The National Institute of Standards and Technology (NIST) has recently released the draft of its Cybersecurity Framework (CSF) 2.0.
This new framework, set to be officially released in early 2024, represents a significant overhaul of the existing CSF, aiming to address changes in technology, risk, and the overall cybersecurity landscape.
The Evolution of the Cybersecurity Framework
The original CSF was first released in 2014 with the goal of reducing cybersecurity risk to critical infrastructure. However, despite being often touted as the gold standard for building a robust cybersecurity program, voluntary compliance with the framework has largely failed to generate effective cybersecurity. This has left critical infrastructure and other organizations vulnerable to serious cyber threats such as ransomware or denial of service attacks.
What’s New in CSF 2.0?
The updated framework, CSF 2.0, expands its scope beyond critical infrastructure to organizations of any size or sector. It elevates the importance of cybersecurity governance and emphasizes the importance of cyber supply chain risk management. However, like the original CSF, CSF 2.0 remains a voluntary framework that offers high-level guidance for managing cyber risk.
Expanded Scope
The CSF 2.0 expands its scope beyond critical infrastructure to organizations of any size or sector. This means that the framework is now applicable to a wider range of organizations, making it a more versatile tool for managing cybersecurity risks.
Emphasis on Cybersecurity Governance
The new framework elevates the importance of cybersecurity governance. This reflects the growing recognition that effective cybersecurity is not just about technology, but also about the policies, procedures, and structures that an organization has in place to manage cyber risks.
Cyber Supply Chain Risk Management
Another significant change in CSF 2.0 is the emphasis on cyber supply chain risk management. This is in response to the increasing realization that an organization’s cybersecurity is only as strong as the weakest link in its supply chain.
Updated CSF Core
The CSF 2.0 includes an updated version of the CSF Core, reflecting feedback on the previous version. The CSF Core provides a set of desired cybersecurity outcomes that organizations can use to guide their cybersecurity efforts.
Implementation Examples and Informative References
The CSF 2.0 does not contain Implementation Examples or Informative References for the CSF 2.0 Core, given the need to update them frequently. Instead, these will be maintained online on the NIST Cybersecurity Framework website.
Community Feedback
NIST is actively seeking feedback from the community on the draft revision of the CSF 2.0. This includes feedback on the best way to present the modifications from CSF 1.1 to CSF 2.0 to support transition.
Taken together, the NIST Cybersecurity Framework 2.0 represents a significant evolution of the original framework, with changes designed to address the current and future challenges of cybersecurity. However, it remains a voluntary framework that provides high-level guidance, and the onus is still on individual organizations to develop and implement effective cybersecurity programs.
The Challenges Ahead
While the CSF 2.0 draft represents an improvement over the current NIST cybersecurity framework, it is unlikely to fundamentally improve the United States’ cybersecurity posture. The framework leaves to individual organizations the hard work of cobbling together an effective cybersecurity program from the alphabet soup of often-complex frameworks, standards, and guidelines referenced in the updated framework’s expanded “implementation guidance”.
Conclusion
In conclusion, while the NIST CSF 2.0 represents a step forward in addressing the evolving landscape of cybersecurity threats, it is clear that more needs to be done. As an executive or decision-maker, you need not only to understand the guidance provided by NIST, but also to actively seek out and implement robust cybersecurity measures tailored to the specific needs and risks of your organization.
Remember, in the world of cybersecurity, complacency can be costly. Stay informed, stay vigilant, and most importantly, stay secure.
If you want to learn more about the NIST Cybersecurity Framework, you may also want to look into this training.
About Tobias Faiss
Tobias is a Senior Engineering Manager, focusing on applied Leadership, Analytics and Cyber Resilience. He has a track record of 18+ years in managing software projects, services and teams in the United States, EMEA and Asia-Pacific. He currently leads several multinational teams in Germany, India, Singapore and Vietnam. He is also the founder of the delta2 edventures platform, whose mission is to educate students and IT professionals who want to transition into an IT management role.
Tobias’ latest book is ‘The Art of IT-Management: How to Successfully Lead Your Company Into the Digital Future’. You can also contact him on his personal website, tobiasfaiss.com.