The National Institute for Standards and Technology (NIST) has recently updated its Cybersecurity Framework to address the diverse needs of a wider range of users and reflect the latest cybersecurity challenges and management practices. This update, known as Cybersecurity Framework 2.0, marks a significant evolution from the original framework released in 2014, which was primarily focused on critical infrastructure. The new version aims to make cybersecurity risk mitigation more accessible to organizations of all sizes and industries, including small businesses, schools, and nonprofits, regardless of their level of cybersecurity sophistication.

According to Laurie E. Lozascio, Under Secretary of Commerce for Standards and Technology and NIST Director, the CSF 2.0 is more than just a single document – it is a suite of resources that can be customized over time to meet the unique needs of different organizations. The updated framework introduces a new function called Govern, in addition to the existing core functions of Identify, Protect, Detect, Respond, and Recover. This addition underscores the importance of governance in cybersecurity strategy and emphasizes that cybersecurity is a significant enterprise risk that requires careful management.

One of the key features of CSF 2.0 is its focus on supply chain risks, a growing concern in the cybersecurity landscape. The framework includes a Cybersecurity and Privacy Reference Tool (CPRT) that allows users to search, extract, and export data from the core guidance in both human-readable and machine-readable formats. Additionally, a searchable catalogue of informative references enables organizations to cross-reference CSF guidance with over 50 other cybersecurity documents, including NIST’s SP 800-53 Rev. 5.

The CPRT also provides a set of NIST guidance documents that can be easily accessed and communicated to technical experts and executives within an organization, promoting coordination and alignment across all levels. Furthermore, NIST is actively expanding the reach of its resources by translating CSF versions 1.1 and 1.0 into 13 languages, with plans to translate CSF 2.0 through global volunteer efforts. The collaboration between NIST, ISO, and IEC is aimed at aligning cybersecurity documents and enabling organizations to build frameworks and implement controls in line with CSF functions.

Experts in the cybersecurity field have lauded the updates made in CSF 2.0. Jason Soroko, Senior Vice President of Products at Sectigo, highlighted the inclusion of identity management as a core element of the framework, emphasizing the valuable guidance provided by NIST to navigate through its resources effectively. Claude Mandy, Chief Evangelist at Symmetry Systems, commended NIST for continuously updating the framework to address the evolving security needs of modern organizations, particularly the explicit inclusion of governance as a key function in CSF 2.0.

In conclusion, NIST’s Cybersecurity Framework 2.0 represents a significant step forward in enhancing cybersecurity resilience and risk management for a broader range of users. By incorporating new functions, addressing supply chain risks, and providing a wealth of resources and guidance, CSF 2.0 aims to empower organizations of all sizes and industries to enhance their cybersecurity posture and protect against ongoing threats. NIST’s commitment to ongoing enhancement and collaboration underscores its dedication to supporting organizations in understanding and managing cybersecurity risks effectively.

Source link