NIST Cybersecurity Framework v2.0
In 2022, NIST celebrated 50 years of research in cybersecurity, during which it has developed best-practice guidelines, standards and privacy guidance, among other resources. This work has made it possible to better secure existing technology and to provide a foundation for the secure development of future technologies.
Among these resources is the "Cybersecurity Framework" (CSF), a very useful tool for reducing cyber risk in organizations. The CSF provides a common, simplified language and adapts to many technologies, life-cycle phases, sectors and uses. It takes a risk-based approach and aligns with international standards, which is partly why it is so widely recognized around the world.
The CSF is also informed by multiple perspectives, including the private and public sectors and contributions from academia, which goes some way toward ensuring that a wide range of views and needs are taken into account. Additionally, it helps align legal and regulatory requirements with risk management and organizational priorities. In short, it helps us improve the security of systems, data and operations in general.
How is CSF v1.1 used?
A typical implementation process of this framework consists of the following steps:
- Risk assessment
The organization identifies critical assets, threats and vulnerabilities relevant to its operations.
- Create a current profile
The current state of the organization's cybersecurity activities (processes, controls, operations) is documented and captured as a "current profile".
- Create a target profile
A profile is created that describes the cybersecurity objectives the organization wants to reach.
- Plan the improvement
Once the gap between the two profiles is identified, priorities are set to improve the organization's security posture. An improvement plan is designed according to the organization's objectives and the earlier risk assessment.
- Implement the plan
The improvement plan is put into practice: resources are assigned and the planned activities are carried out.
- Continuous monitoring and improvement
The security posture is monitored, the necessary continuous improvements are made, and the process is repeated.
The framework is a flexible tool that can be adapted to the needs of any organization, regardless of its size, sector or complexity. The implementation process will vary from one organization to another, but the principles of the framework can be applied in any context to improve security posture.
NIST has started the process of updating the CSF; version 1.1 has been in place since 2018. The new 2.0 update addresses the evolution of threats, improves the mapping against other standards, and aims for a simpler format that makes it easier for organizations to address their risks.
In this process NIST is once again relying actively on stakeholder feedback (community, industry, academia) and seeking a diverse range of opinions.
Activities proposed and carried out within the framework of the update
Among the ideas shared during Workshop #2 (see the timeline) and in the concept paper for the new version (published here), these are some of the potential changes in the new version:
⦁ Explicitly acknowledge the wide use of the CSF
Given the wide adoption and relevance the framework has gained in recent years, the intention is to change the focus on which organizations it is aimed at: starting with the title, the scope is broadened so that it no longer covers only critical infrastructure or a particular market but all types of organizations, regardless of type or size.
Likewise, the aim is to increase collaboration and international engagement with the framework.
⦁ Stand as a framework, providing context and connections to existing standards and resources.
For version 2.0 of the CSF, the current level of detail will be maintained and, in addition, emphasis will be placed on relating it to other NIST frameworks. Mappings will be kept between the CSF and other recognized cybersecurity frameworks, and these will be kept up to date and available online.
As in the current version, special emphasis will be placed on remaining technology- and vendor-neutral while still reflecting changes in the most widely recognized cybersecurity practices.
⦁ Include updated and expanded guidance on implementation of the framework.
To support organizations in adopting the framework, the plan is to add implementation examples for the different Subcategories and to develop Profile templates.
Improving the CSF website to highlight implementation resources and ease of use is also a priority.
⦁ Emphasize the importance of cybersecurity governance.
To highlight the importance of management and governance tasks across the entire framework implementation process, it is proposed to add a new Governance function that cuts across the other functions. This is also expected to improve the discussion of the relationship between the CSF and risk management.
⦁ Highlight the importance of “Supply Chain Risk Management”
For this new version, the intention is to put special focus on, and explicitly incorporate, supply chain risk management (Cybersecurity Supply Chain Risk Management, or C-SCRM), adding subcategories or entire categories that cover it.
⦁ Advance in the understanding of the measurement and evaluation of cybersecurity.
It is not easy for organizations to produce clear measurements of their cybersecurity, so this new version aims to clarify how the CSF can support the measurement and evaluation of implemented cybersecurity programs.
This includes providing measurement and evaluation examples, updating the NIST Information Security Performance Measurement Guide (published here), and providing guidance on the various framework implementation levels (tiers).
It is clear that NIST's proposed update to the Cybersecurity Framework (CSF) aims to keep pace with the evolution of threats. The points highlighted were the prioritization of the governance function, the expanded coverage of supply chain risk management (driven by attackers' well-known focus on the supply chain), the importance of maintaining technological neutrality, and the improved relationship between the CSF and other cybersecurity frameworks.
These changes will allow organizations of different sectors, types and sizes to implement the CSF more effectively and adapt it to their specific needs, thereby increasing the security of the entire ecosystem.