By Pedro Martinez CISSP CBSP, CIO & Chief Information Officer of Zenus Bank
As the digital era forges ahead, laced with innovations but fraught with cyber threats, one document stands as a beacon guiding organizations through the labyrinth of cybersecurity. Yes, I am talking about the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. Since its inception almost a decade ago, the framework has undergone revisions, but none as impactful as the recent Draft 2.0. As cybersecurity professionals at all levels of their careers, let’s dissect what this new draft entails and how it augments the broader cybersecurity landscape.
What Are the Significant Changes?
The NIST Cybersecurity Framework has been a touchstone for cybersecurity professionals for nearly a decade. Its evolution into version 2.0 introduces several significant changes that reflect not only the state of modern cybersecurity but also the demands of a more complex enterprise environment.
The Introduction of the ‘Govern’ Function
Arguably the most striking update is the introduction of a new core function: ‘Govern’. Previously, the framework concentrated on five key functionalities—Identify, Protect, Detect, Respond, and Recover. However, the ‘Govern’ pillar introduces a more comprehensive and organized approach towards cybersecurity. It addresses a much-needed gap in determining roles, responsibilities, and authorities within organizational structures, particularly in areas like risk management and the supply chain.
Expansion Beyond Critical Infrastructure
The original framework was intended primarily for sectors deemed as critical infrastructure, such as energy, banking, and healthcare. Version 2.0, however, is designed to be applicable to organizations of all sizes and types. This is a recognition that in today’s interconnected world, no organization is an island; we are all part of an intricate web of digital interactions that require universally applicable security standards.
Improved Guidelines on Risk Management
The framework now comes with enhanced guidelines on risk management, putting a heavy emphasis on cybersecurity as a form of enterprise risk. This aligns cybersecurity more closely with other forms of enterprise risks, such as financial and legal, thereby elevating its priority in boardroom discussions.
Cross-Linking to Other NIST Publications
Another significant change is the intentional cross-linking to other relevant NIST publications, like the NIST Privacy Framework, the Secure Software Development Framework (SP 800-218), and NIST IR 8286. This creates a more integrated view of NIST’s broader resources, helping organizations build a more comprehensive cybersecurity and privacy posture.
Additional Guidance on Implementation
The new framework offers more granular guidance on how to implement its recommendations through ‘profiles’ that cover specific sectors and use-cases. This addresses previous criticisms that the NIST framework lacked specific guidance on implementing controls, providing now a more tailored approach to different industries.
Increased Emphasis on Supply Chain Security
The global supply chain has emerged as a vulnerable target for cyberattacks, and version 2.0 makes it clear that securing the supply chain is a key component of an organization’s overall cybersecurity strategy.
The Intersection with Compliance, Audit, and Insurance
The updated framework aligns more closely with the needs of organizations to meet compliance, audit, and cyber insurance requirements. This comes at a time when regulatory pressures are escalating and will likely continue to do so in the foreseeable future.
Recommended Best Practices
Governance First
The ‘Govern’ pillar necessitates that governance is not an afterthought but an integral part of cybersecurity planning. It ensures that cybersecurity activities are aligned with enterprise risks and legal requirements.
Multi-Faceted Risk Assessments
Considering the expanded scope, a multi-faceted risk assessment incorporating legal, financial, and cybersecurity elements is now crucial. Compliance, audit, and insurance are no longer separate islands but continents on the same planet.
Utilizing Profiles for Implementation
The CSF 2.0 offers profiles covering specific sectors and use cases. Businesses are advised to use these as foundational building blocks for tailoring their cybersecurity protocols.
What Are the Next Steps NIST Will Take?
NIST’s iterative and inclusive approach toward refining its Cybersecurity Framework has always been one of its shining aspects. This is even more prominent in this update cycle, as NIST has been open to community involvement by inviting public comments until November 4, 2023. So, what can we anticipate following this deadline?
Incorporation of Public Feedback
One of the key next steps will be to sift through the myriad of comments and feedback they receive. Given the Framework’s importance in shaping cybersecurity policies across various sectors, expect a diverse range of perspectives from the community, including those from industry veterans, academic researchers, and even cybersecurity enthusiasts. This collective intelligence will likely be a cornerstone in enriching the final version of the framework.
Redrafting and Peer Review
After considering public feedback, NIST will go back to the drawing board to redraft the framework. It’s crucial to note that the draft is a living document, expected to undergo multiple internal reviews by expert panels and perhaps even independent cybersecurity organizations. These further scrutinies provide an additional layer of reliability, ensuring that the framework is not just a theoretical exercise but a practicable guide.
Final Publication and Rollout
Once redrafting and peer reviews are complete, NIST will officially publish the finalized
Cybersecurity Framework 2.0. This is not merely a formality but a significant milestone that will set the wheels in motion for widespread implementation. The Framework will not just reside in policy documents; it will serve as a foundational blueprint for organizations to evaluate, modify, and enhance their cybersecurity postures.
Training and Seminars
Post-release, it’s highly likely that NIST will engage in educational initiatives, webinars, and seminars to spread awareness and knowledge about the new framework. These programs could range from detailed explanations of each core function to how-to guides on the framework’s application across diverse sectors.
Periodic Updates and Revision Cycles
Given the ever-evolving landscape of cybersecurity, rest assured that the 2.0 version won’t be the final stop. NIST is likely to announce periodic updates and perhaps even a new revision cycle, aiming to keep the framework continually aligned with the realities of the modern cyber world.
As cybersecurity professionals, it would be wise for us to not just await these developments but to actively participate in them. This could be by contributing to the public commentary, attending to the post-release educational initiatives, or adopting the new framework into our organizational structures as early adopters, leading the charge in best practices.
Conclusion
The NIST Cybersecurity Framework 2.0 Draft is a seminal update in the annals of cybersecurity frameworks. It’s a lucid recognition that in today’s volatile cyber world, a static guide is a dated guide. By including the ‘Govern’ function and expanding its scope, NIST is steering the cybersecurity ship in a direction that’s not only modern but also inclusive.
So, as we await the framework’s final release, let’s not just be passive spectators. Engage with the draft, provide your feedback, and let’s collaboratively sculpt the future of cybersecurity.
Disclosure Statement:
The views and opinions expressed in this article are those of the author. Unless noted otherwise in this post, Zenus Bank or any other organization are not affiliated with, nor is it endorsed by, any of the companies mentioned. All trademarks and other intellectual property used or displayed are the ownership of their respective owners.
This article is intended for informational purposes only and does not constitute legal advice. Consult your own counsel for advice relating to your individual circumstances.
