The final version of the NIST Cybersecurity Framework 2.0, which was first introduced as a draft in August 2023, has now been officially released. This updated framework builds upon the foundational principles of its predecessor, working closely with the cybersecurity community to incorporate new insights and feedback, thereby enhancing its applicability and effectiveness in addressing today’s evolving cyber threats.
What is the NIST Cybersecurity Framework 2.0?
NIST Cybersecurity Framework 2.0, released by the National Institute of Standards and Technology (NIST), provides guidance for reducing cybersecurity risks by assisting organizations in understanding, assessing, prioritizing, and communicating these risks, as well as implementing actions and resources to minimize them. It is designed for organizations of all sizes, from small businesses to large enterprises, across various sectors including industry, government, academia, and nonprofit organizations. It applies to any organization’s cybersecurity program, regardless of its maturity level. NIST CSF 2.0 features a reference tool that cybersecurity teams can utilize to collect guidance data, alongside a searchable catalog and a broad array of references designed to assist in the implementation of the new framework.
What is the CSF Core?
The CSF Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. It provides a comprehensive yet flexible framework to ensure an organization’s cybersecurity measures are aligned with its risk management priorities. According to the CSF 2.0 document it is “a taxonomy of high-level cybersecurity outcomes that can help any organization manage its cybersecurity risks. The CSF Core components are a hierarchy of Functions, Categories, and Subcategories that detail each outcome” (National Institute of Standards and Technology).
Overview of Framework Core Functions (FCS)
The CSF Core is divided into six main Framework Core Functions (FCS), which together provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. These functions are:
GOVERN (GV): The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
This Function offers outcomes to guide an organization in achieving and prioritizing the results of the other five Functions, within the context of its mission and stakeholder expectations.
IDENTIFY (ID): The organization’s current cybersecurity risks are understood.
Understanding an organization’s assets, suppliers, and cybersecurity risks allows for prioritizing efforts in line with its risk strategy and mission needs, as outlined in “Govern.” This function also identifies ways to enhance policies and practices supporting risk management across all six functions.
PROTECT (PR): Safeguards to manage the organization’s cybersecurity risks are used.
After identifying and prioritizing assets and risks, the “Protect” function secures assets to reduce the chance and impact of cyber events, and to enhance the potential for seizing opportunities. It covers identity management, access control, training, data security, platform security, and technology resilience.
DETECT (DE): Possible cybersecurity attacks and compromises are found and analyzed.
The “Detect” function is used to identify and analyze unusual activities, potential security breaches, and warning signs of cyber attacks, facilitating effective incident response and recovery efforts.
RESPOND (RS): Actions regarding a detected cybersecurity incident are taken.
The “Respond” function enhances the capability to limit the impact of cybersecurity incidents. It encompasses managing incidents, analyzing them, reducing their effects, reporting on them, and communicating about them.
RECOVER (RC): Assets and operations affected by a cybersecurity incident are restored.
The “Recover” function aids in quickly restoring normal operations after a cybersecurity incident, lessening its impact and supporting clear communication during recovery efforts.
Each function is divided into Categories that provide more specific guidance. These categories serve as high-level topics to address within each function. Subcategories are further detailed actions or controls within each category. They provide specific tasks and recommendations that organizations can implement to achieve the objectives of the framework.
The framework also includes implementation examples and informative references such as standards, guidelines, and best practices that organizations can use to implement the framework effectively.
A Step-by-Step Guide to Using the Framework
Now, let’s briefly describe and explain the step-by-step procedure for utilizing the NIST Cybersecurity Framework 2.0, guiding organizations from scoping the Profile to implementing continuous improvement strategies. See the schematic representation of the procedure below.
Current Profile and Target Profile in the CSF 2.0
Based on the selected outcomes from the above-mentioned Framework Core Functions (FCS), the organization has to begin creating a Current Profile and a Target Profile.
Current Profile covers the Core’s outcomes that an organization is currently achieving (or attempting to achieve) and characterizes how or to what extent each outcome is being achieved.
