The National Institute of Standards and Technology (NIST) Cybersecurity Framework offers a comprehensive set of guidelines designed to address organisational security risks. Although voluntary, the framework serves as a powerful guideline for crafting robust systems to mitigate digital security threats and safeguard network integrity and data assets. Moreover, a new version of the framework, NIST 2.0, was recently released. What can the framework offer? And what are the main differences between the new version and the previous version?
Understanding the NIST Cybersecurity Framework: A Global Standard for Digital Security
The NIST Cybersecurity Framework, originating from the United States and released on February 12, 2014, transcends geographical boundaries due to its universal applicability. Continuously evolving, it thrives on feedback from diverse stakeholders, including businesses, governmental bodies, and academia, ensuring its ongoing refinement and relevance.
The framework is an invaluable prevention tool, and prevention is key to reducing the attack surface of your business, ultimately saving you valuable resources and money by thwarting potential attacks before they occur. While it's understandable to feel reluctant about adhering to yet another set of measures and rules – especially voluntary ones – it's essential to consider their long-term advantages.
Introducing NIST 2.0: Enhanced Governance and Supply Chain Risk Management
In 2024, the new version of the NIST framework was introduced. A key addition in version 2.0 is the new "Govern" function, which emphasises the importance of governance in cybersecurity, underscoring that it is a critical enterprise risk on par with finance and reputation.
This function, which consolidates previously scattered roles and responsibilities, simplifies the framework's structure, bringing the total number of core functions to six: Identify, Protect, Detect, Respond, Recover, and now Govern. Notably, the Respond and Recover functions receive heightened attention, addressing previous gaps. Furthermore, with the rise in supply chain attacks since the framework's initial launch in 2014, NIST has placed a stronger focus on Cybersecurity Supply Chain Risk Management (SCRM) in this latest version.
The official e-book of the NIST Cybersecurity Framework 2.0 explains the six core functions of the framework:
- Govern = The organisation’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
- Identify = The organisation’s current cybersecurity risks are understood.
- Protect = Safeguards to manage the organisation’s cybersecurity risks are used.
- Detect = Possible cybersecurity attacks and compromises are found and analysed.
- Respond = Actions regarding a detected cybersecurity incident are taken.
- Recover = Assets and operations affected by a cybersecurity incident are restored.
Source: NIST E-book
Practical Implementation: Tailoring NIST Guidelines to Your Business Needs
The optimal starting point is the webpage dedicated to informative references. It's essential to recognise that neither you nor your business is obligated to adhere to every reference. Certain measures may not apply to your business, or you may already have effective protocols in place. Simply select what aligns with your needs and disregard the rest.
When applying the informative references, you can assess which framework implementation tier you belong to, based on the degree to which you follow the individual principles and how you view possible cybersecurity risks. You should also define your framework profile. That shows you where your gaps are and allows you to create a prioritised implementation plan.
You can also choose to follow the NIST Framework Roadmap, which presents 14 categories to which you should devote your attention:
- Confidence Mechanisms
- Cyber-Attack Lifecycle
- Cybersecurity Workforce
- Cyber Supply Chain Risk Management
- Federal Agency Cybersecurity Alignment
- Governance and Enterprise Risk Management
- Identity Management
- International Aspects, Impacts, and Alignment
- Measuring Cybersecurity
- Privacy Engineering
- Referencing Techniques
- Small Business Awareness and Resources
- Internet of Things (IoT)
- Secure Software Development
Maybe you think that your business is too small to benefit from such a large system of guidelines and rules. But even if you are the smallest business, you can benefit from compliance with NIST. As mentioned earlier, by applying preventive measures, you can avoid far greater expenses in the future by preventing an attack before it has a chance to cause damage. For small businesses, NIST prepared a special webpage explaining what to do, and how, when getting started with the framework.
Still not sure where to start?
For organisations or individuals who find the NIST Cybersecurity Framework (CSF) too complex to implement, the Center for Internet Security (CIS) Controls might be a more accessible starting point. The CIS Controls are a set of prioritised actions that provide specific and practical guidance on how to improve cybersecurity, making them more instructional and easier to follow for those who are new to cybersecurity frameworks. These controls offer a step-by-step approach to cybersecurity that can serve as a foundation before transitioning to the more comprehensive NIST CSF.
One of the framework's greatest advantages lies in its adaptability to suit the unique needs and methodologies of any company. Its recommendations serve to complement your existing digital security program and risk management strategies, pinpointing areas for enhancement, or suggesting entirely new steps where necessary. Furthermore, it serves as a valuable tool for facilitating discussions with senior management regarding digital security and associated risks.
Cyber compliance with ESET
ESET's solutions address industry frameworks, giving you confidence in your business's secure, efficient, and compliant operations. Explore the regulations that ESET solutions can help you comply with.