NIST Updates Supply Chain Cybersecurity Framework

by Carolyn Mathas

Ten years after its national cybersecurity framework rolled out, the National Institute of Standards and Technology (NIST) released version 2.0, emphasizing governance and supply chain issues for public and private sector entities.

The guidance now outlines “high-level cybersecurity outcomes that can be used by any organization … to better understand, assess, prioritize and communicate its cybersecurity efforts” and adds a sixth core function — “govern” — to the previously stated pillars: “identify,” “protect,” “detect,” “respond,” and “recover.”

In particular, “Govern” focuses on an organization’s “cybersecurity risk management strategy, expectations and policy, and how they are communicated and monitored,” addressing the implementation and oversight of a cybersecurity strategy.

The spotlight on supply chain risks reflects how many technologies depend on a complex outsourcing ecosystem with geographically dispersed supply routes, in which both private and public sector organizations rely on multiple service providers. NIST now points to Cybersecurity Supply Chain Risk Management (C-SCRM) as a systemic process to manage exposure to cybersecurity risks by developing appropriate “strategies, policies, processes and procedures.”

NIST released the CSF’s Quick Start Guides (QSG) with examples so that entities could “view and download notional examples of concise, action-oriented steps to help achieve the outcomes of the CSF 2.0 subcategories in addition to the guidance provided in the informative references.”
