A cheat sheet for professionals


The National Institute of Standards and Technology has updated its Cybersecurity Framework for 2024. Version 2.0 of the NIST CSF, the first major update since the framework was released a decade ago, was created with the goal of expanding the core audience from critical infrastructure operators to organizations of every kind. Overall, the NIST CSF aims to give organizations a common, structured set of practices for managing cybersecurity risk.

TechRepublic's NIST CSF cheat sheet is an overview of this new government-recommended best practice and includes steps to implement the security framework.

What is the NIST Cybersecurity Framework?

The NIST CSF is a voluntary set of guidelines, best practices, and recommendations to improve cybersecurity and risk management at the organizational level. The goal of the CSF is to create a common language, a shared structure, and a set of easily executable objectives to improve cybersecurity and limit cybersecurity risk.

NIST has extensive documentation on the CSF on its website, along with links to frequently asked questions, industry resources, and other information organizations need to adopt the CSF.

Is the NIST Cybersecurity Framework for government use only?

The NIST framework is not just for government use: it can be adapted to companies of any size. The CSF is relevant to anyone who makes decisions about cybersecurity and cybersecurity risk in their organization, and to those responsible for implementing new IT policies.

The NIST CSF is voluntary for private organizations, meaning there is no penalty for those that choose not to follow it (federal agencies are a separate case: the 2017 executive order described below directs them to use it). Voluntary does not mean the NIST CSF is not an ideal starting point: it was designed for scalability and gradual implementation, so any company can use it to improve its security practices and reduce the likelihood and impact of a cybersecurity incident.

Does the NIST Cybersecurity Framework apply outside of the United States?

Although the NIST CSF is a US government publication, it can be useful to companies internationally. Through its Informative References, the NIST CSF maps its outcomes to standards from the International Organization for Standardization and the International Electrotechnical Commission. Version 2.0 will likely be translated by community volunteers in the future, NIST said. The cybersecurity outcomes described in the CSF are “sector, country, and technology neutral,” NIST wrote in Version 2.0.


Why was the NIST framework created?

The world of cybersecurity is fragmented, despite its increasing importance to daily business operations. Organizations don't share information, IT professionals and C-level executives skirt their own policies, and every organization speaks its own cybersecurity language. NIST's goal in creating the CSF is to bring a common vocabulary and structure to this fragmented landscape.

When was the NIST Cybersecurity Framework created?

Former President Barack Obama signed Executive Order 13636 in 2013, titled Enhancing Critical Infrastructure Cybersecurity, which laid the foundation for the NIST Cybersecurity Framework that was published in 2014.

Former President Donald Trump's 2017 cybersecurity executive order (Executive Order 13800) went a step further and required federal agencies to use the framework created under Obama's order to manage their cybersecurity risk.

NIST CSF version 2.0 was developed in alignment with the March 2023 National Cybersecurity Strategy issued under President Joe Biden.

What's new in version 2.0 of the NIST Cybersecurity Framework?

Version 2.0 of the NIST CSF expands the scope of the framework from critical infrastructure to organizations across all sectors and adds a new emphasis on governance. The new Govern function positions cybersecurity as one of the most important sources of business risk that senior business leaders should consider, alongside financial, reputational, and other risks.

NIST CSF 2.0 ships with quick start guides, an online reference tool, and guides for creating organizational and community profiles. The reference tool gives organizations a simpler way to browse and implement the CSF than was available for version 1.1.

NIST CSF version 2.0 adds:

  • The Govern function, which focuses on how organizations make and oversee informed decisions about their cybersecurity strategy.
  • Implementation examples and Informative References, which NIST will update online periodically rather than only with each new version of the document.
  • Organizational profiles, which help you describe your current cybersecurity state and the target state you want to move to.

What are the 6 main activities of the NIST Framework?

As of Version 2.0 of the NIST Framework, there are six core activities, or functions: Govern, Identify, Protect, Detect, Respond, and Recover. The functions are the highest-level grouping in the framework and are used to organize an organization's cybersecurity outcomes.

What are the four components of the NIST cybersecurity framework?

