Introduction
The Cyber Security Framework (CSF) of the National Institute of Standards and Technology (NIST) has been indispensable in helping organizations across North America implement mature and effective cybersecurity practices. Since 2022, NIST has embarked on significant enhancements to the framework, with the final release of NIST CSF 2.0 scheduled for early 2024.
This article will examine the transformative journey of CSF 1.1 to the forthcoming CSF 2.0, exploring the fundamental changes that organizations must undertake to align with the new framework and improve their cybersecurity practices.
Foundation overview
At its core, the CSF is built around three foundational elements: Core Functions, Implementation Tiers, and Framework Profiles.
Core functions: The original five functions of Identify, Protect, Detect, Respond, and Recover are all included in CSF 2.0. The new framework refines these concepts and introduces the Govern function, which describes how an organization should establish and monitor its expectations of its risk management strategy.
Framework profiles: Profiles represent an organization’s alignment of its business objectives, risk appetite, and resources against the desired outcomes of the Framework Core.
Implementation tiers: Tiers represent varying levels of rigor and the level to which an organization may integrate cybersecurity risk decisions into broader, organizational risk decisions. CSF 2.0 retains the four tiers used in previous versions: Partial implementation, Risk Informed implementation, Repeatable implementation, and Adaptive implementation.
Key changes that will be introduced in CSF 2.0
Introduction of the govern function: The introduction of the Govern function in CSF 2.0 represents a paradigm shift in how controls are implemented using the new CSF. This new function emphasizes the importance of strategic planning, internal decision-making, risk management, and compliance within the CSF. With an emphasis on effective oversight, the Govern function adds a crucial layer to the cybersecurity strategy, elevating the framework beyond technical guidance to encompass comprehensive organizational governance.
Focus on supply chain risk: In the wake of high-profile cyber incidents such as the 2019 SolarWinds breach, CSF 2.0 places greater emphasis on supply chain cybersecurity, sometimes known as third-party risk management. This shift aligns with broader regulatory frameworks like PCI-DSS version 4.0 and the CMMC version 2.0, which will align with the new US defense contractors’ cybersecurity requirements and is reinforced by controls described in special publications such as NIST 800-171 and NIST 800-172. Canada plans to introduce its own cybersecurity certification requirements in late 2024, which will be reciprocal to the US CMMC requirements.
Risk and performance-based cybersecurity: CSF 2.0 guides organizations toward an approach that incorporates risk-based compliance with performance-based benchmarks. This new paradigm calls for organizations to demonstrate modern Governance, Risk, and Compliance (GRC) approaches. The implementation of risk quantification across technological, operational, and enterprise strata signals a departure from conventional compliance-based strategies toward a more dynamic, risk-aware cybersecurity framework.
Expanded guidance on NIST CSF profiles: CSF 2.0 extends guidance through detailed examples and comprehensive step-by-step instructions for creating and utilizing profiles. The inclusion of a profile template in Appendix A of the NIST CSF 2.0 framework provides organizations with a structured framework to align their unique cybersecurity needs with their desired outcomes.
How MOBIA can help
Strategic realignment with analytics: MOBIA excels at leveraging advanced analytics to guide an organization through the complex journey of maturing its cybersecurity practice, quantifying risks and gauging its capabilities for a consistent, data-driven approach. Our service includes a review of your organization’s data lake strategy and implementation.
Quantitative risk management: MOBIA provides organizations with a robust framework for quantitative risk management, enabling informed decisions aligned with long-term cybersecurity objectives. This includes an integrated approach to examining your strategic, operational, and technical risks.
Transition to performance-oriented information security management: MOBIA equips organizations to transition seamlessly from a compliance-centric model to a performance-oriented cybersecurity strategy, fostering continual enhancement. This includes developing comprehensive reporting dashboards at the technical leadership level.
Data access governance mastery: MOBIA’s data governance experts help organizations master the complexities of the Govern function in CSF 2.0, ensuring control over critical data access aligns with governance and compliance. We provide a full review of your data governance program and data life cycle management process.
Continuous improvement paradigm: MOBIA focuses on developing a culture of continuous improvement, aiding organizations in proactively identifying threats, adapting to evolving compliance, and refining cybersecurity strategies over time. This includes a comprehensive annual review of your organization’s cybersecurity strategy.
Strategic planning and decision-making: MOBIA’s support extends beyond the transitional phase. We support an organization’s long-term cybersecurity strategy, ensuring dynamic and adaptive governance. This includes helping organizations build out their governance model and driving key messages to their executives.
Resource optimization: MOBIA helps organizations optimize resources over the long term, aligning cybersecurity efforts with risk and performance metrics. We can assist with cybersecurity planning, helping you prioritize security control implementations to provide a robust, cost-effective risk reduction strategy.
Conclusion
The new NIST CSF 2.0 will be an indispensable cybersecurity tool, providing organizations with an expanded scope, refined core functions, and improved overall guidance. Embracing this new framework is not merely a strategic imperative, it isa clarion call for organizations committed to navigating the complexities of a digital era.
As CSF 2.0 nears finalization, MOBIA stands ready to help organizations adopt the precepts of the new framework to improve their cybersecurity posture and deal with evolving threats. We can also help transition your cybersecurity practice from a compliance-based model to a risk and performance-based approach. This is a more dynamic and responsive strategy that better fosters a culture of continuous improvement and promotes more effective reporting to both technical leadership and upper management.
For more information, contact us at sales@mobia.io.
In partnership with
By
Ashif Samnani, Principal Security Architect