As traditional cybersecurity focus areas have shifted to a broader set of risks, including software — and the software supply chain — one of the most enduring cybersecurity frameworks has received a facelift to match. The National Institute of Standards and Technology (NIST) has finalized and released its NIST Cybersecurity Framework (CSF) 2.0, the first major overhaul of the tool since it was rolled out in 2014.
In the past, the CSF was seen as a vehicle for protecting critical infrastructure, such as hospitals and power plants. With this latest version of the CSF, NIST hopes to expand its relevance to all audiences, from the smallest schools and nonprofits to the largest agencies and corporations, regardless of their degree of cybersecurity sophistication.
Prior versions of the CSF were built around five key functions — identify, protect, detect, respond, and recover — but version 2.0 adds a sixth: govern. Governance encompasses how organizations make and carry out informed decisions on cybersecurity strategy. The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside finance and reputation, for example.
Kevin Stine, chief of NIST’s Applied Cybersecurity Division, said in a statement about the new framework:
“Developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad.”
The govern function is the most significant change because of its emphasis on cybersecurity supply chain risk management (C-SCRM) and secure software development. At five years old, CSF 1.1 was overdue for an update that reflects the modern threat landscape, said Ben Chappell, CEO of Apona Security.
"The expansion into supply chain risks and source code review is critical, as witnessed by Log4J attack and others. Organizations are, and should be, responsible for the code that is both borrowed and developed."
—Ben Chappell
Here are the key changes in CSF 2.0 — and how your SecOps and AppSec teams can use it to improve your organization's risk management.
[ See Webinar: Breaking Down CSF 2.0 | Special: NIST CSF 2.0 and C-SCRM for SSCS Risk Management ]
Supply chain security addition is a 'huge improvement'
ReversingLabs field CISO Matt Rose said the inclusion of new governance guidance makes version 2.0 a "huge improvement" over CSF 1.1 — and an essential tool given the rise of software supply chain attacks.
"It's an improvement because the threats, vulnerabilities, and methods of attack have evolved rapidly over the past few years. Trying to stop the new landscape of cybersecurity risk with old techniques will result in an ineffective cybersecurity program."
—Matt Rose
The govern function is also receiving more broad praise for risk management. Bud Broomhead, CEO of Viakoo, said the addition was critical, adding that it should include ensuring that all systems are visible and operational and that there are enterprise-level security processes and policies in place.
"The addition of a sixth function, for govern, is a clear message to organizations that to be successful, there also must be actively managed policies and processes underpinning the other functional areas."
—Bud Broomhead
Brett Tucker, cyber-risk technical manager in the CERT division at Carnegie Mellon University's Software Engineering Institute, said the govern addition is a "stark" improvement over the original mode, because risk analysis and management must lend themselves to sound risk-based decision making. "The decomposition of a governance structure into components such as communication paths, authority, and responsibilities should empower organizations to delegate risk-based decision making to appropriate levels of the organization," he said.
Chad McDonald, CISO of Radiant Logic, said the govern function was key to a taking a comprehensive approach to risk management. "Govern empowers security executives to prioritize, manage, and communicate overall security strategy," he said.
Aligning security with the business is key
Making the govern function a pillar in the framework reinforces the idea that cybersecurity should not just be a reactive procedure for organizations, but rather needs to be aligned with daily business decisions, said Eduardo Azanza, CEO of Veridas.
"This shift in perspective will empower organizations to make informed choices and contribute to their long-term success."
—Eduardo Azanza
Larger organizations aren't strangers to the idea of governance. Many of them have governance, risk management, and compliance (GRC) programs in place to align IT with business objectives.
Tim Morris, chief security advisor at Tanium, said the new function is praiseworthy given that governance is a large umbrella and an essential part of any cybersecurity program.
"Frameworks, standards, and guidelines lay the foundations of a common language and methodologies that help cross-functional organizations work together. It is also beneficial for communication between technical and nontechnical teams."
—Tim Morris
Roger Grimes, a defense evangelist at KnowBe4, said that making governance a pillar of the framework indicates how important it is to the whole program. And it's timely.
"That is good, especially since the SEC made governance an official senior leadership requirement for all U.S. public companies. NIST’s inclusion is just going to continue to indicate the seriousness that senior management needs to assign to cybersecurity governance for all organizations around the world."
—Roger GrimesRichard Aviles, a senior solution architect at DoControl, said the govern function connects the business/organizational aspect to cybersecurity, for relevance and prioritization, to the people and policy dimensions. "The need for well-informed and correctly communicated policies is well understood, so its addition to the NIST 2.0 CSF helps create a more complete structure around which organizations can build," he said.
Aviles said that on first read, the software supply chain security guidance in CSF 2.0 "appears well thought out and comprehensive, if not complete."
