Why did NIST add Governance in version 2.0 of the Cyber Security Framework (CSF)?

The National Institute of Standards and Technology’s Cyber Security Framework (NIST CSF) was originally developed to guide cyber best practices for ‘critical infrastructure’, including power and water plants. CSF has since been embraced as a framework for organizations of any size and sector, and as such, the wording ‘for critical infrastructure’ has been dropped.

One of the biggest changes in version 2.0 of the NIST CSF is the addition of Govern to the Framework Core Functions—joining Identify, Protect, Detect, Respond, and Recover—aimed at organizing cybersecurity outcomes at their highest level.

As might be expected, with the new emphasis on Governance, risk plays a much bigger role in the subcategories themselves. In version 1.1, risk was mentioned 28 times, and in 2.0, it is mentioned 47 times. The quality and effectiveness of your risk program are pivotal to achieving your alignment target.

A greater emphasis is placed on governing organizations’ supply chains. This makes sense: as organizations become more cyber-resilient, threat actors have pivoted to supply chain attacks as their attack vector.

A new category called ‘improvements’ focuses on building a program and then maintaining and improving it over time. This aligns with Foresite’s adoption of Managed Compliance for ongoing tracking and reporting of your alignment to NIST and/or other recognized framework(s).

The new ‘implementation examples’ can help show how to implement the controls and provide a deeper understanding of them.

NIST CSF 2.0 by the numbers – Functions increased from 5 to 6, categories went from 23 to 21, subcategories from 108 to 106, and 16 new subcategories were added.

According to NIST, the Govern function is designed to be “cross-cutting,” meaning it plays a crucial role in shaping how an organization implements the other functions. While all the framework functions are interconnected, Govern is specifically intended to unify and integrate them.

In practice, enhancing your Govern capabilities should lead to improvements across other functions and categories as well. Identifying weaknesses within the Govern function can help you pinpoint and address specific areas in other functions, ultimately boosting your overall effectiveness.
