NIST framework updates
Last week, the National Institute of Standards and Technology (NIST) released a draft version of their Cybersecurity Framework (CSF) 2.0. Below we analyse the changes, what they could mean for your organisation and the opportunities they present.
While the five key NIST pillars of Identify, Protect, Detect, Respond and Recover all remain, there is a new underlying strand in Govern. This comes after more than a year of community feedback to NIST. The changes reflect the widespread adoption of the framework far beyond the initial intended use of the CSF for critical national infrastructure and high-regulation, high-risk industries such as Finance, Healthcare and Energy. These changes have been implemented with everyone in mind, through to SMEs and not-for-profits.
There is also more comprehensive guidance on implementation of the CSF, tailoring it to relevant scenarios for security leaders, and implementation examples for each sub-category. With greater structure and guidance to follow now, particularly for those with limited time and resources to manage their business risk aligned to the framework, many valuable outputs are achieved that enable your organisation to innovate, differentiate and grow, including:
- Greater interpretation, understanding, prioritisation and management of business risks;
- The ability to utilise the framework to tailor and flex an approach to managing risk which works for your environment;
- Promoting a culture of security awareness;
- Greater ability to assess and manage third party risk;
- Bringing greater structure to incident response planning; and
- Proving to your clients and other stakeholders your commitment to managing risk and protecting them, providing you with an additional competitive advantage and differentiator.
As highlighted, this updated version is currently in draft and subject to further amendments, though it has been stated that there are no plans for further drafts. Feedback on the changes is being taken up to 4th November 2023. Publication of the final version is planned for early 2024.
If you want to get ahead of the curve, understand how this potentially impacts your organisation and see how Amicis are supporting others in readiness for these changes, enquire at hello@amicisgroup.co.uk.
For the full press release, follow the feature here: https://www.nist.gov/news-events/news/2023/08/nist-drafts-major-update-its-widely-used-cybersecurity-framework