The federal agency in charge of maintaining technology standards has finalized the second version of its cybersecurity framework, a major update that is likely to lead more organizations to implement governance structures that prioritize cybersecurity in everyday operations throughout the enterprise.
The National Institute of Standards and Technology, or NIST, released the newest version of its Cybersecurity Framework, or CSF, on Monday, finalizing
Compared to version 1.0 of the framework, released in 2014, the second version adds an emphasis on governance. The aim of this pillar is to ensure that an organization's "cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored."
The five other pillars of the CSF are identify, protect, detect, respond and recover.
"When considered together, these functions provide a comprehensive view of the life cycle for managing cybersecurity risk," reads
Within each function are additional categories, with subcategories beneath those, creating a large tree-like structure of guidance and examples of how each goal can be implemented.
One example of the guidance the framework provides concerns third-party cybersecurity risks. Within the "Govern" function, under the category "Cybersecurity Supply Chain Risk Management," there is a subcategory that covers the planning and due diligence an organization must perform to reduce risks before entering into a formal supplier or other third-party relationship.
"Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality and complexity of each supplier relationship," reads one of the framework's implementation examples for this subcategory.
The latest draft emphasizes integrating cybersecurity into core governance functions and broadens its scope beyond just critical infrastructure sectors. It also offers guidance on dealing with novel threats, such as newer strains of ransomware.
While each atomic element of the Cybersecurity Framework offers a brief pointer to a policy or practice an organization should implement, the structure of the framework is conceptual, designed to help organizations that want to tackle cybersecurity in a systematic fashion.
Importantly, NIST has released
"CSF 2.0, which builds on previous versions, is not just about one document," said Laurie E. Locascio, NIST director and under secretary of commerce for standards and technology. "It is about a suite of resources that can be customized and used individually or in combination over time as an organization's cybersecurity needs change and its capabilities evolve."
NIST emphasized this customizability in its announcement of the release of the framework.
"As users customize the CSF, we hope they will share their examples and successes, because that will allow us to amplify their experiences and help others," said Kevin Stine, chief of NIST's applied cybersecurity division.
One document that will likely be particularly useful to organizations as they apply the framework to their own organizations is