What is NIST CSF 2.0?

The NIST Cybersecurity Framework (CSF) has for years served as a comprehensive, widely adopted guide for organizations looking to improve their information security and cyber risk management. Version 2.0 has now been released, updating and expanding the framework.

Going back to the beginning: the first version of NIST CSF (1.0) was released in 2014 and received a minor update in 2018 (Version 1.1), but the February 2024 release of CSF 2.0 is the first major revision. One of the main goals of NIST CSF 2.0 was to make the framework easier to use, with more supporting documentation and implementation guidance, and to make it applicable to organizations of every size: SMBs, mid-market companies, and large enterprises. Version 1.0, by contrast, was written for critical infrastructure operators and mainly had large enterprises in mind.

The framework has 3 components: the Core, Organizational Profiles, and Tiers. The Core is the common set of cybersecurity activities, desired outcomes, and informative references, organized into 6 Functions, each of which breaks down into Categories and then Subcategories (the outcome statements an organization actually assesses itself against). Tiers (1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive) characterize how rigorous and well-integrated an organization's cybersecurity risk governance and management practices are. Profiles describe which Core outcomes the organization currently achieves (Current Profile) and which it intends to achieve (Target Profile), so the gap between the two drives the improvement plan.

Our goal here is to focus on the Core and the outcomes it defines, so that we understand what is actually included in NIST CSF 2.0.

What are the requirements for NIST CSF 2.0?

The NIST CSF 2.0 Core includes 6 Functions:

Govern – New in version 2.0, this function fosters a culture of shared responsibility and commitment to cybersecurity, and it informs how the other five functions are carried out. Its categories cover organizational context, risk management strategy, roles, responsibilities and authorities, policy, oversight, and cybersecurity supply chain risk management – making sure the organization has the core governance structures in place to manage cybersecurity risk in a process-based and effective manner.

Identify – This function forms the cornerstone of the cybersecurity strategy. Its categories cover asset management (identifying and categorizing hardware, software, data, systems, services, and personnel), risk assessment (discovering vulnerabilities and threats and evaluating the risk they pose), and improvement (feeding lessons learned from assessments, tests, and incidents back into the program).

Protect – Once an organization has identified WHICH assets need to be protected, this function stands as its first line of defense against cyber threats by defining HOW to protect them. Its categories cover identity management, authentication, and access control; awareness and training; data security (protecting confidentiality, integrity, and availability); platform security (hardening and maintaining hardware, software, and services); and technology infrastructure resilience.

Detect – To get early warning of security threats, the Detect function aims to find and analyze anomalous and potentially adverse activity. Its categories cover continuous monitoring of assets, networks, and personnel activity, and adverse event analysis to determine whether an observed event is actually an incident.

Respond – In the event of a cyber attack, the Respond function covers the actions taken once an incident has been detected. Its categories are incident management, incident analysis, incident response reporting and communication, and incident mitigation. The goal is to ensure that when an incident occurs, the business suffers the least possible downtime and impact.

Recover – The last function addresses the aftermath of a cyber incident. Its categories cover incident recovery plan execution (restoring affected systems and services and verifying their integrity before returning them to normal operation) and incident recovery communication, both internally and with external parties.

Why should I implement NIST CSF 2.0?

One of the challenges companies frequently face is finding a comprehensive approach that bridges the organization's business objectives with its security objectives and integrates established standards for security controls. Every business is also individual in terms of size, scope, and how it prioritizes requirements, so a framework that addresses these challenges while remaining flexible enough to apply to any organization is crucial. The NIST CSF meets that need and is widely considered the gold standard for building a cybersecurity program.

NIST recommends a 7-step process for establishing or improving a cybersecurity program (set out in CSF 1.1, Section 3.2, and carried into CSF 2.0's guidance on creating and using Organizational Profiles). By following this structured approach, which guides organizations through prioritizing and scoping security efforts, conducting a risk assessment, and creating a targeted action plan, an organization can reduce its risk. The steps are:

  1. Prioritize and scope
  2. Orient the business
  3. Create a current profile
  4. Conduct a risk assessment
  5. Create a target profile
  6. Determine, analyze, and prioritize gaps
  7. Implement an action plan

Implementing the NIST CSF offers tangible benefits for organizations seeking to enhance their cybersecurity posture. A study showed that companies that adopt the NIST CSF report reductions in cybersecurity incidents of up to 70%, highlighting its effectiveness in mitigating risk.

Other recent studies have highlighted NIST's pivotal role in shaping cybersecurity standards, particularly for infrastructure firms and private-sector organizations that are not otherwise subject to a defined security standard. Research also suggests that NIST's influence extends internationally, with the CSF serving as a common baseline for businesses operating across borders.

How do we achieve compliance?

The NIST CSF is a voluntary framework rather than a certifiable standard, so "compliance" here means being able to show that the outcomes in the Core are met and that the gaps between your Current and Target Profiles are tracked and closed. To get there, it is essential to review every outcome in the framework and ascertain whether it is fulfilled. Centraleyes, our automated Governance, Risk, and Compliance (GRC) platform, offers a comprehensive solution for managing cyber-related risk. With a detailed built-in questionnaire that covers all outcomes in the Core component of the NIST CSF in a practical way, integrated with a risk register, Centraleyes streamlines the process of identifying, assessing, and mitigating cybersecurity risk. From determining appropriate controls to assigning responsibilities and tracking task completion, Centraleyes provides the tools needed for robust cybersecurity risk management.

Read more: 

NIST CSF Documentation

Does your company need to be compliant with NIST CSF?
