Examining NIST Cybersecurity Framework 2.0 and Its Value for Organizations

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 was launched in late February of this year with the first significant revisions to its decade-old initial framework. It is difficult to overstate the importance of sharing and re-sharing practices and standards that can help keep organizations and individuals alike safe from threat actors seeking to access and steal sensitive information. This article provides an overview of the fundamental principles of the NIST CSF and offers some insight into the value of the program's revisions for businesses.

What are the fundamental principles of NIST CSF 2.0?

The NIST CSF is built around six core functions, which are designed to provide a high-level, strategic view of an organization's management of cybersecurity risk.

1. Govern: This core component, the only one that was not part of the initial NIST CSF release, is focused on understanding the specific organization and its needs for cybersecurity improvements. According to the NIST glossary of terms, data governance refers to “a set of processes that ensures that data assets are formally managed throughout the enterprise. A data governance model establishes authority and management and decision-making parameters related to the data produced or managed by the enterprise.”

Within this component, there is primary attention paid to general risk management and a deep organizational understanding of the “roles, responsibilities, and authorities” involved in any facet of the cyber program. A particular focus is on the organization’s “policy, oversight, and inclusion [as it relates to] the supply chain”.

2. Identify: This facet focuses on developing an organizational understanding to manage cybersecurity risk to systems, assets, data, and internal capabilities, which can extend to personnel. Related guidance includes extending a focus to asset management, optimizing cyber awareness in the business environment, and developing a risk management strategy.

3. Protect: This function involves implementing appropriate safeguards to ensure the successful delivery of business-critical services. Protect includes considerations for access control—both to physical and digital systems—awareness and training, data security, and protections for information processes and procedures.

4. Detect: The fourth component of the CSF is about an organization developing and implementing the appropriate activities to identify the occurrence of a cybersecurity event. In other words, it covers how an organization increases visibility across its systems to better identify anomalies or suspicious activity, and how it implements continuous security monitoring and detection processes.

5. Respond: This element describes how organizations can act following a detected cybersecurity incident. Effective response requires organizations to develop a playbook that includes incident response planning, active incident communications, analysis, mitigation, and continuous improvement.

6. Recover: This element is about maintaining plans for ongoing cyber resilience and restoring any capabilities or services that were impaired following a cybersecurity event. In some ways, the Recover component is related to Respond in terms of recovery planning, process improvements, and active and post-incident communications.

The goal of the NIST CSF is to address critical infrastructure, resulting in a framework flexible enough to be used across all industries. This also makes it applicable to organizations of varying sizes. Integrating these principles into an organization's overall risk management processes and promoting a culture of shared responsibility for cybersecurity can produce a broader and more effective program. There are no one-size-fits-all blanket programs, which means the provided guidance might come across as vague.

Ultimately, for an organization to have the most robust, effective, and integrated cybersecurity posture, it requires a comprehensive audit of policies, procedures, roles, responsibilities, controls, and other aspects, performed by an experienced and ideally outside and objective vendor, to identify more precisely any gaps or vulnerabilities in the current program. From there a more robust program can be established, with the considerations for scalability and flexibility encouraged by the NIST framework.

What was updated for NIST 2.0?

The language and guidance within release 2.0 is more focused on ensuring cybersecurity programs are tailored to organizational needs and current infrastructure, as opposed to trying to establish, or create the appearance of, a copy-and-paste system. The past 10 years of technological improvements, including artificial intelligence, and the increased sophistication of threat actors have provided enough evidence of the need for highly individualized responses to increasingly targeted attacks.

As such, the updated Framework includes clearer guidance on the need for, and the importance of, establishing opportunities for enhanced integrations. Given the sheer impossibility of having organizations develop, implement, and manage every component of their specific cybersecurity program, there is a tremendous need to work cooperatively and establish complementary software and other related resources. The purpose of this flexibility, per the NIST release, is so that “an organization may choose to handle risk in one or more ways — including mitigating, transferring, avoiding, or accepting negative risks and realizing, sharing, enhancing, or accepting positive risks — depending on the potential impacts and likelihoods.” NIST has adapted its guidance to more closely reflect today's threat and technological landscapes. How specifically an organization integrates with other services or solutions is still up to that organization.

