But before we summarize the draft CSF 2.0 changes, why should you care?
NIST CYBERSECURITY FRAMEWORK IS THE STANDARD
“You can put the NIST Cybersecurity Framework to work in your business in these five areas: Identify, Protect, Detect, Respond, and Recover.”
As described by Vanta, “the NIST CSF compliance framework is only mandatory for federal agencies; however, if your company plans on doing business with the government as a contractor, partner, or vendor, you will likely need to comply with NIST CSF.
“Outside of federal compliance, the NIST framework is voluntarily adopted by many private sector organizations. Especially useful to small businesses, NIST CSF helps mitigate and respond to cybersecurity threats. The NIST framework can be customized to the individual needs and goals of each organization’s infrastructure.”
In my experience, most state and local governments adopt CSF as their framework of choice. There are many reasons for this, but state and local governments are often custodians of federal data. Following NIST makes sense and works.
WHAT’S DIFFERENT IN NIST CSF 2.0?
The NIST Cybersecurity Framework 2.0 initial public draft was released on Aug. 8. You can learn more details about that release and comments since version 1.1 here.
Dark Reading offered this article describing what’s different about this new draft:
“The new version 2.0 of the popular NIST Cybersecurity Framework has expanded beyond the original framework’s five functions of an effective cybersecurity program — identify, protect, detect, respond, and recover — and added a sixth, govern.
“‘It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership,’ NIST’s new guidelines — still in the draft phase — said.
“The new framework is also intended to help support organizations of all sizes, the agency said.
“‘With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well,’ NIST’s lead developer of the framework, Cherilyn Pascoe, said in the CSF 2.0 release on Aug. 8. ‘The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments.’”
Infosecurity Magazine offered this article, “NIST’s Cybersecurity Framework 2.0: Shaping the Future of Cyber Resilience.” Here’s an excerpt:
“The inclusion of the ‘Govern’ pillar as a new function is a very important addition and rounds out the previous core functions (Identify, Protect, Detect, Respond and Recover).
“Larry Whiteside Jr., CISO at RegScale and President of Cyversity, told Infosecurity that this pillar is the most significant change to the framework, with governance increasingly underpinning all aspects of cybersecurity.
“‘An organization can set all the policies it wants, but without a mandate and focus on governing those policies and the actions performed to enable and perform the functions that support the policies, none of it matters. Elevating governance to a CSF function will also promote alignment of cybersecurity activities with enterprise risks and legal requirements,’ he explained.”
I also like this description of the new changes from JD Supra. Read their full article, but here is one section:
- Additional guidance on CSF implementation and tailoring for risk.
- The draft provides improved and expanded guidance on implementing the CSF, especially for creating profiles, which tailor the CSF for particular situations.
- The draft also includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, use the CSF effectively.
- One theme in both the revised and new controls is that CSF 2.0 features “risk acceptance” explicitly stated and greater discussion of “risk prioritization” and using safeguards “commensurate with risk.”
- Additional information on cybersecurity measurement and assessment.
- Version 2.0 clarifies the Framework implementation tiers to focus on cybersecurity governance, risk management, and third-party considerations.
- The importance of continuous improvement is emphasized through a new Improvement Category in the Identify Function, as well as improvements in guidance on developing and updating Profiles and action plans.
This YouTube video further defines what’s new in CSF 2.0:
In addition, you can attend this free online workshop from NIST to learn more in September.
FINAL THOUGHTS
The deadline for submitting comments is Nov. 4, 2023. I urge interested parties to get engaged and here’s how to submit comments to this draft.
In closing, I want to point out that NIST has been doing more international collaboration, and this CSF 2.0 has more of an international focus with global participation. See this July 2023 article on NIST international engagement. Here’s an excerpt:
“In the update to NIST CSF 2.0, NIST continues to work with the international community. At NIST’s February 2023 virtual workshop on the CSF 2.0 update, participants from Italian and New Zealand governments and Mexican industry spoke on panels. In addition, participants joined from several countries. We are continuing to learn and benefit from international use cases and look forward to hearing even more in the months to come as we release our full draft 2.0!”
I applaud this international focus on cybersecurity best practices, as our online worlds have never been more interconnected and cooperation and collaboration are vital to defeating cyber crime.
