A strong inverted example is how governments and court systems have struggled to keep up with emerging concerns in the evolving digital landscape. Policy gaps present loopholes that can be exploited. The same applies to information systems that don’t focus on improving cybersecurity against changing threats and attack vectors.
So it should come as no surprise that, despite regular updates since its initial implementation, the National Institute of Standards and Technology’s (NIST) cybersecurity framework (CSF) is being updated to version 2.0. More than just a simple patch, this new version represents a major overhaul of the framework and directly responds to new threats and technologies that have emerged in the past decade.
Let’s take a closer look at what to expect and what the changes will mean for your organization.
Why Is NIST Updating Its Cybersecurity Framework?
The NIST cybersecurity framework is a security standard used both domestically and internationally in both the private and public sectors. In the US, federal organizations are required to implement and adhere to the NIST and can be penalized for any breach of compliance.
In other words, the NIST CSF serves as a digital counterpart to OSHA safety standards and other policies that ensure safe and secure work processes. It’s designed to serve as a foundation for the implementation of cybersecurity management. And much like software updates, the framework has been retooled regularly since its inception. But it’s not foolproof, and it’s difficult for any policy or system to protect against threats that haven’t been invented yet.
Most importantly, the Institute has identified at least three axes on which the framework currently provides insufficient support to InfoSec efforts:
- Managing risks related to the supply chain
- Facilitating consistency and standardization for security evaluations and assessments
- Providing ample instruction and guidance regarding framework implementation
This is why the upcoming 2.0 update, making improvements for these three aspects of the framework, is the driving force for much of the overhaul.
Cybersecurity Frameworks and Supply Chain Risk Management
Many of the biggest privacy and data breaches in the past few years have been tied to issues with supply chains and third-party vendors. It’s difficult to protect what’s not currently in your care, whether physical devices or digital assets.
But organizations are often still liable for the critical infrastructure cybersecurity and privacy of the information they manage regardless of who actually performs tasks related to those assets. These are bucks that are not easy to pass; contracting an external organization to dispose of data-bearing drives, for example, doesn’t absolve a business of responsibility when those drives are mishandled after the hand-off.
This is a major area of concern, and the NIST 2.0 update is working to address the unique problems an increasingly interconnected virtual landscape faces.
Clarity of Framework Guidance
The needs, limitations, priorities, and pain points of a given organization’s digital environment are unique to that particular use case. The differences between each cybersecurity program regarding risk assessment and incident response can be so drastic as to make standardization and uniform approaches next to impossible.
NIST has traditionally responded to this need for fluidity and flexibility by leaving much of the implementation up to the teams doing the work. But while that can work for experienced teams with gracious budgets and timelines, most InfoSec and I&O departments are working under much tighter constraints and limited resources.
And, in many cases, in the absence of clear direction on how to shore up the digital defenses, staff are forced to make hard decisions and lean on suboptimal practices if they want to measurably improve security at all.
The forthcoming update also intends to address this shortcoming, providing better direction and instruction regarding specific techniques, policies, tactics, technologies, and threats.
Making the NIST Framework More Security Risk Assessment-Friendly
Just as dynamic circumstances make standardizing implementation difficult, it has historically been a challenge to evaluate the level of risk a system faces and the robustness of the system’s security in protecting against that risk. But without a way to grade security posture, both internally and for external partners, decisions regarding security improvements and third-party vendor agreements become veritable minefields.
The NIST CSF overhaul aims to make it easier for organizations and industries to conduct these assessments and for vendors who perform them to standardize and distribute the results.
“Governance” as a New, Cross-Cutting Function
A final major change comes in the form of the new cybersecurity governance function. With so many industries now being forced to adopt or comply with mandated regulations, it’s more important than ever for teams to have well-established processes for governing their systems and reducing risks.
Not much is available currently about how this new function will impact the framework as a whole, but professionals should be looking for the new framework to make cybersecurity governance a major component of building and maintaining security posture moving forward.
When to Expect the NIST CSF 2.0 Rollout
NIST has been working hard drafting, testing, and revising their updates throughout 2023. The feedback and input from organizations in various industries and verticals have helped shape many of the changes. While the process is a lengthy one, NIST expects an early 2024 release for version 2.0.
Preparing for the upcoming release is a good idea for any team that relies on NIST’s framework, but it can be hard to prepare for something when you don’t know the specifics. Looking at the available Cybersecurity Framework Version 2.0 Concept Paper and keeping up with any new NIST update can help, but the final release will almost certainly be markedly different than the current draft.
Both in the meantime, and in the wake of the upcoming release, RiskRecon is here to help. By equipping your organization with a wealth of cybersecurity tools and expertise, RiskRecon can help you assess your security posture, improve incident response, remediate areas of weakness, and navigate future threats and cybersecurity risk management.
Protecting your information systems is a battle you don’t have to fight alone. Get full visibility of the “battlefield” with RiskRecon by Mastercard.