NIST 2.0's Latest Draft Introduces Major Control Areas
11/1/2023
The updated control statements and draft NIST Cybersecurity Framework (CSF) 2.0 material reflect a significant evolution from prior versions of the framework, most notably from the widely used NIST CSF 1.1. The changes primarily aim to enhance the framework's adaptability, usability, and overall effectiveness in addressing the evolving landscape of cybersecurity threats and challenges. Some of the key differences between these two versions include the following.
1. Emphasis on Organizational Context:
Organizational Context: The "Organizational Context" function in NIST CSF 2.0 recognizes the significance of understanding the organization's mission, stakeholders, legal, regulatory, and contractual obligations, including privacy requirements. This emphasis on context underscores the need for organizations to align their cybersecurity strategies with their overall business objectives.
2. Enhanced Usability, Adaptability and Risk Management:
Dynamic Nature: NIST CSF 2.0 acknowledges that cybersecurity risks are dynamic and ever-changing. This version encourages organizations to be more adaptive by introducing new concepts like the "Supply Chain Risk Management" function, emphasizing the need for flexibility in addressing security concerns.
Emphasis on Stakeholder Engagement: The new version incorporates the role of stakeholders and their expectations into the governance and risk management functions. This stakeholder engagement reflects a broader, more inclusive approach to addressing cybersecurity concerns.
3. Integration with Privacy:
Incorporation of Privacy: NIST CSF 2.0 recognizes the importance of privacy and its relationship with cybersecurity. This alignment is evident in the subcategories that now include addressing privacy and civil liberties obligations in the "Organizational Context" function, reflecting a more comprehensive approach to protecting data.
4. A Broader Range of Cybersecurity Activities:
Supply Chain Risk Management: NIST CSF 2.0 introduces the "Cybersecurity Supply Chain Risk Management" function to address the growing concerns surrounding supply chain security. This addition underscores the increasing significance of managing risks associated with suppliers and third parties, reflecting recent high-profile supply chain attacks.
Below is more detail regarding the "Organizational Context" function in the draft NIST CSF 2.0; future articles will explore more of the draft NIST CSF 2.0 and related documents and tools.
Relative to "Organizational Context", the draft requires organizations to have a comprehensive understanding of the specific circumstances and factors that surround their cybersecurity risk management decisions. This function emphasizes the importance of aligning cybersecurity strategies with the organization's mission, stakeholder expectations, legal, regulatory, and contractual requirements, and the evolving landscape of privacy obligations. Here's a breakdown of what this function entails:
Organizational Mission (GV.OC-01): This requirement necessitates that organizations understand their own mission or purpose. It ensures that cybersecurity risk management efforts are closely tied to the overall goals and objectives of the organization. By doing so, organizations can effectively prioritize and align their cybersecurity activities with their mission.
Stakeholder Expectations (GV.OC-02): Organizations are expected to identify and comprehend the needs and expectations of both internal and external stakeholders related to cybersecurity risk management. This entails understanding what various stakeholders, including employees, customers, partners, and regulators, expect in terms of security and privacy.
Legal, Regulatory, and Contractual Requirements (GV.OC-03): This subcategory highlights the necessity of understanding the complex web of legal, regulatory, and contractual obligations regarding cybersecurity. Organizations must not only be aware of these requirements but also manage and comply with them effectively. The updated framework acknowledges the growing significance of incorporating privacy obligations, reflecting evolving global privacy regulations like the GDPR and CCPA.
Critical Objectives and Services (GV.OC-04): The requirement to determine and communicate critical objectives, capabilities, and services is essential for organizations. This ensures that key components, upon which stakeholders rely, are identified and protected. It is about understanding what is crucial to the business and its stakeholders and establishing the necessary safeguards to secure them.
Outcomes and Dependencies (GV.OC-05): Organizations should also identify and communicate the outcomes, capabilities, and services they depend on. This includes understanding the technology, systems, and services that underpin the organization's operations. By acknowledging these dependencies, organizations can ensure that their cybersecurity strategies are designed to safeguard these critical elements.
In summary, the "Organizational Context" function within NIST CSF 2.0 underlines the importance of not just managing cybersecurity risks in isolation but integrating them into the broader organizational context. This ensures that cybersecurity measures align with the organization's mission, stakeholder needs, legal requirements, and the critical services upon which the business relies. It's a holistic approach that aims to improve overall cybersecurity effectiveness and strategic alignment with the organization's goals and values.
