On the 26th of February, the American National Institute of Standards and Technology (“NIST”) released the second rendition of their Cyber Security Framework (“CSF”). Whilst this is not the first update to the CSF with V1.1 releasing in 2018, this marks the first time that NIST released a major revision to their CSF.
What is the Cyber Security Framework?
In brief, the CSF was created to serve as a guideline and a standard to aid organisations manage their cybersecurity risks. With its main tenets being Identify – Protect – Detect – Respond – Recover, it aims to aid organisations throughout every facet of cybersecurity.
Following NIST’s request to public feedback as to needs to be improved within the CSF, by virtue of the 2023 Discussion Draft: The NIST Cybersecurity Framework 2.0 Core with Implementation Examples, NIST has officially released the new updated framework.
What has changed from V1.1 to V2.0?
Whilst the new revision has plenty of minor changes, the major changes can be summarised to the following:
Title Simplification: The framework has undergone a notable name change, evolving from the formal “Framework for Improving Critical Infrastructure Cybersecurity” to the more concise “Cybersecurity Framework.” This adjustment aligns with its broadened applicability, now catering to a diverse array of organisations as was originally envisioned by NIST.
Enhanced Practicality: Users will benefit from newly incorporated implementation examples, designed to offer actionable insights and facilitate the attainment of CSF subcategories. In addition, revisions and expansions to the framework Profiles showcase their versatility across various organisational objectives.
Introduction of the ‘Govern’ Function: An addition to the framework comes in the form of the ‘Govern’ Function, offering valuable organisational context and delineating roles and responsibilities crucial for crafting robust cybersecurity governance models. Notably, a dedicated category within this Function addresses the pressing concern of cybersecurity supply chain risk management.
Emphasis on Continuous Improvement: The latest update places increased emphasis on the continual enhancement of cybersecurity measures, notably through the introduction of an “Improvement Category” within the Identify Function. This strategic shift underscores the framework’s commitment to fostering ongoing security evolution.
—
Need assistance with cybersecurity policies within your organisation? GTG is here to help! Contact Dr Ian Gauci for further information.