NIST updates cybersecurity framework, emphasizing governance

Version 2.0 of NIST's Cybersecurity Framework, often cited by financial regulators, provides a structured approach to enhancing an institution's cybersecurity.

The federal agency in charge of maintaining technology standards has finalized the second version of its cybersecurity framework, a major update that is likely to lead more organizations to adopt governance structures that make cybersecurity a priority in everyday operations.

The National Institute of Standards and Technology, or NIST, released the newest version of its Cybersecurity Framework, or CSF, on Monday, finalizing an August draft of version 2.0. The framework is the primary cybersecurity standard for many financial institutions, and regulators frequently cite it when writing their own rules.

Compared to version 1.0 of the framework, released in 2014, the second version adds an emphasis on governance. The aim of this pillar is to ensure that an organization's "cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored."

The five other pillars of the CSF are identify, protect, detect, respond and recover.

"When considered together, these functions provide a comprehensive view of the life cycle for managing cybersecurity risk," reads a press release from NIST about the framework.

Within each function are categories, and subcategories beneath those, forming a large treelike structure of guidance, with implementation examples showing how each outcome can be achieved.

One example of the guidance the framework provides concerns third-party cybersecurity risks. Within the "Govern" function, under the category "Cybersecurity Supply Chain Risk Management," there is a subcategory that covers the planning and due diligence an organization must perform to reduce risks before entering into a formal supplier or other third-party relationship.

"Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality and complexity of each supplier relationship," reads one of the framework's implementation examples for this subcategory.

While each atomic element of the Cybersecurity Framework offers a tidbit about a policy or practice an organization should implement, the framework's structure is conceptual, designed to help organizations tackle cybersecurity in a systematic fashion.

Importantly, NIST has released a repository of quick-start guides that give direction to people seeking to implement the wide-ranging framework within their organization. These guides target small businesses, enterprise risk management practitioners and others.

"CSF 2.0, which builds on previous versions, is not just about one document," said Laurie E. Locascio, NIST director and under secretary of commerce for standards and technology. "It is about a suite of resources that can be customized and used individually or in combination over time as an organization's cybersecurity needs change and its capabilities evolve."

NIST emphasized this customizability in its announcement of the release of the framework.

"As users customize the CSF, we hope they will share their examples and successes, because that will allow us to amplify their experiences and help others," said Kevin Stine, chief of NIST's applied cybersecurity division.

One document likely to be particularly useful to organizations applying the framework is NIST's quick-start guide for creating and using organizational profiles. Such a profile describes an organization's current and target cybersecurity posture in terms of the concrete outcomes defined by CSF 2.0, giving the organization a custom yardstick for assessing its progress toward its cybersecurity goals.