Continuous improvement is the way forward
The new framework also encourages organizations to continuously improve their cybersecurity posture, and it emphasizes risk management. For example, CSF 2.0 references processes such as continuous monitoring, vulnerability assessments, penetration testing, and red-team exercises that provide ongoing visibility and drive proactive enhancements.
It also is designed to be customized to an organization's risk appetite and operational requirements. This accommodates a variety of implementation paths based on a company's specific priorities.
ReversingLabs' Rose said flexibility was essential for the CSF being relevant and practical for a range of companies.
"The CSF continuing to be very flexible and agile is very important for organizations to address risk management in their own specific way. There are many different ways to address risk management."
—Matt Rose
CSF 2.0 also encourages continuous improvement by allowing organizations to benchmark and mature their capabilities in an incremental way through a tiered system.
"The increased focus on measuring the effectiveness of an organization's cybersecurity program is the best way for organizations to continuously improve their cybersecurity posture. How can you improve what you already have implemented if you can't compare it to something?"
—Matt Rose
NIST has done a lot of work to connect CSF 2.0 with other NIST standards in the text of the framework itself, said Paul Hurley, CEO of the cybersecurity consulting and testing company Securicon.
"This will provide organizations with a pathway to cyber-readiness beyond basic CSF protections and promote an in-depth understanding of why they exist. Soon there will even be a reference tool that enables readers to jump between CSF 2.0 and the latest version of related NIST documentation — a huge aid to ongoing improvement efforts."
—Paul Hurley
Building out a mature risk management approach
The functional nature of the CSF anchors the activities of an organization to foundational practices of cyber-risk management, said CERT's Tucker.
"Standardized practices may be measured for their degree of maturity, which will help organizations to prioritize investment in new tools and capabilities. Furthermore, the functional aspects of the CSF connect the cyber-professional to the management team in a manner that aligns technical expectations with the practical considerations of resource investment."
—Brett Tucker
The expansion of NIST's CSF marks a pivotal step toward securing U.S. industries, said Veridas' Azanza.
"This forward-looking initiative demonstrates NIST’s recognition of the universal relevance of cybersecurity and takes into consideration the unique challenges faced by various sectors. This inclusive approach will set in motion the path to a safer digital landscape and leaves no one behind."
—Eduardo Azanza
John Bambenek, President of Bambenek Labs and a seasoned threat hunter, said CSF 2.0 tackles one of the perennial problems in cybersecurity: how to quantitatively talk about security to leadership and the board.
"Expanding these frameworks to all organizations, and not just critical infrastructure, opens the door to being able to do so in a consistent way across the economy and hopefully will lead to more buy-in of using security to reduce business risk."
—John Bambenek
CSF 2.0 makes risk management more accessible
As part of its efforts to expand the audience for the CSF, NIST enlarged its core guidance and developed related resources to help users get the most out of the framework. These resources are designed to provide different audiences with tailored pathways into the CSF and make the framework easier to put into action, NIST explained.
Laurie E. Locascio, Department of Commerce undersecretary for standards and technology and NIST’s director, said in a statement that CSF 2.0 now goes beyond a single document and offers a suite of guidance:
“CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.”
To build on that, a new CSF 2.0 reference tool has been added to simplify the way organizations can implement the framework. The reference tool allows users to browse, search, and export data and details from the CSF’s core guidance in human-consumable and machine-readable formats. Also, a searchable catalog of references is mapped to the framework, which allows an organization to cross-reference the CSF’s guidance to more than 50 other cybersecurity documents.
Those resources can be contextualized through NIST's Cybersecurity and Privacy Reference Tool (CPRT), which contains an interrelated, browsable, and downloadable set of NIST guidance documents, including the CSF. The CPRT also offers ways to communicate ideas from the resources to both technical experts and the C-suite, so that all levels of an organization can stay coordinated.
Claude Mandy, chief evangelist for data security at Symmetry Systems, stressed that the big takeaway with CSF 2.0 is the govern function, which is a recognition that the risk landscape has shifted.
"The inclusion of the govern function is recognition that mature and defensible security is only possible with clear governance to make decisions on what is required. Although this was implicit in the broader NIST Cybersecurity Framework, the explicit inclusion as a function elevates the importance of it."
—Claude Mandy
Ken Dunham, director of the threat research at Qualys, said CSF 2.0 would be well received — and have a big impact.
"The NIST Cybersecurity Framework is considered by many to be the grandfather of frameworks, defining what must exist in a cybersecurity program. CSF is, and will continue to be, a strong foundation upon which any solid cybersecurity program may be built, as organizations seek to become framework-driven to iteratively reduce risk."
—Ken Dunham
