The National Institute of Standards and Technology (NIST) has released the latest iteration of its renowned Cybersecurity Framework (CSF), designed to help organizations mitigate cybersecurity risk.
The new CIST CSF 2.0 is aimed at organizations of all sizes in all sectors.
What’s new in the NIST CSF 2.0?
NIST initially released the CSF in 2014 to help critical infrastructure owners address and mitigate cybersecurity risks. The new version of the CSF has a broader scope and applies to companies across sectors.
The most notable difference between iteration 1.0 and 2.0 is the introduction of a new key function: Govern. This makes the functions: Identify, Protect, Detect, Respond, Recover, and Govern. Each core function is further broken down into categories and subcategories that guide implementation.
The functions shouldn’t be used in isolation but as a cycle of continuous improvement, aimed at helping organizations discover and manage cybersecurity risk both internally and across the supply chain.
Here is what NIST says about each function:
- Identify: An understanding of the organization’s assets, suppliers, and related cybersecurity risks enables the organization to prioritize its efforts consistent with its risk management strategy and the mission needs identified.
- Protect: Once assets and risks are identified and prioritized, this supports the ability to secure assets to prevent or lower the likelihood and impact of adverse cybersecurity events. Outcomes covered by this function include identity management, authentication, and access control; awareness and training; data security; platform security and the resilience of technology infrastructure.
- Detect: Enables the timely discovery and analysis of anomalies, indicators of compromise, and other potentially adverse events that may indicate that cybersecurity attacks and incidents are occurring. This function supports successful incident response and recovery activities.
- Respond: Supports the ability to contain the effects of cybersecurity incidents. Outcomes within this function cover incident management, analysis, mitigation, reporting, and communication.
- Recover: Supports the timely restoration of normal operations to reduce the effects of cybersecurity incidents and enable appropriate communication during recovery efforts.
- Govern: Provides outcomes to inform what an organization may do to achieve and prioritize the outcomes of the other five functions in the context of its mission and stakeholder expectations. Governance activities are critical for incorporating cybersecurity into an organization’s broader enterprise risk management (ERM) strategy. They require an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policy; and the oversight of cybersecurity strategy.
Alongside its core guidance, NIST has also released a range of resources and supporting documentation to help users get the most out of the framework, including a searchable catalog and quick-start guide.
Recognizing the importance of interoperability with its other standards, the NIST CSF 2.0 also references frameworks like the NIST Privacy Framework and AI Framework.
How to adopt NIST CSF 2.0
Adopting the NIST CSF 2.0 is a sensible idea for organizations of all sizes. This flexible framework is a cost-effective way to enhance your organization’s cybersecurity posture and works to improve the C-suite’s understanding of the importance of cybersecurity risk management.
While the framework is designed to be understood by non-technical audiences, it is a robust piece of documentation and holistic implementation will require time and investment.
The best way to start is through quick-win, high-value implementations that meet several of the key functions’ requirements at once.
Here is how data loss prevention (DLP) achieves this across the CSF lifecycle:
- Identify: Through automation and natural language processing (NLP), next-generation DLP solutions automatically identify, classify, and log sensitive data within the organization’s infrastructure, bringing visibility to potential vulnerabilities and risks. Look for a solution that extends DLP to cloud applications like Slack and Microsoft Teams, where much of enterprise information lives today.
- Protect: DLP solutions use automation to protect sensitive data from exposure and theft in real-time. Leading solutions are contextually aware of user roles, permissions, and log-in factors, bringing next-level identity and access management to your data. To satisfy the CSF’s training category, choose a solution that uses in-built training mechanisms like nudges to educate users on secure data sharing practices.
- Detect: DLP solutions monitor sensitive data and user behavior in real-time to discover potentially adverse events.
- Respond: DLP monitoring capabilities should combine with automated incident response features. Next-generation DLP can automatically block users’ actions if they violate an organizations policies. This could mean redacting the sensitive data, deleting files, or alerting the security team of actions that need further investigation. It all depends on contextual factors surrounding the incident. To mitigate the potential for excess noise and false alerts, look for a solution that leverages NLP, which offers higher accuracy compared to traditional DLP tools.
- Recover: Best-in-class DLP tools automatically log all event data for audit and reporting purposes, which streamlinines the process of documenting thwarted incidents for compliance.
- Govern: To be effective, DLP solutions require organizations to have an in-depth understanding of their legal, regulatory, and contractual requirements regarding cybersecurity and data privacy. Solutions like Polymer DLP have pre-built policy templates for frameworks like HIPAA and the CCPA out of the box, which accelerates installation and data governance time-to-value.
As you look to leverage the NIST CSF to enhance cybersecurity outcomes, DLP is one of the best mechanism to kickstart implementation while dramatically improving your cybersecurity posture.
Begin your NIST CSF journey today by discovering how much sensitive data is exposed in your cloud environments. Request a free risk scan today.