elevenM’s Vruta Chotalia looks at some of the key changes in the upcoming NIST Cybersecurity Framework 2.0 updates.
The National Institute of Standards and Technology (NIST) has recently released a public draft of version 2.0 of its Cybersecurity Framework (CSF), with a range of significant updates. Public consultation is underway, and it will be interesting to see which areas get the most attention.
First published in 2014, then updated in 2018, the framework provides an approach and guidance to organisations of any size, shape, and sector, enabling them to address cyber security risks. NIST CSF is the most widely accepted and used cyber security framework and includes a three-step approach: Understand & Assess, Prioritize, and Communicate.
The draft CSF 2.0 has significant updates in the areas of supply chain risk and governance. To my mind, the most significant change is the emphasis on third-party risk management guidance. The new ‘Cybersecurity Supply Chain Risk Management’ (C-SCRM) category is placed beneath the new core function of ‘Govern’. Establishing a Supply Chain Risk Management category enables its sub-categories to define outcomes for establishing, managing, monitoring, and improving an organisation’s C-SCRM. The C-SCRM category also focuses on ensuring that suppliers meet the organisation’s cyber security requirements, and on having appropriate contractual terms in place to enforce them.
The addition of a new core function, the aforementioned Govern, is another interesting development. Govern joins the existing functions (Identify, Protect, Detect, Respond and Recover) as the first in the list; however, it works across all five of the other functions to support their complete achievement. According to NIST, the Govern function covers understanding the organisational context in order to establish a cyber security strategy and cyber security supply chain risk management. This builds on the governance content in CSF 1.1.
Other significant updates include a focus on practical implementation: the addition of templates (for profiles and action plans), implementation examples, and informative references. There is also an interesting addition covering the integration of the CSF with other risk management domains, namely the Privacy Framework and the Enterprise Risk Framework. In practical implementation there may be overlapping areas and events that require an organisation’s independent teams to work together on strategy, definition, implementation, monitoring, and incident recovery.
The CSF v2.0 is yet to be finalised, so I would recommend that cyber security professionals and organisations participate in the webinars and discussions, weigh in on the suggested updates, and evaluate the impact of the changes.
Summary of changes to NIST CSF functions
| CSF 1.1 | CSF 2.0 draft |
|---|---|
| 5 functions | 6 functions |
| 23 categories | 22 categories |
| 108 subcategories | 106 subcategories (TBC) |

| Function | Category (CSF 2.0 draft) |
|---|---|
| Govern (GV) | Organizational Context |
| | Risk Management Strategy |
| | Cybersecurity Supply Chain Risk Management |
| | Roles, Responsibilities, and Authorities |
| | Policies, Processes, and Procedures |
| Identify (ID) | Asset Management |
| Protect (PR) | Identity Management, Authentication, and Access Control |
| | Awareness and Training |
| | Technology Infrastructure Resilience |
| Detect (DE) | Continuous Monitoring |
| | Adverse Event Analysis |
| Respond (RS) | Incident Management |
| | Incident Response Reporting and Communication |
| Recover (RC) | Incident Recovery Plan Execution |
| | Incident Recovery Communication |
Some important dates
NIST is accepting feedback and comments on the CSF 2.0 draft until November 4, and is planning a release in early 2024.
There have been two workshops so far, and NIST is planning a third workshop around mid-September (virtual and in-person). Registration details will be published on the NIST website soon.
To find out more about the previous workshops and the comments received, as well as upcoming dates, visit the NIST website.
If you’re interested in learning more about NIST Cybersecurity Framework, or in how we can help you integrate the framework in your organisation, contact us.