication of the NIST Cybersecurity Framework 2.0 to enhance your organization’s cybersecurity posture—the risks are too great, and the stakes are too high. Schedule a meeting with us today.