March 7, 2024

NIST's Cybersecurity Framework 2.0

nist cybersecurity

On February 26th, the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework 2.0 (CSF), which, in a similar fashion to its more widely popularized AI Risk Management Framework, seeks to help various kinds of actors manage and address cybersecurity risks appropriately.

The CSF is designed to be inherently flexible and applicable to any organization regardless of its cybersecurity maturity level, which means that the application of the framework will differ on a case-by-case basis. However, the framework is not prescriptive by nature: concrete guidance on how to achieve desirable cybersecurity objectives is supplementary, and can be found in the variety of online resources available through NIST’s CSF website. For example, Quick Start Guides (QSGs) are one such resource, and while they are intentionally designed for certain audience profiles, they can offer tangible guidance on the “first steps” required to achieve desired cybersecurity outcomes. Other available resources include informative references (the “how to” required to achieve CSF outcomes) and implementation examples (specific examples of how CSF outcomes might be achieved across different domains or sectors).

More broadly, the overall purpose of the CSF is to help organizations identify ideal cybersecurity outcomes while also enhancing their ability to understand, assess, prioritize, and communicate cybersecurity risks effectively and responsibly. Still, it’s important to recognize that the CSF alone can’t be leveraged to address all possible cybersecurity risks and should be used in tandem with other verified tools, protocols, frameworks, and best practices.

The CSF itself is divided into three main sections: 1) the CSF Core, 2) CSF Profiles, and 3) CSF Tiers. The CSF Core establishes a series of functions required to achieve desirable cybersecurity objectives, CSF Profiles describe an organization’s cybersecurity approach, and CSF Tiers characterize the intensity of an organization’s cybersecurity approach. We expand upon each of these sections below, but first we elaborate on a few components of the cybersecurity risk management process that NIST explicitly aims to enhance via the CSF.

How Can The NIST CSF Help Your Organization?

The CSF specifically aims to enhance three components of the cybersecurity risk management process: 1) cybersecurity risk communication, 2) risk management communication, and 3) integration with different kinds of risk management programs.

In terms of cybersecurity risk communication, CSF implementation can improve how organizations understand and prioritize cybersecurity risks with respect to stakeholder expectations and risk tolerance levels. This can correspondingly result in improvements in how cybersecurity risks are communicated, prioritized, and addressed both at the organization-wide level and throughout various departments.

As for risk management communication, the CSF can play a major role in helping executives align their risk management strategies with the concrete risk management steps and procedures taken by managers and practitioners, those who work directly with technology. This enables executives to focus on addressing high-level cybersecurity risks in terms of organizational objectives, while managers, drawing on practitioners’ experience and hands-on engagement with cybersecurity activities, can help executives update and refine organization-wide cybersecurity strategy and protocols. In simple terms, the CSF cultivates a “bidirectional information flow” that promotes better risk management communication throughout the various levels of an organization.

Finally, CSF implementation can also streamline the integration of cybersecurity risk management programs with other types of risk management programs, since technology risks often overlap. In fact, there are four primary risk domains for which the CSF can be especially useful:

  1. Cybersecurity: the intentionally broad scope of the CSF allows for and encourages integration with other verified and effective cybersecurity risk management and assessment procedures.
  2. Privacy: privacy and security go hand-in-hand. The preservation of privacy often depends on whether there are sufficient security measures in place. For example, to address data integrity and privacy risks, robust cybersecurity protocols must be established.
  3. Supply chain: technology supply chains are deeply complex and multi-faceted. Leveraging the CSF to communicate and oversee cybersecurity risks with key stakeholders in the supply chain is vital.
  4. Emerging technology: new technologies present new risks. Having a framework such as the CSF in place allows organizations to more easily identify potential cybersecurity threats and vulnerabilities that arise due to emerging technologies.

All in all, by implementing the CSF, executives can develop a common language that allows them to integrate their cybersecurity risk management strategy into their larger enterprise risk management (ERM) strategy, culminating in a unified vision of risk management at the enterprise scale.

CSF Core

The CSF Core describes a series of organizational functions necessary for achieving desired cybersecurity outcomes. These functions are not grouped hierarchically, and should be performed simultaneously to ensure that the most prevalent and recent cybersecurity risks are effectively managed, even as they continue to evolve in light of changes to organizational objectives, emerging technologies, and compliance requirements.

The functions prescribed by the CSF Core include governance, identification, protection, detection, response, and recovery, the goals of which, and their corresponding cybersecurity outcomes, are described below:

  • Governance: establish an organization-wide cybersecurity risk management strategy. This strategy should address the development of internal cybersecurity policies, clear communication and understanding of the proposed cybersecurity strategy at the organizational level (i.e., roles, responsibilities, authorities, and oversight mechanisms), and a clear path by which to incorporate the strategy into the organization’s overall risk management strategy.
  • Identification: comprehend the current array of cybersecurity risks that your organization faces. To accomplish this, organizations must understand how cybersecurity risks apply to their assets and suppliers, ensure that their understanding of risks is reflected in their cybersecurity strategy such that the most prevalent risks are prioritized, and motivate improvements or changes to their cybersecurity strategy by reference to newly identified or changing cybersecurity risks.
  • Protection: implement concrete safeguards that address any identified cybersecurity risks in terms of priority. Areas to focus on include but are not limited to securing important assets, lowering the probability of adversarial attacks, leveraging novel opportunities to improve safeguards, promoting cybersecurity best practices such as training and awareness initiatives, the development of resilient tech infrastructure, and robust authentication and access controls.
  • Detection: identify and analyze potential cybersecurity risks and vulnerabilities. In this respect, organizations should strive to identify anomalies in cyber activity that indicate a potential threat or vulnerability to their cybersecurity protocols while also promoting the development and establishment of incident response and recovery procedures.
  • Response: manage emergent cybersecurity risks in a timely manner to minimize their negative impacts. To do this effectively, organizations must designate definitive incident response and risk mitigation protocols, verify that cybersecurity activities are continuously monitored, analyzed, and reported on, and generate mechanisms by which to easily communicate cybersecurity risks throughout the organization.
  • Recovery: quickly repair any damage that arises from cybersecurity incidents so that normal organizational operations can resume without excessive delay or compromise.

Before moving on to CSF Profiles, we note that not every function described in the CSF Core is intended to be performed continuously. Governing, identifying, protecting, and detecting are continuous activities, whereas response and recovery are reactive, carried out in response to specific cybersecurity incidents.

Moreover, each of the CSF Core functions is mapped onto several categories, which are further mapped onto subcategories. A full discussion of these would be too extensive for this post, so readers who wish to gain a more comprehensive understanding of the CSF Core should review Appendix A of the NIST CSF directly.

CSF Profiles

CSF Profiles aim to address the following question: how prepared is your organization to achieve the CSF Core cybersecurity outcomes in light of its mission objectives, stakeholder expectations, threat landscape, and requirements? In this context, the overarching goal of a CSF Profile concerns an organization’s ability to prioritize the most important cybersecurity activities and communicate their significance to key stakeholders.

CSF Profiles are split into two categories:

  1. Current Profile: indicates the current CSF outcomes achieved or in progress, and the process and/or means by which achievement is occurring.
  2. Target Profile: indicates the target CSF outcomes and any required changes, updates, or revisions to an organization’s cybersecurity strategy and/or structure as a consequence of these target outcomes.

When developing a CSF Profile, organizations can also draw from NIST’s pre-established community profiles, which can provide an effective starting point—for target profiles—given that they are customized for specific sectors, technologies and threat types. More specifically, however, there are five steps organizations should follow when creating their CSF Profile:

  1. Scope: determine the scope of the organizational profile or profiles. High-level profiles and domain-specific ones can be developed for one organization. For instance, an organization could indicate organization-wide cybersecurity objectives while also defining objectives at the scale of individual departments.
  2. Information: understand and identify the information that will underlie the organizational profile, such as internal policies, cybersecurity requirements, work roles, and best practices and/or tools.
  3. Creation: by reference to the CSF outcomes your organization has selected, and the weaknesses revealed by your current profile, establish the kinds of information you should include in the target profile. This is where leveraging a community profile to inform the target profile can be highly useful.
  4. Analysis: understand the discrepancies between your organization’s current and target profile, and create an actionable plan by which to address them.
  5. Implementation and updates: once your organization has developed an actionable plan, utilize it to bridge the gaps you’ve identified between your current and target profile.

Much like the functions illustrated in the CSF Core, the process of developing these kinds of profiles will likely be continuous, so key stakeholders within their respective organizations should revisit these steps where relevant and necessary. For instance, a significant change in an organization’s threat landscape may require updates to its target profile.

CSF Tiers

CSF Tiers classify current and target profiles. In essence, tiers characterize the intensity of an organization’s commitment to cybersecurity governance and risk management, and can also be leveraged to illustrate cybersecurity benchmarks or maturity levels: the higher the tier, the more prominent cybersecurity risks and requirements are in the organization’s practice. In other words, how important is cybersecurity to your organization, and how prepared are you to address cybersecurity concerns and requirements?

The CSF defines four tiers, ordered hierarchically in terms of cybersecurity governance and risk management, which are expanded upon below:

  • Tier 1 (Partial)
    • Governance: no formal risk management strategy is in place.
    • Risk Management: lack of concrete risk management protocols, risk awareness, and communication.
  • Tier 2 (Risk-Informed)
    • Governance: a risk management strategy has been developed but not yet approved.
    • Risk Management: some risk management, awareness, and communication protocols are in place, but the organization still lacks a consistent and formalized risk response strategy.
  • Tier 3 (Repeatable)
    • Governance: a formal risk management strategy has been established, approved, and implemented as company policy. The strategy is also updated in accordance with relevant changes to factors such as the threat landscape and business requirements.
    • Risk Management: organization-wide risk management, awareness, and communication protocols are in place, which include mechanisms by which to account for changes in the risk profile and consistently monitor and report on risks.
  • Tier 4 (Adaptive)
    • Governance: the risk management strategy has evolved into a core tenet of organizational culture, which allows the organization to quickly adapt its strategy in response to changes in business requirements, mission objectives, and risk profiles.
    • Risk Management: the same as Tier 3, but with additional state-of-the-art mechanisms in place, such as real-time monitoring, that allow the organization to continually adapt and improve its strategy in response to a rapidly evolving technology landscape and increasingly complex threats.

Organizations should view these tiers not as outright replacements for their cybersecurity strategies, but rather as supplementary tools that they can readily use to enhance their approach and identify potential vulnerabilities and weaknesses in their cybersecurity infrastructure.
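The five profile-development steps and the tier definitions above describe a gap analysis in prose. The following Python script is an added example, not part of the article and not NIST tooling: it models a Current Profile and a Target Profile as maps from outcome to tier (1 through 4, using the tier names above), validates them, lists the outcomes whose target tier exceeds the current tier (largest gap first, then in Core function order), and characterizes each function by its weakest outcome. The outcome identifiers, descriptions and tier values are constructed for illustration and are not CSF Appendix A subcategories.

```python
"""Gap analysis between a CSF Current Profile and a Target Profile.

Added example (not NIST's code or tooling). Outcome identifiers, descriptions
and tier values are constructed to illustrate the workflow; they are not the
subcategories of CSF Appendix A.
"""
from dataclasses import dataclass

# CSF 2.0 Core functions, in the order the article lists them.
FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")

# Tier names as the article gives them.
TIER_NAMES = {1: "Partial", 2: "Risk-Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Outcome:
    """One cybersecurity outcome, keyed by a constructed identifier."""
    ident: str        # constructed label, not a CSF subcategory ID
    function: str     # one of FUNCTIONS
    description: str


# Constructed sample outcomes, paraphrased from the article's function summaries.
OUTCOMES = [
    Outcome("GV-STRATEGY", "Govern", "organization-wide risk management strategy approved"),
    Outcome("ID-ASSETS", "Identify", "risks understood for assets and suppliers"),
    Outcome("PR-ACCESS", "Protect", "robust authentication and access controls"),
    Outcome("PR-TRAINING", "Protect", "training and awareness initiatives"),
    Outcome("DE-ANOMALY", "Detect", "anomalies in activity identified and analyzed"),
    Outcome("RS-PLAN", "Respond", "definitive incident response protocols"),
    Outcome("RC-RESTORE", "Recover", "operations restored without excessive delay"),
]


def validate_profile(profile, outcomes=OUTCOMES):
    """Reject a profile that omits an outcome or uses a tier outside 1..4."""
    for o in outcomes:
        tier = profile.get(o.ident)
        if tier is None:
            raise ValueError(f"profile missing outcome {o.ident}")
        if tier not in TIER_NAMES:
            raise ValueError(f"{o.ident}: tier {tier!r} not in 1..4")


def gap_analysis(current, target, outcomes=OUTCOMES):
    """Return (ident, function, current_tier, target_tier, delta) for every
    outcome whose target tier exceeds its current tier, largest gap first and
    then in Core function order."""
    validate_profile(current, outcomes)
    validate_profile(target, outcomes)
    gaps = []
    for o in outcomes:
        delta = target[o.ident] - current[o.ident]
        if delta > 0:
            gaps.append((o.ident, o.function, current[o.ident], target[o.ident], delta))
    gaps.sort(key=lambda g: (-g[4], FUNCTIONS.index(g[1])))
    return gaps


def function_tier(profile, outcomes=OUTCOMES):
    """Characterize each function by its weakest outcome: one unaddressed
    outcome caps the tier the function can credibly claim."""
    tiers = {}
    for o in outcomes:
        tiers[o.function] = min(tiers.get(o.function, 4), profile[o.ident])
    return tiers


def action_plan(current, target, outcomes=OUTCOMES):
    """Render the gap list as human-readable plan lines."""
    lines = []
    for ident, fn, cur, tgt, delta in gap_analysis(current, target, outcomes):
        lines.append(f"{fn:<8} {ident:<12} {TIER_NAMES[cur]} -> {TIER_NAMES[tgt]} (+{delta})")
    return lines


# Constructed sample profiles: the organization is uneven, with training and
# incident response still at Tier 1, and wants Tier 3 (Repeatable) everywhere.
CURRENT = {"GV-STRATEGY": 2, "ID-ASSETS": 2, "PR-ACCESS": 3, "PR-TRAINING": 1,
           "DE-ANOMALY": 2, "RS-PLAN": 1, "RC-RESTORE": 2}
TARGET = {"GV-STRATEGY": 3, "ID-ASSETS": 3, "PR-ACCESS": 3, "PR-TRAINING": 3,
          "DE-ANOMALY": 3, "RS-PLAN": 3, "RC-RESTORE": 3}

if __name__ == "__main__":
    for line in action_plan(CURRENT, TARGET):
        print(line)
    print("current tier per function:", function_tier(CURRENT))
```

The weakest-outcome rule in function_tier is a design choice for this example: an organization cannot credibly report Tier 3 for Protect while one of its protection outcomes sits at Tier 1. A real assessment would replace the constructed outcomes with the Core's categories and subcategories from Appendix A and rerun the same comparison whenever the threat landscape or business requirements change the Target Profile.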

Conclusion

As data-driven technologies, including AI, become more widely distributed and integrated, threats to cybersecurity will not only become more sophisticated, but also more widespread; combating these threats will, in large part, depend on the ability to address internal weaknesses that emerge from the same factors. Moreover, seeing as technology risks tend to overlap considerably, organizations that pre-emptively recognize the criticality of robust cybersecurity protocols and infrastructure will gain a substantial advantage over those that do not.

By developing an actionable cybersecurity strategy, even if only at the level of individual departments, cybersecurity-mature organizations will have established measures and protocols that streamline their abilities to account for novel advancements in the threat and technology landscape without compromising compliance with business and regulatory requirements. In the age of digital infrastructure and technology, cybersecurity is poised to become a core tenet of any and all organizations’ ERM.

The term “digital transformation” has become something of a buzzword. Despite this, many still don’t understand the true depth and complexity of the effort required to successfully transform an organization digitally, especially where it concerns the integration of powerful technologies like AI. Training, upskilling, and awareness are fundamental, but such initiatives are likely to be pursued in vain if organizations do not ensure compliance with business and regulatory requirements.

For readers interested in cultivating a deeper understanding of technology risk management and regulation, specifically AI, we invite you to follow Lumenova AI’s blog, where you can keep track of the latest advancements and trends in the policy, responsible, and generative AI landscape.

Finally, Lumenova AI’s responsible AI platform can help organizations identify and manage risks that arise during the development and use stages of the AI lifecycle. To learn more about this opportunity, book a product demo today.
