NIST Cybersecurity Framework 2.0

Earlier this year, the National Institute of Standards and Technology (NIST) released the much anticipated version 2.0 of its internationally popular Cybersecurity Framework (or “CSF”). The CSF is popular for a reason: it provides outcomes and security controls for developing your cybersecurity program, it’s incredibly thorough, and it’s free. This week, we’ll take an initial look at CSF 2.0’s core document to give you and your team a sense of what it does.

NIST CSF 2.0 does not provide a one-size-fits-all security model, but it does aim to help everyone. It can be tailored for organizations of all sizes and all sectors—both for-profit and nonprofit—to help reduce and manage cybersecurity risk. The CSF broadly describes desired outcomes that are, for the most part, universally applicable, and then maps those outcomes down to specific security controls.

The CSF wants organizations to consider cyber-risk in the context of their specific goals and needs. However, it is descriptive rather than prescriptive. The CSF starts with the “core,” which helps organizations understand what they should aspire to. The core is then supported by a gigantic suite of freely available online resources to help you figure out how to achieve those aspirations. To that end, it readily pairs with other resources, such as security practice models, to help your team better manage cyber-risk.

Within the core are six functions: identify, protect, detect, respond, and recover—all familiar from the first version of the CSF—with govern now added. The core doesn’t specify the sequence, priority, or importance of any one function, so navigating that still requires you to evaluate your organization’s own goals and to rely on other resources like the Cyber Defense Matrix (CDM). Each function follows a core pattern:

  • Govern – Understand your organization’s context and set risk management expectations and strategy; Write policy

  • Identify – Understand the organization’s assets, suppliers, and cyber-related risks; Create inventories and assess risk

  • Protect – Safeguard assets to lower the likelihood and/or impact of cybersecurity events; Block, log, and reduce risk

  • Detect – Detect and analyze attacks and compromises in order to support incident response and recovery actions; Detect attacks

  • Respond – Contain and mitigate the effects of cybersecurity incidents; Stop attacks

  • Recover – Restore assets and operations impacted by cyber-attacks to a functional and more secure baseline; Return to normal

While it’s clear from the Cyber Defense Matrix and even the CSF’s own verbiage about these functions that there are at least some strict dependencies between functions (Respond explicitly depends on Detect, for example), the CSF visualizes these functions as a wheel: All functions relate to each other and form a cycle of activities with Govern at the center. Govern informs the implementation of the other five functions and forms a cross-cutting line of effort.

Of the six functions, govern, identify, protect, and detect are all continuous functions, which should happen within a feedback loop of communication with your teams. These are also structural functions that directly apply to the engineering and configuration of your systems.

The last two functions are on-demand and manage situations: respond and recover should be prepared at all times but only active when an incident occurs.

These functions are then broken down into categories (broad outcomes) and subcategories (technical outcomes and management activities) that move you from broad descriptions of activities toward achievable goals that can be mapped to controls.

Supporting the map from functions to outcomes and activities are profiles and maturity tiers, which can be used during gap analysis to define current and desired states and to compare your organization with communities of similar organizations. We’ll talk about profiles and tiers in a future article.
