NIST Cybersecurity Framework 2.0 – Overview of Changes

By Chris Roth, Zaviant

Last week, the National Institute of Standards and Technology (NIST) released its revised Cybersecurity Framework, CSF 2.0. As the first major update to the framework in 10 years, it brings both major and minor changes that will affect how organizations adhere to and implement it. With that said, let’s get into the overall changes and what they mean for organizations using this framework.

The statistical changes from CSF 1.1 to CSF 2.0 are as follows:

  • The overall number of Functions grew from 5 to 6.
  • The number of Categories (the subsets of cybersecurity concepts within the overarching Functions) dropped from 23 to 22.
  • The number of Subcategories (which identify detailed outcomes more specifically within the Categories) dropped from 108 to 106 overall.


This decrease in Categories and Subcategories is not a reduction in overall requirements so much as a maturing of the cybersecurity concepts that work together to give an organization a more granular approach to delivering a strong, multifaceted security posture.

The largest change in the updated framework is the addition of the Govern function. Governance was a category in CSF 1.1, and promoting it to a Function is a great improvement over the previous iteration. It focuses on the need for communication between technical implementation, procedural documentation, and overall management visibility, and on moving management buy-in into a more active role. With this addition as a Function, multiple Categories were created or pulled from across the framework to build out what this concept really looks like.

The associated categories are:

  • Organizational Context
  • Risk Management Strategy
  • Roles, Responsibilities, and Authorities
  • Policy
  • Oversight
  • Cybersecurity Supply Chain Risk Management


This last category, Cybersecurity Supply Chain Risk Management, introduces another prominent update to the framework. This concept has been honed and matured in the revision to spotlight a consistent need for organizations to identify, manage, and act upon risks associated with their upstream suppliers. The Subcategories in this section are easily digested, yet if fully implemented they would provide a mature basis for a Cybersecurity Supply Chain Risk Management program.

Apart from these main points, the changes to the framework as a whole were administrative: moving, combining, or separating out Categories that over the last 10 years have matured and changed as overarching concepts within the cybersecurity realm. One example is the introduction of a Platform Security category that includes Subcategories on secure software development, maintenance, configuration management, and continuous monitoring. Each of these concepts was covered in the previous version of CSF, but in a manner that did not highlight how the processes work together to strengthen an organization’s overall security posture.

Another change along the same line of thought was the creation of a single Improvement category within the Identify function, which combines the continuous-improvement requirements that were spread across nearly all of the Functions in the 1.1 framework. This highlights the need for continuous improvement across all processes as one of the major signs of maturity within an organization’s cybersecurity posture.

Overall, CSF 2.0 looks like a great upgrade from its predecessor, increasing the potential for organization-wide buy-in through the Govern function and the multiple administrative updates throughout.
