The National Institute of Standards and Technology (NIST) published its Cybersecurity Framework (CSF) as a resource and guide for organizations looking to build or update their cybersecurity program. The NIST CSF is an optional framework for most organizations; however, its guidance is incorporated by reference into many other optional and mandatory policies and standards.

The NIST CSF has existed since 2014 and has undergone several updates since. However, a recent overhaul of the framework was designed to address evolving cybersecurity threats and some of the primary shortcomings of corporate cybersecurity programs. 

Inside the NIST CSF Changes 

Version 2.0 of the NIST CSF will include a wide range of changes. Some of the most significant areas of focus include supply chain management, corporate security governance, metrics and measurement, and integration of existing frameworks. 

Supply Chain Management 

Supply chain attacks have been a growing threat to corporate cybersecurity in recent years. Companies face a range of supply chain security threats, including the compromise of trusted partners and vendors (as in the SolarWinds hack) and the presence of vulnerable code or malicious functionality in trusted third-party libraries and code (as in Log4j).

Supply chain management will be one of the core changes included in the new version of the framework. Historically, many companies have lacked visibility into their supply chains and the risk that they pose. These updates will provide guidance for companies looking to create or mature a third-party risk management (TPRM) program. 

Security Governance 

A common challenge that security departments face is a lack of board access and representation. Most C-level executives come from a non-technical, business background, and CISOs often report to the CIO rather than the CEO. As a result, executives can lack visibility into corporate cybersecurity risk, and security teams can struggle to communicate their needs and impact. 

Prompted by Executive Order 13636, Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive 21 (PPD-21), NIST CSF 2.0 will include additional guidance regarding cybersecurity governance. As part of this, the framework will highlight the responsibility that senior leadership has for corporate cybersecurity. The updates also discuss how executives can manage this responsibility by implementing an effective cybersecurity risk management strategy. 

Metrics and Measurement 

One of the main contributors to cybersecurity’s governance challenges is the difficulty of measuring the effectiveness of a cybersecurity program. Because a program’s main impact is the cyberattacks it prevents or mitigates, it is difficult to estimate the exact amount of money the program has saved.

In version 2.0 of the CSF, NIST will include additional guidance for measuring and assessing a cybersecurity program. With the ability to more accurately measure program maturity and effectiveness, an organization can better calculate ROI and perform strategic planning to further mature the program. 

Framework Integration 

Like many regulations and standards, the NIST CSF is rather slow-moving. The standard is revised only every few years, and version 2.0 is its first major overhaul in nearly a decade.

Since its creation, many new laws and standards have emerged that focus on areas such as privacy. The update to the standard will include elements from resources such as NIST’s Privacy Framework. 

How MorganFranklin Can Help 

The NIST CSF is a non-binding standard, so compliance is not an issue for most organizations outside of those selling to and servicing the federal government. However, the recommendations and guidance that it provides can be invaluable for an organization looking to improve its protection against cyber threats or maintain compliance with other regulations that draw from the standard. 

MorganFranklin has deep expertise in supply chain risk management and designing and assessing cybersecurity programs. Our analysts can help your organization to develop and execute a strategy for implementing the new recommendations of the updated NIST CSF. 

Talk to one of our experts today.