The National Institute of Standards and Technology (NIST) has updated the manual for developing an all-inclusive cybersecurity program to help businesses of all sizes become more secure. This is where you should begin implementing the changes.
NIST updated their popular Cybersecurity Framework (CSF), a guidance document for reducing cybersecurity risk. The new 2.0 edition is designed for all audiences, industry sectors, and organization types, regardless of their level of cybersecurity competence.
For many businesses, the CSF has become an essential tool for anticipating and addressing cybersecurity threats.
“CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve,” said Laurie E. Locascio, Under Secretary of Commerce for Standards and Technology and NIST Director.
CSF 2.0 introduces a new function, "Govern," emphasizing the importance of governance in cybersecurity risk management. This addition stresses the significance of executive leadership and organizational culture in cybersecurity initiatives. The Framework also addresses supply chain risks, reflecting the increasing interconnectedness of organizations and the growing prevalence of supply chain attacks. By including guidance on supply chain risk management, the framework helps organizations strengthen their resilience against such threats.
The NIST CSF 2.0 incorporates updates and refinements based on feedback from stakeholders and emerging cybersecurity challenges. It builds upon the original framework released in 2014, emphasizing risk management, collaboration, and continuous improvement.
Organizations can begin by familiarizing themselves with the framework, assessing their current cybersecurity posture, aligning their practices with the core functions, and leveraging the available resources and tools provided by NIST.
Compliance with the framework is voluntary. However, it is widely recognized and adopted as a best practice for improving cybersecurity risk management.