Since its release in 2014, the world has become exponentially more digitally interconnected with most organizations having migrated much of their data and operational resources to the cloud. Additionally, more organizations are now integrated with the global supply chain—either directly or through a third-party vendor—which means access to sensitive data has never been more available to those with the necessary credentials. Given both the sensitivity and criticality of the global supply chain, NIST has included a renewed focus on security functions for the supply chain and data privacy in general.

Furthermore, NIST has acknowledged that cybersecurity is not a static state. Organizations that do not consistently assess and identify vulnerabilities within their cyber program are opening the door to threat actors who have shown no indication of slowing down their cadence of attacks.

What is the “Value” of using the NIST Framework for Organizational Guidance?

In a sense, the value of the Framework stems from its adaptable nature: because every organization is unique in its structure, security staff, software configuration, and personnel knowledge, the best cyber program is custom to that environment. Michelle "Nikki" Ingram, AVP and Head of Cyber Advisory Services at SpearTip / Zurich Resilience Solutions, articulates the value of NIST 2.0 for all organizations concerned about their cyber resilience. She notes that the “NIST CSF gives an organization a framework on which to develop a cyber security risk management program and the flexibility to adapt it to their unique needs, all of which supports demonstrating their due diligence and adapting to an ever-evolving threat landscape.” The Framework is valuable because it captures the categories that need to be considered for security enhancements when developing such a program. The U.S. Federal Government has increasingly emphasized the importance of cybersecurity, and NIST's CSF 2.0 is a key part of those efforts.

Practically speaking, while NIST standards are voluntary, the U.S. Federal Government often requires businesses to follow these guidelines if they want to do business with it, especially for contracts involving sensitive information or critical infrastructure. For example, the United States Department of Defense (DoD) has implemented the Cybersecurity Maturity Model Certification (CMMC) program, which requires defense contractors to be certified against a set of cybersecurity practices and processes based on NIST standards. However, the specifics can vary depending on the agency and the nature of the work. Not all agencies may require strict compliance with the NIST CSF, but demonstrating a robust commitment to cybersecurity can only be beneficial when seeking to do business, whether with one individual or a department of the federal government.

Anyone looking for a handbook detailing step by step how to precisely implement a robust, effective, or financially feasible cybersecurity program may be disappointed. While the NIST CSF 2.0 is not that, what it does provide is an excellent framework against which any organization seeking to improve its current posture can assess and measure itself. To achieve cyber maturity, an organization should consult with an experienced team of cybersecurity professionals to build the best possible program based on the specific needs of that organization.

The information in this newsletter publication was compiled from sources believed to be reliable for informational purposes only. This is intended as a general description of certain types of managed security services, including incident response, continuous security monitoring, and advisory services available to qualified customers through SpearTip, LLC, as part of Zurich Resilience Solutions, which is part of the Commercial Insurance Business of Zurich Insurance Group. SpearTip, LLC does not guarantee any particular outcome. The opinions expressed herein are those of SpearTip, LLC as of the date of the release and are subject to change without notice. This document has been produced solely for informational purposes. No representation or warranty, express or implied, is made by Zurich Insurance Company Ltd or any of its affiliated companies (collectively, Zurich Insurance Group) as to their accuracy or completeness. This document is not intended to be legal, underwriting, financial, investment or any other type of professional advice. Zurich Insurance Group disclaims any and all liability whatsoever resulting from the use of or reliance upon this document. Nothing express or implied in this document is intended to create legal relations between the reader and any member of Zurich Insurance Group. Certain statements in this document are forward-looking statements, including, but not limited to, statements that are predictions of or indicate future events, trends, plans, developments or objectives. Undue reliance should not be placed on such statements because, by their nature, they are subject to known and unknown risks and uncertainties and can be affected by numerous unforeseeable factors. The subject matter of this document is also not tied to any specific service offering or an insurance product nor will it ensure coverage under any insurance policy.
No member of Zurich Insurance Group accepts any liability for any loss arising from the use or distribution of this document. This document does not constitute an offer or an invitation for the sale or purchase of securities in any jurisdiction.

In the United States, Zurich Resilience Solutions managed security services are provided by SpearTip, LLC.

Copyright © 2024 SpearTip, LLC
Lisa Dutkanych, MBA, MHFA (Head of Strategy, Marketing and Business Planning VP at Zurich North America), 7mo:
Great article!

Dan Ackerman (Cyber Resilience Architect), 7mo:
Well Done!!