Other paths lead to NIST's updated cybersecurity framework, which now includes quick-start guides aimed at specific audiences, success stories describing other organizations' implementations, and a searchable catalog of informative references that allows users to cross-reference the framework's guidance with over 50 other cybersecurity documents. Credit: N. Hanacek/NIST

The National Institute of Standards and Technology (NIST) has updated the Cybersecurity Framework (CSF), its landmark guidance document for reducing cybersecurity risks. The new 2.0 edition is designed for all audiences, industry sectors, and organization types, from the smallest schools and nonprofits to the largest agencies and businesses, regardless of their level of cybersecurity sophistication.

In response to the many comments received on the draft, NIST has expanded the CSF's core guidance and developed related resources to help users get the most out of the framework. These resources are designed to provide personalized pathways to the CSF for different audiences and facilitate implementation of the framework.

The CSF has been an essential tool for many organizations, helping them anticipate and address cybersecurity threats, said Laurie E. Locascio, Under Secretary of Commerce for Standards and Technology and Director of NIST. The CSF 2.0, which builds on previous versions, is not just a simple document. It is a suite of resources that can be customized and used individually or in combination over time, as an organization's cybersecurity needs evolve and its capabilities evolve.

The CSF 2.0, which supports the implementation of the National Cybersecurity Strategy, has an expanded scope that extends beyond the protection of critical infrastructure, such as hospitals and power plants, to all organizations across all sectors. It also emphasizes governance, which encompasses how organizations make and execute informed decisions regarding cybersecurity strategy. The governance component of the CSF highlights that cybersecurity is a major source of business risk that senior leaders should consider alongside other sources such as finance and reputation.

Developed in close collaboration with stakeholders and reflecting the latest cybersecurity management challenges and practices, this update aims to make the framework even more relevant to more users in the United States and abroad, according to Kevin Stine, head of NIST's Applied Cybersecurity Division.

Following an executive order, NIST first published the CSF in 2014 to help organizations understand, reduce, and communicate cybersecurity risks. The core of the framework is now organized around six key functions: identify, protect, detect, respond and recover, as well as the newly added governance function of CSF 2.0. Considered together, these functions provide a complete view of the cybersecurity risk management lifecycle.

The updated framework anticipates that organizations will come to the CSF with varying needs and degrees of experience implementing cybersecurity tools. New users can learn from other users' success stories and select their topic of interest from a new set of implementation examples and quick-start guides designed for specific types of users, such as small businesses, enterprise risk managers and organizations looking to secure their supply chains.

A new CSF 2.0 reference tool now simplifies how organizations can implement the CSF, allowing users to browse, search and export data and details of the CSF core guidelines in human-consumable and machine-readable formats.

In addition, CSF 2.0 offers a searchable catalog of informative references that shows organizations how their current actions correspond to the CSF. This catalog allows an organization to cross-reference the CSF guidelines with more than 50 other cybersecurity documents, including others from NIST, such as SP 800-53 Rev. 5, a catalog of tools (called controls) for achieving specific cybersecurity outcomes.

Organizations can also consult the Cybersecurity and Privacy Reference Tool (CPRT), which contains an interrelated, searchable, and downloadable set of NIST guidance documents that contextualize these NIST resources, including the CSF, with other popular resources. The CPRT also provides ways to communicate these ideas to both technical experts and executives, so that all levels of an organization can stay coordinated.

NIST plans to continue improving its resources and making the CSF an even more useful resource for a broader set of users, Stine said, and feedback from the community will be crucial.

As users personalize the CSF, we hope they will share their examples and success stories, as this will allow us to amplify their experiences and help others, he said. This will help organizations, industries and even entire nations better understand and manage their cybersecurity risks.

The CSF is widely used internationally; versions 1.1 and 1.0 have been translated into 13 languages, and NIST expects CSF 2.0 to also be translated by volunteers around the world. These translations will be added to NIST's growing portfolio of CSF resources. Over the past 11 years, NIST's collaboration with the International Organization for Standardization (ISO), in conjunction with the International Electrotechnical Commission (IEC), has helped align several cybersecurity documents. ISO/IEC resources now enable organizations to create cybersecurity frameworks and organize controls using the CSF functions. NIST plans to continue working with ISO/IEC to further this international alignment.