The National Institute of Standards and Technology has updated its Cybersecurity Framework for 2024. Version 2.0 of the NIST CSF, the first major update since the framework was released a decade ago, was created with the goal of expanding the primary audience from critical infrastructure to all organizations. In general, the NIST CSF aims to standardize practices to ensure uniform protection of all U.S. cyber assets.
TechRepublic’s cheat sheet about the NIST CSF is an overview of this new government recommended best practice, and it includes steps on implementing the security framework.
The NIST CSF is a set of optional standards, best practices and recommendations for improving cybersecurity and risk management at the organizational level. The goal of the CSF is to create a common language, a set of standards and an easily executable series of goals for improving cybersecurity and limiting cybersecurity risk.
NIST has thorough documentation of the CSF on its website, along with links to FAQs, industry resources and other information necessary to ease enterprise transition into a CSF world.
The NIST Framework isn’t just for government use — it can be adapted to businesses of any size. The CSF affects anyone who makes decisions about cybersecurity and cybersecurity risks in their organizations, and those responsible for implementing new IT policies.
The NIST CSF standards are optional — that is, there’s no penalty for organizations that don’t wish to follow them. This doesn’t mean the NIST CSF isn’t an ideal jumping-off point for organizations, though — it was created with scalability and gradual implementation in mind so any business can benefit, improve its security practices and prevent a cybersecurity event.
Although the NIST CSF is a publication of the U.S. government, it may be useful to businesses internationally. The NIST CSF is aligned with the International Organization for Standardization and the International Electrotechnical Commission. Version 2.0 will likely be translated by community volunteers in the future, NIST said. The cybersecurity outcomes described in the CSF are “sector-, country-, and technology-neutral,” NIST wrote in Version 2.0.
The cybersecurity world is fragmented, despite its ever-growing importance to daily business operations. Organizations fail to share information, IT professionals and C-level executives sidestep their own policies and organizations speak their own cybersecurity languages. NIST’s goal with the creation of the CSF is to help eliminate the chaotic cybersecurity landscape we find ourselves in.
Former President Barack Obama signed Executive Order 13636 in 2013, titled Improving Critical Infrastructure Cybersecurity, which set the stage for the NIST Cybersecurity Framework that was released in 2014.
Former President Donald Trump’s 2017 cybersecurity executive order went one step further and made the framework created by Obama’s order into federal government policy.
NIST CSF Version 2.0 was created in concert with the March 2023 National Cybersecurity Strategy under President Joe Biden.
Version 2.0 of the NIST CSF expands the scope of the framework from critical infrastructure to organizations in every sector and adds new emphasis on governance. The governance portion positions cybersecurity as one of the most important sources of enterprise risk that senior business leaders should consider, alongside finance, reputation and others.
The NIST CSF 2.0 includes Quick Start guides, reference tools and organizational and community profile guides. The reference tools were created to provide organizations a simplified way to implement the CSF compared to Version 1.1.
Version 2.0 of the NIST CSF adds:
As of Version 2.0 of the NIST Framework, these are the six core activities: Identify, Protect, Detect, Respond, Recover and Govern. These activities, or Functions, of the NIST Framework are used to organize cybersecurity efforts at the most basic level.
The framework is divided into four components: Core, Organizational Profiles, Tiers and Informative References.
The Core component is “a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes.” It is further broken down into three elements: Functions, Categories and Subcategories.
Profiles are both outlines of an organization’s current cybersecurity status and roadmaps toward CSF goals for stronger security postures. NIST said having multiple profiles — both current and goal — can help an organization find weak spots in its cybersecurity implementations and make moving from lower to higher tiers easier.
Profiles help connect the Functions, Categories and Subcategories to the business requirements, risk tolerance and resources of the larger organization they serve.
There are four Tiers of implementation, and while CSF documents don’t consider them maturity levels, the higher Tiers are considered a more complete implementation of CSF standards for protecting critical infrastructure. NIST considers Tiers useful for informing an organization’s Current and Target Profiles.
The Informative References provided with Version 2.0 of the CSF are documentation, steps for execution, standards and other guidelines. For example, an Informative Reference for a category covering manual Windows updates would be a document outlining the steps to manually update Windows PCs. In Version 2.0, Informative References, Implementation Examples and Quick-Start Guides can be found through the NIST CSF website or in the CSF document.
As the needs of organizations change, NIST plans to continually update the CSF to keep it relevant. Updates to the CSF happen as part of NIST’s annual conference on the CSF and take into account feedback from industry representatives, gathered via email and through the requests for comments and requests for information NIST sends to large organizations.
The NIST CSF affects everyone who touches a computer for business. IT teams and CXOs are responsible for implementing it; regular employees are responsible for following their organization’s security standards; and business leaders are responsible for empowering their security teams to protect their critical infrastructure. Specifically, the NIST CSF 2.0’s new Govern function includes communication channels between executives, managers and practitioners — anyone with a stake in the technological health of the company.
The degree to which the NIST CSF affects the average person won’t lessen with time either, at least not until it sees widespread implementation and becomes the new standard in cybersecurity planning.
Start working on implementing the CSF by visiting NIST’s Cybersecurity Framework website. Of particular interest to IT decision-makers and security professionals is NIST’s Framework Resources page, where you’ll find methodologies, implementation guidelines, case studies, educational materials, example profiles and more.
“The CSF does not prescribe how outcomes should be achieved,” NIST points out in the framework. “Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes.”
The NIST CSF can improve the security posture of organizations large and small, and it could potentially position you as a leader in forward-looking cybersecurity practices or prevent a catastrophic cybersecurity event.