The NIST Cybersecurity Framework (CSF) is a set of guidelines published by the U.S. National Institute of Standards and Technology for mitigating organizational cybersecurity risks. Experience has shown that defensive techniques and best practices must adapt as the threat landscape changes if we are to keep the technological race with cybercriminal adversaries tipped in our favor.
What is the NIST CSF?
We published an overview article in June 2022 outlining the purpose and components of the CSF as they were then. You can read that article in our resources library. To summarize: the goal of CSF is to help organizations better understand, manage, and reduce their cyber risk while protecting their networks and data.
The recently released White House Cybersecurity Strategy calls for organizations across America to align themselves with the NIST CSF to better defend against the burgeoning attacks from bad actors and state-based groups. To bolster these defenses, NIST has been conducting a broad consultation on an update to the CSF. We wrote about the draft CSF 2.0 in May of this year.
NIST is updating CSF in response to the evolving threat landscape and to experience that has highlighted potential gaps in the existing framework. The need for updated guidance and frameworks has been apparent for some time. Since our article about the draft release, consultation has been ongoing. The team at Critical Insight has been participating in that consultation and has also been creating resources and tools to help public and private sector businesses and organizations adopt the advice in CSF 2.0 to strengthen their cybersecurity posture.
What's new in CSF 2.0?
As discussed in the previous articles, CSF contains functional groupings with categories to subdivide them further. The categories also have more granular components, but we’ll stay at a high level for this article. There are six function groups in CSF 2.0, with the Govern Function being a new addition. The infographic in Diagram 1 shows the six functions and their categories.
Diagram 1: NIST CSF 2.0 Framework Functions and Categories
In addition to the new Govern Function added to CSF, NIST has made the following changes.
In the Identify Function, there is a new Continuous Improvement category.
They added a new Supply Chain Risk Management category to the Identify Function.
In the Protect Function, there is a new focus on leveraging the combination of people, processes, and technology to secure assets.
The Protect Function also has a new Technology Infrastructure Resilience category.
In the Respond and Recover Functions, there are new categories aimed at cybersecurity incident response management, including the importance of incident forensics.
The updated CSF 2.0 is still on track for a summer 2023 release. All critical infrastructure providers, such as government, healthcare, and other organizations operating in any sector designated as critical, will have to align with the new NIST CSF 2.0. You’ll want to make sure your team is ready to embrace these changes to meet regulatory and compliance standards.
Critical Insight Resources to Help You Adopt CSF 2.0
Helping organizations that are critical to the continued operation of essential services at local, state, and federal levels defend themselves from cyberattacks is the reason Critical Insight exists. The need for this defense has continued to increase over the last few years and shows no signs of abating. The roll-out and widespread adoption of the best practices and advice in CSF 2.0 will be vital to ensuring that we can, as a country, defend against the attackers out to disrupt or destroy our infrastructure and commerce channels.
The team at Critical Insight has decades of experience in protecting infrastructure from cyberattacks. This experience spans both public and private sectors and encompasses all sectors of the economy.