Compliance & Legislation | Cyber Security Essentials

June 5, 2024

Since its introduction in 2014, the NIST Cybersecurity Framework (CSF) has become a foundational cyber security standard. Originally devised for the critical sectors that support infrastructure and public services, its adoption as a source of reference internationally means it now extends well beyond that.

The original executive order that spawned its development might still be a major part of its rationale, but its usefulness to organisations of all sizes, in all sectors and around the world has increased and expanded with the release of this second version. Importantly, NIST has worked closely with the ISO/IEC and other similar organisations in this latest version to ensure that there is greater alignment amongst international cyber security frameworks and controls.

The background and rationale for the CSF carries forward into Version 2, although significant changes have been made to update it in line with: (i) broader corporate governance considerations, (ii) new threats, (iii) emerging best practices and (iv) the changing state of global cyber security. These changes make the CSF a good framework for cyber security governance, compliance management and mapping, and a robust way to align frameworks and approaches across businesses with partners, suppliers and customers.

Origins of the CSF

Originally conceived to define a common language and approach to the cyber security risk management of systems, IT assets and data, the standard was divided into five areas of control or “functions”:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

These were then subdivided into categories and sub-categories for specific activities, defences and desired outcomes.

This hierarchical structure aimed to provide an approach that could address high level areas of management, and then zoom in on more detailed requirements where posture, security control gaps and improvements could be more accurately and usefully defined.

Modernisation of the CSF

NIST’s goal has been to draw on the feedback and experience of cyber security stakeholders and practitioners, to learn lessons from past approaches to cyber risk management and to capture the practices now needed to manage cyber threats as they evolve. Cyber security will always be a discipline that doesn’t sit still, with attackers and defenders continually honing and evolving their strategies. The CSF provides a set of internationally recognised guidelines and practices for organisations to strengthen their cyber security strategies and outcomes.

Several changes have been made to the structure and content of the new version of this standard. One is the security of supply chains. With business being increasingly interconnected, supplier cyber security has become a critical new factor for risk managers to worry about. So much so that the concept is now embedded in many regulatory frameworks, such as those for Operational Resilience in the UK financial sector (FCA PS21/3), Supply Chain Risk Management Practices for Systems and Organisations (NIST SP 800-161Rev1) and the Security of Critical Infrastructure (SOCI) Act in Australia, to name just a few.

This latest version also incorporates zero-trust principles, which have become widely accepted as a baseline approach to reducing cyber security risk through improved information protection. Hence, authentication and identity management have an added focus.

The most notable change, however, has been the addition of a new function “pillar” to the original five (as listed above). This new function, GOVERN, represents the need for management across all aspects of security controls, risk management and decision making, so that the oversight of cyber security is more embedded in management processes and more closely aligned with corporate governance itself.

The new release also includes a range of helpful supporting documentation – organisational profiles that can be adopted, implementation examples and quick start guides – to simplify and streamline adoption.

Benefits for Organisations

NIST CSF has always been a widely trusted framework both locally and internationally. With the growing suite of NIST documents and their ongoing evolution from guidance to mandatory requirements in some sectors, like those regulated by CISA, NIST will continue to be a beacon in the cyber security risk management landscape. There is increasing collaboration between the governments of the “Five Eyes” nations and the frequent issuance of joint cyber security advisories by their security agencies. This confirms that the advice and practices recommended by NIST and its like-minded organisations will continue to be sought from within the US and beyond.

The new version of the CSF provides a common lexicon and approach that maps the wider cyber security risks to existing and familiar management practices, like the Australian Essential Eight (with its PREVENT – CONTAIN – RECOVER taxonomy) and the forthcoming UK DSIT Cyber Security Governance Code of Practice, which provides guidance for the corporate oversight of many of the principles and practices outlined in the CSF’s new “Govern” category.

Beyond this, the CSF provides methods to help prioritise controls, mitigate risk and allocate investment and resources. It also facilitates easier interaction and collaboration between cyber security stakeholders (e.g. customers and suppliers, or cyber insurers and policy holders).

If nothing else, the adoption of CSF cyber security practices by an organisation shows a commitment to a cyber security framework and alignment to good practices. Above all, however, it is an acknowledgement that, just like any other enterprise risk, cyber security requires informed, systematic practices to be in place for its effective ongoing management.

Recommendations for Implementation

As with any security standard, adopting the CSF is a multi-stage activity with a number of streams of effort. This blog is focused on the developments in the latest release of NIST CSF 2.0 and is not intended to provide a guide to its deployment and adoption. That said, there are some obvious stages that can be used to break the process down into actionable pieces:

  1. Understand the current state of controls and security processes with reference to the CSF requirements.
  2. Map existing controls, defences and processes to the CSF functions, categories and subcategories.
  3. Create an uplift plan, based on the gaps identified, prioritised risks and the guidance available to address areas of non-conformance or vulnerability.
  4. Clarify and establish the roles and responsibilities for the controls and risk management strategies and processes.
  5. Establish processes and tools to allow continuous monitoring of activity and control performance – efficacy and coverage – across the organisation.


All standards evolve, and cyber security, with its rapidly changing technology and threat landscape, is no exception. This latest version, NIST CSF 2.0, is well suited to a broader range and size of organisations than its predecessor.

We’ve all watched as cyber security has changed from being a limited subset of IT to an enterprise-wide and board-level issue that can’t be ignored. Driven in part by ongoing digital transformation as well as increasing cyber security regulation and corporate governance, the CSF suite of resources provides an important focal point for the global cyber security sector.

Against this backdrop, the new NIST CSF is an important development and a major milestone on the road to improved and resilient cyber security. With its fundamental role in protecting the IT assets, systems and processes that support the operations of today’s businesses, NIST CSF 2.0 provides an important roadmap for both the US domestic and international cyber security sectors.
