NIST CSF 2.0: Changes, Improvements, and Implementation

This month Senior Governance, Risk, and Compliance Advisor Todd Welfelt explains the changes and updates to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and how your organization can implement it.

The update promises significant improvements over the current version 1.1, offering enhanced guidance to organizations managing cybersecurity risks. It can be used to help organizations of all sizes identify security risks and build effective security programs to protect their business. It is slated to be finalized sometime in the first quarter of 2024.

Update: The NIST CSF 2.0 Framework has been finalized as of February 26, 2024. You can read the final version here.

Changes and Updates from CSF 1.1

NIST CSF v1.1 provides a solid foundation to help businesses understand their cybersecurity risk posture and implement the components necessary for a robust Cybersecurity Program.

CSF 1.1 has five top-level categories named Functions – Identify, Protect, Detect, Respond, and Recover. The Functions provide guidance to mitigate the risk and impact of a significant incident resulting from gaps within the security network.

The Govern Function

NIST CSF 2.0 enhances the foundation by adding a sixth Function. The Govern Function encompasses risk and management and provides steps to establish overall maturity in the Cybersecurity Program. This approach helps an organization develop and define its overall risk management strategy, implement effective policies and procedures, and establish a supply chain risk management process. These steps provide a common reference point for both Executive and IT Teams, helping overall decision-making and risk management.

The Govern Function is a crucial part of any Cybersecurity Program yet is often undervalued and overlooked because it is considered too difficult, time-consuming, and ineffective; NIST adding it to their newest framework highlights how important this Function will be for organizations.

In addition to the Govern Function, the revised CSF provides more clarity and guidance within the categories, subcategories, definitions, and concrete examples for each item to reduce confusion and ambiguity. Organizations should be able to more effectively apply the guidance provided by the Framework to their organization.

[Figure: NIST CSF implementation and informative references]

This new structure will be familiar to organizations that have used CSF previously and adds crucial guidance on implementation techniques to address the Framework recommendations.

The first set of guidance is provided in the Informative References section. This section may refer to additional NIST publications or other reference material to help guide an organization in making well-reasoned risk decisions for their organization.

The second section provides concise, action-oriented steps to help achieve the outcomes recommended in the subcategories. This helps ease concerns for organizations adopting the CSF by providing implementation options and ideas.

How to Implement the CSF Effectively in Your Organization

NIST CSF is a framework developed to help organizations identify cybersecurity risk factors within their environment and develop mitigation strategies to reduce their overall risk.

The CSF provides a comprehensive list of actions, activities, policies, and procedures to mitigate the likelihood and impact of a cybersecurity event.

No framework or security program will ever completely eliminate this risk, but using a standard Framework to identify areas of improvement as well as areas of vulnerability helps provide insight into the most effective use of resources for overall security.

[Figure: NIST CSF 2.0 implementation]

An example would be using Function Identify (ID) Category Asset Management (AM) subcategory 1 (ID.AM-01), which states, ‘Inventories of hardware managed by the organization are maintained’.

The recommendation doesn’t require the use of specific tools but leaves it up to the organization to determine how to meet this recommendation.

Organizations will have unique environments, talents, regulatory requirements, and overall objectives. These should be considered during the review process and implemented to meet the desired outcome.

[Figure: NIST CSF 2.0 Functions, Categories, and identifiers]

The six Functions and 22 Categories provide insight into the security practices of an organization, covering everything from overall oversight to recovery testing and execution.

The first step in implementing the Framework is to accurately assess the effectiveness of current practices within the environment for each subcategory. Once this current profile is identified, a desired target profile can be developed, and a strategy developed to meet this target. Once progress has been made, the assessment process can begin again to ensure the overall security process continues.


The updated version of NIST CSF provides significant improvements from the original version. These improvements can help identify current risks to practices, policies, procedures, and activities and provide implementation strategies to help organizations mitigate cybersecurity risks. Adding the Governance Function provides oversight, repeatability, and top-level risk management strategies to enable Executive and Technical teams to have a common frame of reference for risk management.

If your organization is looking to implement the latest version of the National Institute of Standards and Technology's (NIST) Cybersecurity Framework 2.0, then reaching out to Todd Welfelt or our advisory services team is a wise decision.

Our advisory services team can provide practical guidance and assistance in implementing the NIST CSF 2.0 and is well-equipped to help your organization navigate the proposed changes and updates in the framework.

Don't hesitate to contact us if you need help in meeting and exceeding your compliance goals. Together, we can ensure that your organization effectively manages cybersecurity risks and builds a robust security program.


Additional Resources

NIST CSF 2.0 Timeline

Credit: Kristina Rigopoulos

Should I use CSF 1.1 or wait for CSF 2.0? 

"NIST expects to publish CSF 2.0 early in 2024. Stakeholders are encouraged to use Framework 1.1 during the update process.  Recognizing the investment that organizations have made to implement the Framework, NIST will single out changes made in CSF 2.0 to ease the transition for users." -

Todd Welfelt has an Information Technology career spanning more than 25 years. 

Todd has turned his extensive experience with hands-on management and maintenance of computer systems into practical assessment and implementation of security tools to meet the needs of compliance frameworks, as well as provide real-world risk reduction.