NIST Cybersecurity Framework 2.0: 4 Steps to Get Started

20 March 2024

The National Institute of Standards and Technology (NIST) has revised the book on creating a comprehensive cybersecurity program that aims to help organizations of every size be more secure. Here's where to start putting the changes into action.

The US National Institute of Standards and Technology (NIST) released the latest draft of its well-regarded Cybersecurity Framework (CSF) this week, leaving companies to work out how a few significant changes to the document affect their cybersecurity programs.

Between the new "Govern" function to incorporate greater executive and board oversight of cybersecurity, and the expansion of the best practices beyond just those for critical industries, cybersecurity teams will have their work cut out for them, says researcher.

"In many cases, this will mean that organizations have to take a hard look at existing assessments, identified gaps, and remediation activities to determine the impact of the framework changes," researcher says, adding that "new program gaps will emerge that previously may not have been present, especially with respect to cybersecurity governance and supply chain risk management."

The original CSF, last updated 10 years ago, aimed to provide cybersecurity guidance to industries critical to national and economic security. The latest version greatly expands that vision to create a framework for any organization intending to improve its cybersecurity maturity and posture. In addition, third-party partners and suppliers are now a significant factor to consider in the CSF 2.0.

Organizations need to look at cybersecurity more systematically to comply with regulations and implement the best practices from the document, researcher said in a statement.

"Making this guidance actionable will need to be a self-propelled effort from businesses," researcher said. "Guidance is just guidance, until it becomes law. The top-performing organizations will take it upon themselves to move toward a more business-centric approach to cyber-risk."

Here are four tips for operationalization of the latest version of the NIST Cybersecurity Framework.

1. Use All the NIST Resources

The NIST CSF is not just a document but a collection of resources that companies can use to apply the framework to their specific environment and requirements. Organizational and community profiles, for example, provide the foundation for companies to assess — or reassess — their cybersecurity requirements, assets, and controls. To make the process easier to start, NIST has also published QuickStart guides for specific industry segments, such as small business, and for specific functions, such as cybersecurity supply chain risk management (C-SCRM). 

The NIST resources can help teams understand the changes, says researcher.

"These can be highly valuable tools that can help companies of all sizes but are especially useful for smaller organizations," he says, adding that teams should "ensure your senior leadership team — and even your board of directors — understand how this will benefit the program [but] could create some maturity scoring [or] benchmarking inconsistencies in the short term."

2. Discuss Impact of "Govern" Function With Leadership

The NIST CSF 2.0 adds an entirely new core function: Govern. The new function recognizes that an organization's overall approach to cybersecurity needs to match the strategy of the business, be measured through operations, and be managed by security executives, with oversight from the board of directors.

Security teams should look to asset discovery and identity management to provide visibility into the critical components of a company's business and how workers and workloads interact with those assets. For that reason, the Govern function relies heavily on other aspects of the CSF, in particular the "Identify" function. Several components, such as "Business Environment" and "Risk Management Strategy," will be moved from Identify to Govern, says researcher.

"This new function supports evolving regulatory requirements, such as the SEC [data-breach disclosure] rules, which took effect in December 2023, and is likely a nod to the potential for additional regulatory actions to come," researcher says. "And it highlights the fiduciary role that leadership plays in the cybersecurity risk management process."

3. Consider Your Supply Chain Security

Supply chain risk gains more prominence in the CSF 2.0. Organizations can typically accept risk, avoid it, attempt to mitigate risk, share the risk, or transfer the issue to another organization. Modern manufacturers, for example, typically transfer cyber-risk to their buyers, which means that an outage caused by a cyberattack on a supplier can affect your company as well, says researcher.

Security teams should create a system to evaluate suppliers' cybersecurity posture, identify potentially exploitable weaknesses, and verify that the supplier's risk is not being transferred to its buyers, said researcher.

"Because vendor security is now expressly highlighted, many vendors may market themselves as having conforming practices, but companies will do well to scrutinize and pressure-test these representations," researcher says. "Seeking additional audit reporting and policies around these cybersecurity representations may become part of this evolving market."

4. Confirm Your Vendors Support CSF 2.0

Consulting services and cybersecurity posture management products, among others, will likely need to be re-evaluated and updated to support the latest CSF. Traditional governance, risk, and compliance (GRC) tools, for example, should be re-examined in light of the increased emphasis placed by NIST on the Govern function, says researcher.

Moreover, the CSF 2.0 puts additional pressure on supply chain management products and services to better identify and control their third-party risks, researcher says.

Researcher adds: "It is likely that existing tools and methods will see opportunities in the framework updates to improve their products and service offerings to better align to the expanded practice set."