*Note: NIST released the latest draft of the CSF on August 8, 2023 and is accepting feedback until November 4, 2023. NIST expects to release a final version of CSF 2.0 in early 2024.
**All comments, opinions and material within this article represent the author's perspective alone and do not represent the view of former or current employers and/or clients.
NIST 2.0 is a Significant Upgrade
9/7/2023
Version 2.0 of the NIST Cybersecurity Framework represents a significant upgrade from Version 1.0, aligning with the dynamic nature of cybersecurity threats and technologies. It introduces a new Function, emphasizes risk management, addresses supply chain security, and provides clearer guidance for organizations. While both versions share the goal of improving cybersecurity, Version 2.0 offers a more robust and responsive framework to help organizations proactively manage cybersecurity risks and challenges in the modern digital landscape.
A review of NIST Cybersecurity Framework Version 1.0
1. Development and Purpose:
Version 1.0 was released in 2014 as a response to Executive Order 13636, which aimed to improve critical infrastructure cybersecurity. It provided a risk-based approach to cybersecurity, helping organizations identify, protect, detect, respond to, and recover from cyber threats.
2. Core Components:
Version 1.0 consisted of three core components: the Framework Core, the Framework Implementation Tiers, and the Framework Profile. The Framework Core included Functions (Identify, Protect, Detect, Respond, Recover), Categories, and Subcategories. The Implementation Tiers helped organizations gauge their cybersecurity maturity. The Framework Profile enabled organizations to customize cybersecurity practices according to their needs.
3. Flexibility:
Version 1.0 allowed organizations to adapt the framework to their specific industry, size, risk tolerance, and regulatory requirements. It encouraged the use of other standards and guidelines, fostering flexibility in implementation.
4. Feedback and Uptake:
Version 1.0 received positive feedback for its comprehensive yet adaptable approach. Many organizations across various sectors adopted it to enhance their cybersecurity posture.
NIST Cybersecurity Framework Version 2.0 is a Significant Upgrade
1. Development and Purpose:
Version 2.0, released in 2023, builds upon the foundation of Version 1.0. It acknowledges the evolving threat landscape, emerging technologies, and lessons learned from cybersecurity incidents. Version 2.0 aims to provide organizations with a more dynamic and actionable framework.
2. Core Components:
Version 2.0 retains the Framework Core but introduces an updated structure of Functions, Categories, and Subcategories. It includes seven Functions: Govern, Identify, Protect, Detect, Respond, Recover, and Innovate. Categories and Subcategories have been updated and expanded, reflecting more specific cybersecurity practices.
3. Expansion of Functions:
Version 2.0 introduces the "Govern" function. The Govern function underscores the importance of leadership and governance structures within an organization. It highlights the need for clear roles and responsibilities at all levels, from executives to operational staff, to ensure that cybersecurity risks are effectively managed.
A central focus of the "Govern" function is risk management. It emphasizes the need for organizations to establish robust risk management processes that enable them to identify, assess, and prioritize cybersecurity risks. This includes understanding the organization's risk tolerance and aligning cybersecurity efforts accordingly.
Version 2.0 introduces the "Innovate" function, emphasizing the importance of continuous improvement and adaptation in cybersecurity. This addition recognizes the need for organizations to proactively address emerging threats and technologies.
4. Focus on Risk Management:
Version 2.0 emphasizes risk management as a core component across all Functions. It integrates risk considerations into decision-making processes, reflecting the critical role of risk assessment in cybersecurity.
5. Supply Chain Security:
Supply chain security is a prominent addition in Version 2.0, recognizing the growing importance of securing the technology supply chain. It introduces the "Cybersecurity Supply Chain Risk Management" category to address these concerns.
6. Improved Clarity and Integration:
Version 2.0 offers clearer guidance and improved integration of cybersecurity activities within an organization's overall risk management processes.
7. Adaptability and Scalability:
Like Version 1.0, Version 2.0 remains adaptable to various sectors, sizes, and regulatory environments. It encourages organizations to tailor the framework to their unique circumstances while addressing current and emerging challenges.
8. Response to Industry Feedback:
Version 2.0 incorporates feedback from industry stakeholders, including lessons learned from real-world incidents. It aims to be more actionable and relevant in today's rapidly changing cybersecurity landscape.