The National Institute of Standards and Technology (NIST) and its Cybersecurity Framework (CSF) serve as a compass for organizations navigating cybersecurity. With functions like Identify, Protect, Detect, Respond, and Recover, the framework provides valuable insights and best practices for managing cybersecurity risks.
Enter NIST CSF 2.0, a refined and enhanced version born from collaboration among global experts spanning various industries and locations. Its mission is clear: extend assistance to a diverse array of organizations worldwide, transcending geographical boundaries. The objective is simple yet impactful: to equip organizations with the knowledge and tools necessary to comprehend, evaluate, and effectively address cybersecurity risks.
To deliver on this promise, NIST CSF 2.0 introduces several core changes that make the framework more holistic. The following key changes are crucial to making CSF more globally relevant:
- Global applicability for all segments and sizes
  - The previous scope of NIST CSF primarily addressed cybersecurity for critical infrastructure in the United States. While appropriate at the time, it was universally agreed that the scope had to expand to include global industries, governments, and academic institutions, and NIST CSF 2.0 does this.
- Focus on cybersecurity governance
  - Cybersecurity governance is an all-encompassing cybersecurity strategy that integrates organizational operations to mitigate the risk of business disruption due to cyber threats or attacks. It spans many activities, such as accountability, risk-tolerance definitions, and oversight, to name a few. These critical components map neatly across the five core pillars of NIST CSF: Identify, Protect, Detect, Respond, and Recover. Cybersecurity governance within NIST CSF 2.0 defines and monitors cybersecurity risk strategies and expectations.
- Focus on cybersecurity supply chain risk management
  - An extensive, globally distributed, and interconnected supply chain ecosystem is crucial for maintaining a strong competitive advantage and avoiding potential risks to business continuity and brand reputation. However, a sharp rise in cybersecurity incidents in recent years has exposed how far risk extends across technology supply chains. For this reason, integrating Cybersecurity Supply Chain Risk Management into NIST CSF 2.0 enables the framework to effectively inform an organization's oversight of, and communications about, cybersecurity risks across multiple supply chains.