The framework is divided into four components: the Core, Organizational Profiles, Tiers, and Informative References.

Core

The core component is “a set of activities to achieve specific cybersecurity outcomes and references examples of guidance to achieve those outcomes.” Furthermore, it is divided into three elements: functions, categories and subcategories.

  • Functions: This element defines the six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Together they form a high-level, lifecycle view of managing cybersecurity risk, from deciding strategy and understanding what you have, through protecting it, to detecting, responding to, and recovering from incidents.
  • Categories: Each function contains categories that group related outcomes within it. For example, the Protect function includes identity management and access control, data security, and platform security.
  • Subcategories: These are further divisions of categories into specific outcomes. The data security category, for example, is divided into outcomes such as protecting data at rest, in transit, and in use, and creating, protecting, maintaining, and testing backups.

Organizational profiles

Profiles are both descriptions of an organization's current cybersecurity status and roadmaps toward the CSF outcomes that would give it a stronger security posture. NIST said keeping more than one profile, a Current Profile and a Target Profile, helps an organization find gaps in its cybersecurity implementation and plan the move from its present state to the desired one.

Profiles connect the functions, categories, and subcategories to the business requirements, risk tolerance, and resources of the organization.

Tiers

There are four implementation Tiers. The CSF documents do not treat them as maturity levels, but a higher Tier does reflect more rigorous and consistent cybersecurity risk governance and management. NIST considers the Tiers useful context for informing an organization's Current and Target Profiles.

  • Tier 1 (Partial): Tier 1 organizations have a reactive, ad hoc cybersecurity posture. They have little awareness of organizational cybersecurity risk, and whatever plans exist are performed inconsistently.
  • Tier 2 (Risk Informed): Management may approve cybersecurity measures, but implementation is still piecemeal and not organization-wide. These organizations are aware of their risks and have plans and resources, but they are not yet proactive.
  • Tier 3 (Repeatable): The organization has formally approved policies and practices applied consistently across the enterprise and can respond to incidents in a repeatable way. Employees are informed of the risks and of their responsibilities.
  • Tier 4 (Adaptive): Adaptive organizations do more than respond to cyber threats: they detect threats proactively and adjust their practices based on lessons learned, predictive indicators, and changes in their IT architecture and threat environment.

Informative references and other online resources

The Informative References provided with Version 2.0 of the CSF are documents, implementation steps, standards, and other guidelines mapped to the Core's outcomes. For example, a subcategory about keeping platform software patched might reference a document that describes how to update Windows PCs. In version 2.0, the Informative References, implementation examples, and quick start guides are published through the NIST CSF website rather than only within the CSF document itself, so NIST can update them without issuing a new version.

When is the NIST Cybersecurity Framework updated?

As the needs of organizations change, NIST plans to update the CSF continually to keep it relevant. Updates take into account feedback gathered at NIST's CSF events, sent by email from industry representatives, and submitted in response to the requests for comments and requests for information that NIST publishes.

What organizations can use the NIST Cybersecurity Framework?

The NIST CSF affects everyone who touches a computer for business purposes. IT teams and CXOs are responsible for implementing it, regular employees are responsible for following their organization's security policies, and business leaders are responsible for resourcing and training the security teams that protect their critical systems. Specifically, the new Govern function in NIST CSF 2.0 calls for communication channels between executives, managers, and practitioners, that is, anyone who has a stake in the technological health of the enterprise.

The CSF's influence on everyday work is likely to grow rather than shrink as it is more widely adopted and becomes the default reference for cybersecurity planning.

How can I implement the NIST Cybersecurity Framework?

Get started on implementing the CSF by visiting the NIST Cybersecurity Framework website. Of particular interest to IT decision makers and security professionals is the NIST Framework Resources page, where you will find methodologies, implementation guidelines, case studies, educational materials, example profiles, and more.

“The CSF does not prescribe how outcomes should be achieved,” NIST notes in the framework. “Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those results.”

The NIST CSF can improve the security posture of organizations large and small, and adopting it can position you as a leader in forward-thinking cybersecurity practice and help you avoid a catastrophic cybersecurity incident.
