When the National Institute of Standards and Technology released the Cybersecurity Framework in 2014, the cybersecurity industry and threat landscape confronted by organizations was quite different.
What a difference a decade makes.
NIST released version 2.0 of the CSF Monday, updating voluntary guidance for businesses of all sizes across sectors to reduce cyber risk. The overhaul, which got underway last year, plays catch-up to the current state of affairs.
The updated guide and resources place a new emphasis on the supply chain, a common attack vector, and governance, complementing efforts such as the Securities and Exchange Commission’s new rule requiring companies to report cybersecurity risk management, strategy and governance in annual filings.
“The CSF has always been intended to be used from the server room to the boardroom, and as server rooms are now no longer on-prem, the boardroom becomes even more important,” Cherilyn Pascoe, director of NIST’s National Cybersecurity Center of Excellence, said Monday at an event Aspen Digital hosted to discuss CSF 2.0.
While the initial CSF was built around five core functions — identify, protect, detect, respond and recover — version 2.0 adds govern because organizations need to incorporate cyber risk management throughout their corporate governance structure. The functions are organized to provide a full view of the cybersecurity risk management lifecycle.
Governance represents a big change and something NIST and stakeholders across industry weren’t ready to incorporate 10 years ago, NIST Director Laurie Locascio said at the Aspen Digital event.
The govern function, which is designed to help organizations measure the outcomes of the other five functions, addresses organizational context, policy, oversight, and supply chain risk management.
The new function advocates for structured risk management strategies and a clear delineation of responsibilities, according to Callie Guenther, senior manager of cyber threat research at Critical Start. The emphasis on the supply chain reflects a growing recognition of the interconnected nature of cybersecurity risks.
NIST paired its CSF 2.0 release with a collection of resources to make the guidance easier for businesses to use and put into practice across their operations. This includes new implementation examples, a reference mapping tool that links the framework to other cybersecurity recommendations, and quick-start guides for specific audiences and user types.
While the initial release had a long run, the evolution of malicious activity and technological change requires NIST to continue updating its guidance. These amendments are coming along in tandem with efforts elsewhere.
The White House’s national cybersecurity strategy and the Cybersecurity and Infrastructure Security Agency’s cybersecurity performance goals complement NIST’s CSF 2.0 while regulators and sector-risk management agencies address risk management for their respective industries.
“Compliance and regulatory controls are significant for organizations in 2024, with frameworks like CSF 2.0 as a core foundation easily overlaid with other frameworks specific to other controls and verticals,” Ken Dunham, cyber threat director at Qualys, said via email.
Every organization has the responsibility to cover and adhere to multiple forms of compliance and frameworks, Dunham said.