NIST Releases Version 2.0 of Landmark Cybersecurity Framework

More paths lead to NIST's updated cybersecurity framework, which now includes quick-start guides aimed at specific audiences, success stories outlining other organizations' implementations, and a searchable catalog of informative references that lets users cross-reference the framework guide with over 50 other cybersecurity documents.

Credit: N. Hanacek/NIST

The National Institute of Standards and Technology (NIST) has updated the widely used Cybersecurity Framework (CSF), its landmark guidance document for reducing cybersecurity risk. The new 2.0 edition is designed for all audiences, industry sectors, and types of organizations, from the smallest schools and nonprofits to the largest agencies and corporations, regardless of their level of cybersecurity sophistication.

In response to the numerous comments received on the draft version, NIST has expanded the CSF master guide and developed related resources to help users get the most out of the framework. These resources are designed to give different audiences tailored pathways into the CSF and make the framework easier to put into practice.

"The CSF has been a vital tool for many organizations, helping them anticipate and address cybersecurity threats," said Laurie E. Locascio, Under Secretary of Commerce for Standards and Technology and Director of NIST. "CSF 2.0, which builds on previous versions, is not just a document. It is a set of resources that can be customized and used individually or in combination over time as an organization's cybersecurity needs change and its capabilities evolve."

CSF 2.0, which supports the implementation of the National Cybersecurity Strategy, has an expanded reach that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, covering how organizations make and carry out informed decisions about cybersecurity strategy. The governance component of the CSF emphasizes that cybersecurity is a major source of business risk that senior managers should weigh alongside others, such as finance and reputation.

"Developed by working closely with stakeholders and reflecting the latest cybersecurity management challenges and practices, this update aims to make the framework even more relevant to a broader swath of users in the United States and abroad," said Kevin Stine, chief of NIST's Applied Cybersecurity Division.

Following a presidential Executive Order, NIST first published the CSF in 2014 to help organizations understand, reduce, and communicate about cybersecurity risks. The core of the framework is now organized around six key functions: identify, protect, detect, respond, and recover, along with the govern function newly added in CSF 2.0. Considered together, these functions provide a comprehensive lifecycle view of cybersecurity risk management.

The updated framework anticipates that organizations will come to the CSF with different needs and degrees of experience in implementing cybersecurity tools. New adopters can learn from the successes of other users and select their topic of interest from a new set of implementation examples and quick-start guides designed for specific types of users, such as small businesses, enterprise risk managers, and organizations looking to protect their supply chains.

[Image: a road with different NIST CSF resources labeled along it. Credit: Natasha Hanacek, NIST]

A new CSF 2.0 Reference Tool now simplifies how organizations can implement the CSF, allowing users to explore, search, and export data and details from the CSF master guide in human-consumable and machine-readable formats.

Additionally, CSF 2.0 offers a searchable catalog of informative references that shows how an organization's current actions map to the CSF. This catalog allows an organization to cross-reference the CSF guidance with more than 50 other cybersecurity documents, including others from NIST such as SP 800-53 Rev. 5, a catalog of tools (called controls) for achieving specific cybersecurity outcomes.

Organizations can also consult the Cybersecurity and Privacy Reference Tool (CPRT), which contains a set of interrelated, navigable, and downloadable NIST guidance documents that contextualize these NIST resources, including the CSF, alongside other popular resources. The CPRT also offers ways to communicate these ideas to both technical experts and senior management, so that all levels of an organization can stay coordinated.

NIST plans to continue improving its resources and making the CSF an even more useful resource for a broader set of users, Stine said, and community feedback will be crucial.

"As users personalize CSF, we hope they will share their examples and successes, because that will allow us to expand their experiences and help others," he said. "That will help organizations, sectors and even entire nations better understand and manage their cybersecurity risks."

The CSF is widely used internationally; versions 1.1 and 1.0 have been translated into 13 languages, and NIST hopes that volunteers around the world will also translate CSF 2.0. Those translations will be added to NIST's growing portfolio of CSF resources. Over the past 11 years, NIST's work with the International Organization for Standardization (ISO), along with the International Electrotechnical Commission (IEC), has helped align multiple cybersecurity documents. ISO/IEC resources now allow organizations to build cybersecurity frameworks and organize controls using the functions of the CSF. NIST plans to continue working with ISO/IEC to maintain this international alignment.
