NIST CSF 2.0 brings new content to broaden its audience and new tools to help ease implementation.
By Jeffrey T. Lemmermann, CPA, CISA, CITP, CEH
In 2013, the National Institute of Standards and Technology (NIST) began development on a program to help private-sector businesses better understand, manage and reduce cybersecurity risk. That effort, geared for organizations that were part of the United States’ critical infrastructure, resulted in the NIST Cybersecurity Framework (CSF). In February of this year, version 2.0 of that framework was released.
The NIST CSF wasn’t the first framework targeting information systems, not even within NIST itself. NIST SP 800-53 has been around far longer, and it’s designed to help organizations establish security controls for federal information systems. But for small and medium-sized organizations, 800-53 can be intimidating because of its complexity and sheer size. This is where the CSF fits in. The main focus of the CSF now is to help businesses of any size, any sector and any level of complexity manage and reduce risk.
Here is how version 2.0 has been changed to help put the CSF into practice — for all organizations:
The sixth function: Govern
Prior to the update there were five functions, representing the key pillars that make up a complete cybersecurity program. All functions relate to each other, and each function has specific categories and subcategories that describe the specific controls or actions to implement.
The sixth function, Govern, addresses the need to establish and maintain processes that support the overall information security program’s development and enforce its requirements. Notice in the charts how NIST depicts this function as a ring inside the other five. This portrays how all other functions rely on governance for their continued support and development:
Govern (GV) looks at how an organization assesses cybersecurity risk, assigns roles, provides oversight and develops cybersecurity-related policy. It is divided into the following six categories, each of which has a variety of subcategories:
- Organizational Context (GV.OC): Five subcategories addressing risk management.
- Risk Management Strategy (GV.RM): Seven subcategories describing how risk is measured and applied to decisions made by the organization.
- Roles, Responsibilities, and Authorities (GV.RR): Four subcategories addressing which positions are implementing and enforcing various controls.
- Policy (GV.PO): Two subcategories about how policy is established, communicated, and enforced.
- Oversight (GV.OV): Three subcategories addressing how the risk management strategy is updated and adjusted.
- Cybersecurity Supply Chain Risk Management (GV.SC): Ten subcategories on risk management in the cybersecurity supply chain.
Controls are identified under their functions and categories. For example, the subcategory “Cybersecurity is included in human resources practices” is the fourth item under Roles, Responsibilities and Authorities. It would have the designation GV.RR-04. In total, there are 31 new controls to consider as part of the Govern function.
New tools
Reference tool
One very useful tool that doesn’t look like much at first glance is the NIST CSF 2.0 Reference Tool, located online at https://csrc.nist.gov/Projects/cybersecurity-framework/Filters#/csf/filters.
In prior versions, NIST provided a spreadsheet version of the entire framework. With this new tool, you can modify the framework before exporting a spreadsheet version. For example, if you want to cross-reference the controls with the Center for Internet Security’s guidance or just want CSF items that apply to a specific NIST family, both can be accomplished with this tool.
Whether you are an auditor looking for an audit program or an implementor of the framework controls, this tool puts the framework at your fingertips.
Quick-start guides
There are a number of guides that can help organizations adopt or improve their adoption of the framework. One of the most useful for organizations that have not yet adopted a framework (or are just beginning the process) is the Small Business Quick-Start Guide. This guide helps organizations move from having unorganized policies and procedures to developing cybersecurity efforts that will support the formal adoption of the NIST CSF 2.0. This guide can assist organizations of any size as an on-ramp to the NIST CSF. It can be accessed directly at https://doi.org/10.6028/NIST.SP.1300.
Community profiles and implementation examples
If you are looking for examples of how other organizations are utilizing the CSF, NIST provides two great resources:
Community profiles: These profiles detail how the CSF is utilized by multiple organizations in a community. The NIST National Cybersecurity Center of Excellence has worked with communities to develop community profiles for a variety of use cases. The goal is to help organizations understand how their peers are leveraging the framework. These profiles are available for versions 1.0, 1.1 and 2.0 of the CSF and can be viewed at https://www.nccoe.nist.gov/examples-community-profiles.
Developing your own organizational profile will help define the current state and the ultimate target state of your cybersecurity posture. In a profile, you can define, tailor, assess, prioritize, and communicate outcomes by considering an organization’s mission objectives, stakeholder expectations, threat landscape and requirements. This will allow you to prioritize actions and better utilize resources. Guidance for developing this profile is available at https://doi.org/10.6028/NIST.SP.1301.
Implementation examples: If you are looking for more detail than the profiles offer, these examples can give more of a step-by-step look at how other organizations have implemented the CSF. Many organizations with different needs, different sizes and different goals use the framework. These examples can help organizations find a similar use case, and they provide the early adoption steps that can help overcome the initial hurdle in adopting a framework.
Continuing support
This update to the CSF represents a major milestone in NIST’s support of the framework. After its initial publication in 2014, the CSF was updated in 2018 to version 1.1; version 2.0 makes the framework much more adoptable by organizations of many sizes and levels of technical complexity. More importantly, it signals the importance of the framework to NIST and indicates that the tools developed to assist in implementing the CSF will continue to improve.
Ultimately, the CSF should be viewed as a flexible resource that can help organizations enhance their overall cybersecurity maturity. Version 2.0 adds depth and, more importantly, tools that can help organizations in their mission to better protect their information assets.
Jeffrey T. Lemmermann is an information assurance auditor and consultant for SynerComm and is the Wisconsin Champion for the Certified Information Technology Professional program. Connect with him on LinkedIn at: https://www.linkedin.com/in/jefflemmermann/