NIST CSF 2.0 released, to help all organizations, not just those in critical infrastructure

The National Institute of Standards and Technology (NIST) has updated its widely utilized Cybersecurity Framework (CSF), a key document for mitigating cybersecurity risks. The latest version, 2.0, is tailored to cater to a broad range of audiences, spanning various industry sectors and organizational sizes – from small schools and non-profits to major agencies and corporations. This update is relevant for all, irrespective of their level of expertise in cybersecurity.

NIST has expanded the CSF’s core guidance and developed related resources to help users get the most out of the framework. These resources are designed to provide different audiences with tailored pathways into the CSF and make the framework easier to implement.

“The NIST CSF 2.0 update significantly impacts the security of software supply chains, addressing the integration of open source, commercial components, in-house developed software, and Commercial Off-The-Shelf (COTS) products. NIST CSF 2.0 could be a key instrument for helping CISOs better define and build up controls that will improve security outcomes, providing direction to address critical asset protection, reduce or eliminate risk of material impact, and prevent any breach of duty for failing to adhere to regulatory and compliance regulations,” Saša Zdjelar, Chief Trust Officer (CTrO) at ReversingLabs, told Help Net Security.

Zdjelar outlines a concise overview of its implications:

Comprehensive risk management: CSF 2.0 emphasizes the need for robust risk management strategies that cater to the diverse nature of software components. This approach is critical for identifying and mitigating threats, defects, and more across open-source libraries, commercial software, in-house developments, and COTS products, ensuring comprehensive coverage of potential security risks.

Integrated governance: The update advocates for integrating software supply chain security within the broader organizational risk framework. This ensures that security considerations for all software components align with the organization’s overall risk management strategy, facilitating a unified approach to governance.

Adaptive risk management: Recognizing the dynamic landscape of software supply chains, CSF 2.0 highlights the importance of adaptive risk management practices. This flexibility allows organizations to quickly respond to emerging threats and vulnerabilities, irrespective of whether they affect open source projects, commercial offerings, or proprietary developments.

Security-conscious culture: The framework underlines the role of organizational culture in cybersecurity. By fostering a security-conscious environment, organizations encourage all stakeholders to prioritize security in their operations, which is essential for safeguarding software supply chains that utilize a mix of open source, commercial, in-house, and COTS components.

Making the framework more relevant

The CSF 2.0, which supports the implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy.

The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others, such as finance and reputation.

“Developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad,” according to Kevin Stine, chief of NIST’s Applied Cybersecurity Division.

NIST CSF 2.0 core

The framework’s core is now organized around six key functions: Identify, Protect, Detect, Respond, and Recover, along with CSF 2.0’s newly added Govern function. When considered together, these functions provide a comprehensive view of the life cycle for managing cybersecurity risk.

The updated framework anticipates that organizations will come to the CSF with varying needs and degrees of experience implementing cybersecurity tools. New adopters can learn from other users’ successes and select their topic of interest from a new set of implementation examples and quick-start guides designed for specific types of users, such as small businesses, enterprise risk managers, and organizations seeking to secure their supply chains.

A new CSF 2.0 Reference Tool now simplifies the way organizations can implement the CSF, allowing users to browse, search and export data and details from the CSF’s core guidance in human-consumable and machine-readable formats.

Searchable catalog and the Cybersecurity and Privacy Reference Tool

In addition, the CSF 2.0 offers a searchable catalog of informative references that shows how their current actions map onto the CSF. This catalog allows an organization to cross-reference the CSF’s guidance to more than 50 other cybersecurity documents, including others from NIST, such as SP 800-53 Rev.5, a catalog of tools (called controls) for achieving specific cybersecurity outcomes.

Organizations can also consult the Cybersecurity and Privacy Reference Tool (CPRT), which contains an interrelated, browsable and downloadable set of NIST guidance documents that contextualizes these NIST resources, including the CSF, with other popular resources. And the CPRT offers ways to communicate these ideas to both technical experts and the C-suite, so that all levels of an organization can stay coordinated.

Read more: