What’s New in NIST's Cyber Framework?
While the original framework does an “excellent” job of establishing what must be included in a security operations program, it required updates for clarity and modernization that are included in version 2.0, says Ken Dunham, cyberthreat director at Qualys’s Threat Research Unit.
“Based on how frameworks are designed and deployed, what is core to a SecOps program does not change quickly over time,” Dunham says. “But there is a need over a period of years to improve clarity, alignment and modernization.”
Version 2.0 represents an appropriate change management control to upgrade a stable and strong cybersecurity framework, he adds.
When policies better define or set clear thresholds for what passes a benchmark, there is a greater understanding of how to determine what security controls or criteria must be implemented to meet that baseline, says Alice Fakir, federal cybersecurity services partner at IBM.
“There’s a strong focus on timeliness and reporting as part of the framework update,” Fakir says. “This updated framework is calling for better awareness and improvement of security controls around supply chain and third-party risk, but adding that layer of communication is critical.”
Adding a Suite of Cyber Resources
NIST created a holistic approach in version 2.0 based on the principles of identify, protect, detect, respond and recover, says Jason Porter, CTO of Optiv + ClearShark.
“NIST provided this to demonstrate that the framework starts at your core and builds out from there,” Porter says.
For example, the Cybersecurity and Privacy Reference Tool (CPRT) is an interconnected repository of NIST guidance documents that puts these resources, including the framework, in context alongside other widely used references. The CPRT also helps communicate these concepts to both technical experts and executive leadership, with the goal of fostering organizational coordination across all levels.
Quick-start guides are tailored to various user profiles including small businesses, enterprise risk managers and organizations aiming to enhance supply chain security.
The new CSF 2.0 Reference Tool is designed to streamline implementation by enabling users to browse, search and export data and details from the core guidance in both human-readable and machine-readable formats, Fakir says. The tool also includes a searchable catalog of references, enabling cross-referencing of current actions with the framework’s guidance and more than 50 other cybersecurity documents, including NIST’s Special Publication 800-53 Revision 5.
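The cross-referencing the Reference Tool is described as enabling can be reproduced offline once the core guidance has been exported in a machine-readable form. The following Python script is an added example written for this article, not code from NIST or from the Reference Tool; the JSON layout, the field names and the mapping of subcategories to SP 800-53 Revision 5 control identifiers are constructed assumptions for illustration, not NIST's official export schema or official informative references. It loads a small CSF-style export, compares each subcategory's referenced controls against a constructed list of controls an organization reports as implemented, and produces a covered/partial/gap report of the kind used to compare current actions with the framework's guidance.

```python
import json

# Constructed, illustrative excerpt shaped like a CSF 2.0 core export.
# Field names and control references are assumptions for this example,
# not NIST's official export format or official informative references.
CSF_EXPORT_JSON = """
{
  "functions": [
    {"id": "PR", "name": "Protect", "categories": [
      {"id": "PR.AA", "name": "Identity Management, Authentication, and Access Control",
       "subcategories": [
         {"id": "PR.AA-01",
          "text": "Identities and credentials for authorized users, services, and hardware are managed",
          "references": ["SP800-53r5:IA-2", "SP800-53r5:AC-2"]},
         {"id": "PR.AA-05",
          "text": "Access permissions, entitlements, and authorizations are defined and enforced",
          "references": ["SP800-53r5:AC-3", "SP800-53r5:AC-6"]}
       ]}
    ]},
    {"id": "DE", "name": "Detect", "categories": [
      {"id": "DE.CM", "name": "Continuous Monitoring",
       "subcategories": [
         {"id": "DE.CM-01",
          "text": "Networks and network services are monitored to find potentially adverse events",
          "references": ["SP800-53r5:SI-4", "SP800-53r5:AU-6"]}
       ]}
    ]}
  ]
}
"""


def iter_subcategories(core):
    """Walk the function -> category -> subcategory hierarchy of the export."""
    for fn in core["functions"]:
        for cat in fn["categories"]:
            for sub in cat["subcategories"]:
                yield fn["id"], cat["id"], sub


def coverage_report(core_json, implemented_controls):
    """Rate each subcategory as covered, partial or gap.

    A subcategory is 'covered' when every control it references is in the
    implemented list, 'partial' when only some are, and 'gap' when none are.
    The report also lists the referenced controls that are still missing.
    """
    core = json.loads(core_json)
    implemented = set(implemented_controls)
    report = {}
    for fn_id, cat_id, sub in iter_subcategories(core):
        refs = set(sub["references"])
        hit = refs & implemented
        if hit == refs:
            status = "covered"
        elif hit:
            status = "partial"
        else:
            status = "gap"
        report[sub["id"]] = {
            "function": fn_id,
            "category": cat_id,
            "status": status,
            "missing": sorted(refs - hit),
        }
    return report


def summarize(report):
    """Count subcategories per status for an executive-level summary."""
    counts = {"covered": 0, "partial": 0, "gap": 0}
    for entry in report.values():
        counts[entry["status"]] += 1
    return counts


if __name__ == "__main__":
    # Constructed list of controls an organization reports as implemented.
    current_controls = [
        "SP800-53r5:IA-2", "SP800-53r5:AC-2", "SP800-53r5:AC-3", "SP800-53r5:SI-4",
    ]
    rep = coverage_report(CSF_EXPORT_JSON, current_controls)
    for sub_id, entry in sorted(rep.items()):
        print(f"{sub_id:10} {entry['status']:8} missing={entry['missing']}")
    print(summarize(rep))
```

The value of the exercise is the `missing` list per subcategory: it turns a framework outcome into the concrete controls still to be implemented, which is the kind of baseline-versus-current-state comparison the article's sources describe.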
Version 2.0’s creation of more than a dozen community profiles is designed to give organizations within the same sector shared goals and outcomes as they face similar challenges, says Steve Vetter, senior global government strategist for Cisco.
“This has started a conversation, a sharing of data and a sharing of thoughts, ideas and approaches that are so critical overall,” Vetter says. “These profiles are now packaged in a way that makes it much easier to determine your current state and where you want to get to. That is going to be very helpful.”