
What’s New in the NIST Cybersecurity Framework

Written by Katie Crowell | Sep 29, 2023 8:45:04 PM

The US government has long been concerned with cybersecurity. This is particularly true for critical infrastructure, including energy production, telecommunications, banking, healthcare, food and agriculture, emergency services, and other industries. In 2013, President Obama issued Executive Order 13636 calling for “Improving Critical Infrastructure Cybersecurity.”  The Order included a requirement to develop a Cybersecurity Framework that organizations could leverage to manage cybersecurity risk. 

The NIST Cybersecurity Framework

The National Institute of Standards and Technology (NIST) was entrusted with creating the framework. In February 2014, NIST introduced version 1.0 of the Cybersecurity Framework (NIST CSF). The NIST CSF has three primary components. 

The Framework Core describes activities, outcomes, and references about aspects and approaches to cybersecurity. In NIST CSF v1, it was composed of five “Functions,” with each Function having one or more Categories of activities that organizations can adopt to reduce risk. The five functions of CSF 1.0 and 1.1 are:

  • Identify: Develop visibility into critical assets and information, assess the risk posed by vulnerabilities, and plan for addressing that risk.
  • Protect: Activities that address safeguards to ensure the delivery of critical infrastructure services. This includes access control for sensitive systems, employee training, and information protection.
  • Detect: The ability to monitor all resources for threats and anomalous activity and to identify cybersecurity events.
  • Respond: Describes activities required in the event of an attack, including incident response, analysis, and communications.
  • Recover: Covers cyber resilience and the activities needed to recover from a cybersecurity event.

The Framework Implementation Tiers provide a structure for gauging and communicating organizations' cybersecurity risk management approaches. Tiers range from “Partial” (Tier 1) where risk management is ad hoc, to “Adaptive” (Tier 4) where organizations have a dynamic and evolving approach to cybersecurity risk management.

The Framework Profile is a list of security activities and desired outcomes an organization has selected based on their specific cybersecurity goals, risk tolerance, regulatory requirements, and business objectives.

NIST CSF V2

As the threat landscape evolves, so too should security countermeasures. NIST issued an update to the CSF in 2018. In early 2022, NIST decided to revisit the CSF again. Their early goal was to encourage adoption of the CSF across organizations beyond the critical infrastructure industries, including small businesses and schools. After a Request for Information, hundreds of comments from industry participants, and a series of workshops to receive feedback, NIST released the CSF 2.0 draft on August 8, 2023. Comments on the draft are due November 4 and a final release of CSF 2.0 is expected in early 2024.

[Image: NIST Community Engagement]

What’s New in CSF 2.0

The new draft includes several major changes based on the security landscape and stakeholder feedback. These include:

Recognition of its broad use: The CSF was created in response to threats to the nation’s critical infrastructure. Recognizing the adoption of the CSF across organizations of all sizes and industries, the official name of the CSF has been changed from “Framework for Improving Critical Infrastructure Cybersecurity” to simply “Cybersecurity Framework.” 

Increased guidance on CSF implementation: NIST has updated and expanded the Framework Profiles guidance and added implementation examples. Also included are templates organizations can use or adapt to their needs to assist with rolling out the framework.

An emphasis on supply chain security: Before the Target breach in 2013, many organizations assumed supply chain security was not their responsibility. Today more organizations recognize that their vendors and partners can represent a weak link in their defenses. The updated CSF adds “Cybersecurity Supply Chain Risk Management” as a Category in the new Govern Function. It includes defining processes for identifying, managing, and monitoring supply chain risk.

Relate CSF to other frameworks and resources: Navigating the various standards can be confusing. CSF 2.0 includes new references to the NIST Privacy Framework, the NICE Workforce Framework for Cybersecurity (SP 800-181), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161r1), and others.

Addition of security governance: NIST has added a sixth Function to the Framework Core: Govern. The Govern Function is designed to “Establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy.” In addition to the Supply Chain Risk Management Category discussed above, it includes activities for:

  • Organizational Context recognizes the need to define and reach an agreement on the organization’s “mission, stakeholder expectations, and legal, regulatory, and contractual requirements.”
  • Risk Management Strategy covers determining and communicating the organization’s risk management objectives, risk appetite, and standards for determining and documenting risk.
  • Roles, Responsibilities, and Authorities ensure senior leadership recognizes its responsibility and accountability for cybersecurity risk and “fosters a culture that is risk-aware, ethical, and continually improving.”
  • Policies, Processes, and Procedures covers defining and assigning cybersecurity roles and responsibilities.
  • Oversight ensures that strategies, performance, and outcomes are reviewed and adjusted as necessary.

What’s Next

Because of the broad adoption of the CSF beyond the critical infrastructure industries, we expect organizations to continue to view CSF as a robust template for improving their cybersecurity. In particular, the emphasis on supply chain security will trickle down to midsize businesses. Midsize businesses often rely on an extensive supply chain network to compete with more prominent players, magnifying the risk of a supply chain breach. 

Security teams should also remember that these changes do not reduce the Framework’s focus on data security. The Govern Function is additive. Teams must continue to focus on the other functions: identifying security risks, detecting attacks and compromises, responding to incidents, and recovering from cybersecurity attacks.

Are you curious how Reveal can help with the six functions in the proposed v2.0 framework? Book a demo and see how our out-of-the-box policies support compliance efforts on day one. Our policy-free deployment helps you discover risks you weren’t even aware of for future-proofed Data Loss Prevention and Insider Risk Management.