The NIST Cybersecurity Framework 2.0 (CSF) is entering its final stages before implementation in 2024. Now that the public comment period informing decisions on the framework concluded in May, it is time to learn what to expect from the changes to the guidelines.
The updated CSF is aligned with the Biden administration’s national cybersecurity strategy, according to Cherilyn Pascoe, senior technology policy advisor at NIST, speaking at the RSA 2023 conference. This positions the new CSF as a resource for developing cybersecurity risk management strategies.
When used as a risk management resource, the CSF can be applied in the context of the National Cybersecurity Strategy’s five pillars, Pascoe said. These pillars are:
- Defend critical infrastructure
- Disrupt and dismantle threat actors
- Shape market forces to drive security and resilience
- Invest in a resilient future
- Forge international partnerships to pursue common goals.
One of the main objectives of the CSF is to enable organizations to build their cybersecurity strategy by identifying risks and improving the risk management process. The updated framework will focus on improving risk management – crucial in the modern cybersecurity landscape.
The original CSF has five functions: identify, protect, detect, respond and recover. CSF 2.0 will add a sixth function: govern.
This function reinforces the importance of cybersecurity risk management to business and compliance outcomes. The govern function will focus on policies and procedures and on the roles and responsibilities of the security team. The desired outcome is for organizations to assess and prioritize risks based on policies, then define team member responsibilities for addressing potential threats.
The govern function includes a section focused primarily on risk management. In previous versions of the CSF, risk management was covered by a different function (identify); it is now covered more fully by the govern function, with its own subcategory. The preliminary discussion draft of CSF 2.0 lists the following guidelines:
- GV.RM-01: Cybersecurity risk management objectives are established and agreed to by the organization’s stakeholders.
- GV.RM-02: The cybersecurity supply chain risk management strategy is established, agreed to by organizational stakeholders, and managed.
- GV.RM-03: Risk appetite and tolerance statements are determined and communicated based on the organization’s business environment.
- GV.RM-04: Cybersecurity risk management is considered a part of enterprise risk management.
- GV.RM-05: A strategic direction outlining appropriate risk response options, including cybersecurity risk transfer mechanisms (e.g. insurance, outsourcing), investments in risk mitigation and acceptance, is established and communicated.
- GV.RM-06: Responsibility and accountability are determined and communicated to ensure that the risk management strategy and program are resourced, implemented, evaluated and maintained.
- GV.RM-07: The risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks.
- GV.RM-08: Effectiveness and adequacy of the cybersecurity risk management strategy and results are evaluated and reviewed by the organization’s leaders.
GV.RM-05 through GV.RM-08 are new additions to CSF 2.0, created for this new function.
Well-defined leadership roles go hand in hand with the govern function. In its section on roles and responsibilities, GV.RR-01 states: “Organizational leadership takes responsibility for decisions associated with cybersecurity risks and establishes a culture that is risk-aware, behaves ethically and promotes continuous improvement.”
The supply chain and its security risks have been a hot topic for some time. A few years ago, NIST added guidelines to the CSF regarding supply chain security. In CSF 2.0, the guidelines will be expanded to cover supply chain risk management. This follows other government initiatives to strengthen supply chain security. Although the CSF has not proposed specific metrics for supply chain risk management, different scenarios will likely provide examples of risks and of functions designed to address threats.
Risk management levels
These likely changes and updates to the CSF will improve the framework’s four implementation tiers, which NIST defines as “a lens through which to view the characteristics of an organization’s approach to risk – how an organization perceives cybersecurity risk and the processes in place to manage that risk.”
The tiers describe four different levels of an organization’s risk management program: partial, risk-informed, repeatable, and adaptive. They measure how well the organization integrates its decisions about cybersecurity risks into overall business risk. Implementation of the framework also examines how the company shares risk information with third parties.
Organizations manage their risk management journey themselves. They determine the level that best aligns with current levels of risk governance that meet business objectives. However, these levels are not just a definition of cybersecurity maturity. Rather, they allow the company to have a broader view of its overall cybersecurity risk tolerance. As the organization follows the framework, it can establish a risk profile and develop a target profile to achieve.
How will CSF 2.0 continue to evolve?
The updated CSF 2.0 places greater emphasis on risk management. With its focus on supply chain risk and security, it also follows guidelines published by other sectors of the federal government. On the surface, it appears there is finally cohesion in the U.S. approach to cybersecurity, particularly in creating a niche for cybersecurity risk management within government agencies and private industries.
This is not to say that CSF 2.0 is perfect. Some risk areas still require special attention, such as remote work governance. Risk management standards are not designed to accommodate fully remote or hybrid workforces.
And just as CSF 2.0 has recognized that supply chain security adds higher levels of risk to organizations, it must step up its efforts to address growing threats from artificial intelligence, particularly from generative AI. Generative AI exploded onto the scene while the CSF 2.0 process was well underway; now it is impossible to ignore.
It may be too late to provide clear guidance on the potential risks of AI and propose a safety framework, but it cannot be left aside for too long. The potential threat is imminent and organizations will soon be looking for guidelines on how to manage the risks introduced by this new technology.