In this episode, Matt gives an overview of the National Institute for Standards and Technology (NIST)’s newest version of their Cybersecurity Framework (CSF). He points out what’s new in CSF 2.0, such as the addition of governance as a discipline, plus a greater focus on software supply chain security. 

Learn more

• -Related blog: NIST CSF 2.0: What it means for supply chain risk management
  
• -Blog: A timeline of federal guidance on software supply chain security
• -Report: Supply Chain Security Risk Report: Tooling Gap Leaves Orgs Exposed

Episode Transcript

MATT ROSE: Hi everyone, welcome to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs. Today's episode is the recent release NIST CSF 2.0, or Cybersecurity Framework 2.0. This is kind of a big deal because it's actually been five years, yes, five years since the release of the CSF 1.0.

So I know about you, but there's been a lot of things that have changed in five years in cybersecurity, application security. New threats, new landscape of risk, new way development is being done and organizations are securing those development and infrastructure security activities. I was recently asked to chime in, if you will, on a article that was released.

It was written by a friend of mine, John Mello about, CSF 2.0, what's changed, what's better, what's interesting about it. And a lot of industry experts, big wigs, people that have hair, not me- I don't have any hair. Commented on this that they think it's actually a really good thing.

If you want to actually check out the article here and dig deeper, here's the URL across the screen. It's a article that was published on the ReversingLabs website. Great read. I suggest you jump on it, take a look if you have a free minute. Just gives a candid approach or a candid overview of CSF 2.0. 

That being said, you're probably wondering, okay, so what the heck is important about the CSF 2.0? One of the big things that's introduced because again, it's been five years, is the introduction of software supply chain security or supply chain security aspects to this, because guess what?

SolarWinds happened, it made everybody aware that supply chain risk is a big deal. It's important these days, so NIST actually identified that and included a lot of areas and discussion points around software supply chain security, providence of code and so on and so forth within this.

One of the other big areas is there's an additional discipline. Da da da da! There were five disciplines. One of the areas was actually expanded out into its own discipline. So now. In addition to identify let's do it this way. Identify, protect, detect, respond, and recover. Again, these were the core disciplines.

We also now have governance as part of the core disciplines. A lot of people really like this because how do you measure a program if you don't have governance, if you don't have identification of risk and what to do with it? So this is a big change and a change that people have been calling for. Some of the other things that people are really happy about is enhanced guidance.

I'll just put this as EG, so I don't have to write all that out. Enhanced guidance- greater emphasis on risk management. So risk management is very important to a program. How do you manage something if you don't know what it is or where you come from or where you're going? So enhancements around risk management, and then they've made it easier to read, easier to interpret. Because again, these are long documents. It's a lot of information. You don't want to be like stereo instructions and or an encyclopedia. If anybody knows or remembers what an encyclopedia was, the kind of leather bound books that you weren't allowed to touch as a kid.

It's easier to read and understand. So all these things combined together make CSF a great improvement. Again, it's been five years, so there's a lot of opportunity for new information to be in there. But if you're looking to have a program and a cybersecurity framework to work off of, the updates to CSF 2.0, not 1.1, but 2.0, you have a good resource. And to provide a little bit more information if you want to see what it looks like you can actually use- here is the announcement or the NIST Cybersecurity Framework 2.0 off of NIST's website. Check it out. It's definitely worth a read and a little bit of investigation to see if you want to adopt it now or figure out some areas that are important to you that you think will improve on what you're doing today.

Thank you for watching. I'm Matt Rose. This is ReversingGlass. Have a great day, everybody.