As reported by Government Technology in late February, NIST Releases Cybersecurity Framework 2.0: “NIST released its first major update to the framework since 2014. The new version adds a key cybersecurity function, aims to support all sectors and is accompanied by the release of supplementary resources.”
Media coverage of CSF 2.0 has been widespread:
Dark Reading: CISO Sixth Sense: NIST CSF 2.0's Govern Function — “The introduction of the Govern function signifies a crucial industry acknowledgment that effective management is an integral part of the CISO role. In practical terms, the Govern function bridges a critical gap in the CISO's toolkit, allowing for a more comprehensive approach to management. Previously, CISOs encountered challenges in addressing key questions and concerns that crossed their desks, leading to gaps in their ability to manage effectively. They had no way to answer how well they were enforcing policies, whether they were progressing, or whether their latest investment had a significant impact on overall performance.”
SC Media: Top 3 NIST Cybersecurity Framework 2.0 takeaways — “The NIST Cybersecurity Framework is considered by many to be the grandfather of frameworks defining what must exist in a cybersecurity program,” Ken Dunham, cyber threat director at Qualys’ Threat Research Unit, said in an email to SC Media. “Significant technology changes have occurred since the inception of the framework, in addition to a need for improvements in clarity, alignment, and implementation towards consistent use.”
1. "CFS 2.0 serves a wider audience, without taking a 'one-size-fits-all' approach"
3. "Wealth of new resources eases implementation and continuous use of CFS 2.0"
Help Net Security: NIST CSF 2.0 released, to help all organizations, not just those in critical infrastructure — “The CSF 2.0, which supports the implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy.
"The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others, such as finance and reputation.
“'Developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad,' according to Kevin Stine, chief of NIST’s Applied Cybersecurity Division.”
Last August, I wrote a blog titled What’s New in the NIST Cybersecurity Framework 2.0 Draft? Here’s what I wrote:
"I want to point out that NIST has been doing more international collaboration, and this CSF 2.0 has more of an international focus with global participation. See this July 2023 article on NIST international engagement. Here’s an excerpt:
"'In the update to NIST CSF 2.0, NIST continues to work with the international community. At NIST’s February 2023 virtual workshop on the CSF 2.0 update, participants from Italian and New Zealand governments and Mexican industry spoke on panels. In addition, participants joined from several countries. We are continuing to learn and benefit from international use cases and look forward to hearing even more in the months to come as we release our full draft 2.0!'
"I applaud this international focus on cybersecurity best practices, as our online worlds have never been more interconnected and cooperation and collaboration are vital to defeating cyber crime.”
FURTHER ANALYSIS — PROS AND CONS
I agree with the comments of Bruce Schneier (in his blog Schneier on Security) when he writes: “This is a big deal. The CSF is widely used, and has been in need of an update. And NIST is exactly the sort of respected organization to do this correctly.”
Nevertheless, some of the comments from readers of Schneier's post were not as positive:
@Lurker: “'Can police put a dent in cybercrime ransom figures as they ‘hack back’?'” is the headline over a story in my print edition local MSM, unfortunately paywalled online. The story recounts several recent successful 'busts' of ransomware gangs, but it reads like popping pimples one by one without any visible attempt to get at the underlying disease. (q.v. my comment above re. foundation)
"I’ve now read through NIST CSWP 29, it’s full of C-suite buzzwords, and reads like the rules for a global game of whack-a-mole. The prevention strategy seems to be more of the same, which patently is not working."
@Echo: “I went back over the overarching framework and read it (mostly) from end to end. It’s a good sleeping pill.
“What it’s missing is a sense of context and how different domains like governance and civil society and human rights relate to each other. 'That means it has a whiff of all boxes were ticked and all processes were followed. The patient died but the operation was a success.' There’s structural and institutional security problems not being addressed because everyone is too busy being a tech bro. It’s like NIST is the Master Lock of security.
“Human resources and human rights get like three lines in the entire document. There’s volumes of hard eyerolling behind this. Basically the whole thing looks like an empire building plan for the boys and lawyers.
“The scheme to build a secure wall domestically and lean on foreign countries to pull their socks up isn’t going to work because of these weaknesses. It’s also why the U.S. falls flat on its face even though it wins the war militarily.
“Long term I think the EU is creating the foundations for a better security model. The U.S. tech market will have to respond to this or leave the global stage.”
FINAL THOUGHTS
I applaud NIST for this overall effort, and think the CSF 2.0 should be required reading for everyone who is serious about cybersecurity in their enterprise or industry role.
Is there further to go? Absolutely — especially in our new GenAI world with nation-states sponsoring cyber attacks globally.
Nevertheless, the federal government is mandating adoption, and most state and local governments and the private sector have followed CSF in the past and will also follow CSF 2.0 going forward.
My advice: All aboard!
You can read more details here, at the NIST CSF 2.0 portal.