A Target Profile covers the desired outcomes that an organization has selected and prioritized from the Core for achieving its cybersecurity risk management objectives. A Target Profile takes into account anticipated changes to the organization’s cybersecurity posture, such as new requirements, new technology adoption, and cybersecurity threat intelligence trends.
How To Create CSF Profiles
Creating Profiles means filling in the elements for each selected Core outcome. Initially, company must decide which CSF outcomes it aims to achieve or assess. Subsequently, it is essential to identify the types of information necessary for the chosen CSF outcomes and properly document this information.
The Framework does not prescribe specific standards, guidelines, or practices to meet the outcomes. Rather, it gives organizations the flexibility to assess their own cybersecurity outcomes in different ways and does not prescribe a single approach. To prepare the Profile, the company must document the high-level facts and assumptions that will form the basis of the Profile and define its scope. It is crucial to gather the information needed to prepare the Profile. These information may include:
organizational policies,
risk management priorities and resources,
enterprise risk profiles,
business impact analysis (BIA) registers,
cybersecurity requirements and standards followed by the organization,
practices and tools (e.g., procedures and safeguards),
work roles.
Comparing Created Current Profile and Target Profile
In the next step Profiles are compared and an action plan is created. Identifying and analyzing the gaps between Current and Target Profiles is essential. Through gap analysis, organizations pinpoint discrepancies and develop a prioritized action plan, utilizing tools like risk registers and Plans of Action and Milestones (POA&M). This plan acts as a roadmap to systematically address vulnerabilities and advance the organization’s cybersecurity maturity towards its desired state.
Implementing the Action Plan and Embracing Continuous Improvement
Implementing the action plan and updating the Organizational Profile are crucial final steps in the process. By following the action plan, organizations can effectively address identified gaps, steering them closer to their Target Profile. The action plan could be designed with an overarching deadline or set to be an ongoing effort, depending on the specific needs and strategies of the organization.
Recognizing the significance of continual improvement, it’s essential for organizations to regularly revisit and repeat these steps as often as necessary. This iterative process ensures that the organization remains aligned with its cybersecurity goals and adapts to evolving threats and changes in its operational environment.
What are Tires in NIST CSF 2.0
While fulfilling the created action plan organization can choose the Tire to follow. Selected Tire sets the overall tone for how cybersecurity risks will be managed within the organization, and determines the effort required to reach a selected Tier. The Tiers characterize the typical rigor of the cybersecurity risk governance and management practices throughout an organization, including third-party cybersecurity risks. There are four Tires:
Tier 1: Partial,
Tier 2: Risk Informed,
Tier 3: Repeatable,
Tier 4: Adaptive.
Where PAM Fits In: Strengthening Cybersecurity Across Key Framework Functions
Privileged Access Management (PAM) plays a crucial role in addressing most recent cybersecurity challenges, closely aligning with the “Protect” (PR) and “Detect” (DE) functions of the NIST CSF 2.0. By managing and monitoring privileged accounts, PAM systems are essential for protecting critical infrastructure and sensitive data from unauthorized access and potential breaches. They directly enhance the “Protect” function through the enforcement of strict access controls and implementation of multi-factor authentication, in line with the principle of least privilege, while also generating logs for comprehensive monitoring and auditing. PAM supports also the “Detect” function through continuous monitoring for unusual access patterns or security incidents, enabling rapid detection of potential threats. This entails closely monitoring the use of technology within the organization and the actions and services of external providers to identify security threats at an early stage.
Beyond these direct contributions, PAM also offers invaluable indirect support to the “Respond” (RS) function by providing the necessary data for analysis, which helps in identifying the events and root cause of an incident.
Conclusion
Remember, the NIST CSF 2.0 is an essential tool for any business aiming to secure its digital presence and operational technology. It offers users extensive NIST resources, guiding them towards building robust and secure systems. By adopting this framework, a business can safeguard its assets and provide a secure environment for its users, thereby setting a standard in cybersecurity practices.