A decade after releasing its landmark national cybersecurity framework, the National Institute of Standards and Technology released version 2.0 on Monday, an updated document that focuses on governance and supply chain issues for public and private sector entities.
The new guidelines, which outline “high-level cybersecurity outcomes that can be used by any organization…to better understand, assess, prioritize and communicate its cybersecurity efforts,” add a sixth essential function, “govern,” to the pillars stated previously: “identify,” “protect,” “detect,” “respond” and “recover.”
“Govern” focuses on how “an organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored,” the framework states, and aims to address the implementation and monitoring of a cybersecurity strategy.
“‘Govern’ really represents the fact that we need to bring this topic into the discussion room to discuss it,” Laurie Locascio, NIST director and undersecretary of Commerce for standards and technology, said Monday at an Aspen Digital event. “This required a lot of discussion between all stakeholders because it is a big change” going from five main functions to six in the framework.
Locascio noted that 10 years ago, before the launch of NIST’s initial CSF, there had been discussions about the “governance” elements, but agency leaders “weren’t really ready to integrate them yet.” It was a priority for the latest iteration of the framework, however, particularly the focus on the supply chain, which falls under the “govern” pillar.
The document’s focus on supply chain risks covers how various types of technologies rely on a complex outsourcing ecosystem, involving geographically diverse routes for private and public sector organizations offering a variety of services. In the updated CSF, NIST highlights Cybersecurity Supply Chain Risk Management (C-SCRM) as a systemic process for managing exposure to cybersecurity risks by developing appropriate “strategies, policies, processes and procedures.”
Along with the overall framework, NIST published the CSF Quick Start Guides (QSG) with implementation examples that allow entities to “view and download theoretical examples of concise, action-oriented steps to help achieve CSF 2.0 subcategory outcomes in addition to the guidance provided in the informative references”.
In creating the new framework, Locascio said NIST took into account stakeholder feedback on the draft CSF document but could not accept every comment.
“You come to consensus, you have a broader discussion, but every conversation, I think, has led to a better place,” Locascio said. “When we didn’t agree to something word for word… there was a reason and we talked about it together. I think it also breeds trust because we’ve been very transparent about the process, very openly engaged and really valued your feedback.”