The NIST CSF is Scheduled For a Makeover
The NIST Cybersecurity Framework is a set of standards, techniques, practices, and procedures that coordinate the approach to mitigate cybersecurity risks. It has been translated into other languages and is widely used by both private and public sector organizations in and outside of the United States, demonstrating the success of this resource as a universal one.
The most recent revision to the information security framework was made in April 2018. Managing cybersecurity, and specifically supply chain risks, have significantly changed since then. In light of this, NIST plans for a significant update to the Framework, often referred to as CSF 2.0, based on stakeholder feedback, to reflect the evolving cybersecurity landscape and help organizations more easily and effectively manage cybersecurity risk.
Information, Please
NIST is requesting information regarding the use, suitability, and adaptability of the existing Cybersecurity Framework. They are also seeking information on the extent to which other NIST resources are used in conjunction with the NIST CSF to advance the NIST standards in cybersecurity and to inform the direction of the developing Cybersecurity Framework.
When the RFI was issued, Commerce Deputy Secretary Don Graves stated: “Every organization needs to manage cybersecurity risk as a part of doing business, whether it is in industry, government or academia…It is critical to their resilience and our nation’s economic security. There are many tools available to help, and the CSF is one of the leading frameworks for private-sector cybersecurity maintenance. We want private and public sector organizations to help make it even more useful and widely used, including by small companies.”
Read on to learn about the NIST CSF 2.0 concept paper that was based on the issues touched on in the RFI responses, and how the NIST CSF 2.0 is predicted to be tailored to meeting industry needs today.
NIST received more than 130 RFI responses and published a proposal for potentially significant changes in CSF 2.0 and related resources. NIST is still seeking public feedback, marking a “call to action” in areas where they are interested in collaboration among stakeholders to make improvements to the proposal.
Changes to the CSF that Tailor to the Industry
Broader Use and Expanded Scope
The original target demographic of the NIST CSF was critical national infrastructure organizations like utilities, telecoms, transport, and banking, however, it has been used much more widely across a vast swath of industries. To “embrace and enhance its broader use, the scope of CSF 2.0 will cover all organizations across government, industry, and academia, including, but not limited to, critical infrastructure.
“The scope was originally for critical infrastructure, as defined under [a US President’s] Executive Order, but over time, lots of organizations have started to use it,” says NIST’s Pascoe. “We don’t want organizations to have to make that determination about whether or not they’re critical infrastructure, which is sometimes a legal issue that comes with additional burdens, and so we’re proposing to broaden it to all organizations.”
Emphasis on SMBs
Following the publication of CSF 1.1, Congress has urged NIST to consider the cyber concerns of small and medium businesses, as well as institutions of higher education and state and local governments. NIST will place added emphasis on ensuring the 2.0 CSF framework is adaptable and helpful to a wider scope of organizations, regardless of sector, type, or size.
International Collaboration
The CSF to date has been adopted by several countries, and CSF 2.0 is expected to facilitate international collaboration and engagement. As part of the CSF 2.0, NIST will prioritize exchanges with foreign governments and continue to encourage foreign entities to provide input on potential changes to the framework.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
CSF Mappings to Other Frameworks
One recurring theme that came up in responses to the RFI was the need to improve the alignment of the framework with other NIST and non-NIST security frameworks. Respondents to the RFI expressed interest in mappings to close to 50 other cybersecurity frameworks. In the concept paper, NIST states that it would like to work with the community to “encourage and enable the production of mappings that support the CSF 2.0.
Reflect Changes But Remain Vendor Neutral
NIST plans on reviewing the CSF so that its applicability can continue to be leveraged by a wide scope of organizations, regardless of the technology or services they employ. At the same time, guidance that tailors to specific technologies will be provided by mapping to s[ecofoc standards, providing guidance, and providing implementation examples.
Additional Guidance on Implementation
To help clarify the meaning and intent of the framework guidelines, the CSF 2.0 will include “notational implementation examples of the concise, action-oriented process, and activities to help achieve the outcomes” of the CSF categories and subcategories.
New Govern Function
NIST believes that, although the five core NIST functions have gained widespread adoption, there are many benefits of NIST CSF expanding the existing functions to include a new “governance” function. The proposed governance function is described as “crosscutting”, in that it will inform and support the other functions and will make it clear that governance practices inform the prioritization and implementation of each of the current functions.
Supply Chain Risk Management
The new framework will, for the first time, place a significant emphasis on supply chain risk management, assisting and encouraging businesses to address third-party risks of all kinds, including those posed by non-technology supply chains, and cloud computing as well as by computers, software, and networking hardware. Respondents to the RFI unanimously agreed that supply chain risks are a top risk across organizations. They didn’t necessarily agree on how these concerns should be addressed in the CSF update. As of the publication of the concept paper, NIST believes the CSF 2.0 should include additional C -SCRM-specific outcomes to provide additional guidance to help address supply chain risks.
Centraleyes and CSF 2.0 Compliance
Compliance is an ongoing process that requires constant updates and adjustments to keep pace with changes in standards and technology. Our updated platform will reflect final changes to the CSF along with additional mappings to other standards. Centraleyes’s automated remediation planner identifies gaps and produces actionable remediation tickets with quantifiable risk tools that allow you to track and compare progress over time, supporting the collection and organization of required information before an audit.
As the cybersecurity policy landscape changes, you can trust Centraleyes to keep your compliance programs up-to-date with the CSF and other regulatory and voluntary security objectives.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
