Listen to post:
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 1.1 has been a critical reference to help reduce or mitigate cybersecurity threats to Critical Infrastructures. First launched in 2014, it remains the de facto framework to address the cyber threats we have seen. However, with an eye toward addressing more targeted, sophisticated, and coordinated future threats, it was universally acknowledged that NIST CSF 1.1 required updating.
NIST has released a public draft of version 2.0 of their Cybersecurity Framework (CSF), which promises to deliver several improvements. However, to understand the impact of this update, it helps to understand how CSF v1.1 brought us this far.
Every organization in today’s evolving global environment is faced with managing enterprise security risks efficiently and effectively. Cybersecurity is daunting; depending on your industry vertical, adhering to an intense list of regulatory and compliance standards only adds to this nightmare. Whether it’s the International Organization for Standardization (ISO) 27001, Information Systems Audit and Controls Association (ISACA) COBIT5, or other such programs, it is often confusing to know how or where to start, but they all specify processes to protect and respond to cybersecurity threats.
This was the impetus behind the National Institute of Standards and Technology (NIST) developing the Cybersecurity Framework (CSF). NIST CSF references proven best practices in its Core functions: Identify, Protect, Detect, Respond, and Recover. With this framework in place, organizations now have tools to better manage enterprise cybersecurity risk by presenting organizations with the required guidance.
The development of NIST CSF version 2.0 was a collaboration of industry, academic, and government experts across the globe, demonstrating the intent of adapting this iteration of the CSF to organizations everywhere, and not just in the US. It’s focused on mitigating cybersecurity risk to industry segments of all types and sizes by helping them understand, assess, prioritize, and communicate about these risks and the actions to reduce them.
To deliver on this promise, NIST CSF 2.0 highlights several core changes to deliver a more holistic framework. The following key changes are crucial to improving CSF to make it more globally relevant:
- Global applicability for all segments and sizes
- The previous scope of NIST CSF primarily addressed cybersecurity for critical infrastructure in the United States. While necessary at the time, it was universally agreed that expanding this scope was necessary to include global industries, governments, and academic institutions, and NIST CSF 2.0 does this.
- Focus on cybersecurity governance
- Cybersecurity governance is an all-encompassing cybersecurity strategy that integrates organizational operations to mitigate the risk of business disruption due to cyber threats or attacks. Cybersecurity governance includes many activities, including accountability, risk-tolerance definitions, and oversight, just to name a few. These critical components map neatly across the five core pillars of NIST CSF: Identify, Protect, Detect, Respond, and Recover. Cybersecurity governance within NIST CSF 2.0 defines and monitors cybersecurity risk strategies and expectations.
- Focus on cybersecurity supply chain risk management
- An extensive, globally distributed, and interconnected supply chain ecosystem is crucial for maintaining a strong competitive advantage and avoiding potential risks to business continuity and brand reputation. However, an intense uptick in cybersecurity incidents in recent years has uncovered the extended risk that exists in our technology supply chains. For this reason, integrating Cybersecurity Supply Chain Risk Management into NIST CSF 2.0 enables this framework to effectively inform an organization’s oversight and communications related to cybersecurity risks across multiple supply chains.
Integrating Cybersecurity Risk Management with Other Domains Using the Framework
NIST CSF 2.0 acknowledges that no one framework or guideline solves all cybersecurity challenges for today’s organizations. Considering this, there is alignment to several important privacy and risk management frameworks included in this draft:
- Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations – NIST SP 800-161f1
- NIST Privacy Framework
- Integrating Cybersecurity and Enterprise Risk Management – NIST IR 8286
- Artificial Intelligence Risk Management Framework – AI 100-1
Alignment to these and other frameworks ensures organizations are well-equipped with guidelines and tools to facilitate their most critical cybersecurity risk programs holistically to achieve their desired outcomes.
Framework Tiers to Characterize Cybersecurity Risk Management Outcomes
NIST CSF 2.0 includes framework tiers to help define cybersecurity risks and how they will be managed within an organization. These tiers help identify an organization’s cybersecurity maturity level and will specify the perspectives of cybersecurity risk and the processes in place to manage those risks. The tiers should serve as a benchmark to inform a more holistic enterprise-wide program to manage and reduce cybersecurity risks.
Using the Framework
There is no one-size-fits-all approach to addressing cybersecurity risks and defining and managing their outcomes. NIST CSF 2.0 is a tool that can be used in various ways to inform and guide organizations in understanding their risk appetite, prioritize activities, and manage expectations for their cybersecurity risk management programs. By integrating and referencing other frameworks, NIST CSF 2.0 is a risk management connector to help develop a more holistic cybersecurity program.
Cato SASE Cloud and NIST CSF
The Cato SASE Cloud supports the Cybersecurity Framework’s core specifications by effectively identifying, mitigating, and reducing enterprise security risk. Cato’s single converged software stack delivers a holistic security posture while providing extensive visibility across the entire SASE cloud.
Our security capabilities map very well into the core requirements of the NIST CSF to provide a roadmap for customers to comply with the framework. For more details, read our white paper on mapping Cato SASE Cloud to NIST CSF v1.1.