The National Institute of Standards and Technology (NIST)’s Cybersecurity Framework (CSF) has provided a basis for organisations to achieve a more robust security posture since 2014.
With NIST recently releasing an updated draft version of the framework, we outline the main proposed changes.
What is the NIST Cybersecurity Framework?
The NIST CSF is a set of guidelines and best practices designed to help U.S. public and private sector organisations to develop a robust security posture. The framework provides recommendations and standards to enable companies to become better able to act on and defend against attacks, with guidance on how to respond, prevent and recover from cyber incidents.
The NIST CSF is different to other NIST frameworks because it is focused on cybersecurity risk analysis and risk management with five core security controls: identify, protect, detect, respond and recover.
What is changing?
In August 2024, NIST released a new draft version of the CSF 2.0. The aim behind the update is to broaden the scope of the framework and offer more guidance on implementation. The new version also has a greater focus on supply chain risk management.
A critical change to the updated CSF is the addition of a sixth Function to the original five it set out for an effective cybersecurity program: Govern.
The CSF Framework Functions
The Functions are the backbone of the NIST CSF Framework:
1. Identify: This Function helps organisations to understand how to manage cybersecurity risk to their systems, people, assets, data and capabilities. It should include a program of security assessments designed to identify threats and vulnerabilities and respond to organizational and supply chain
2. Protect: Covering the outlining of appropriate safeguards for delivering core infrastructure services, this Function supports the ability to limit or contain the impact of a potential cybersecurity event. This should include managing protective technology to ensure that systems and assets are secure and resilient.
3. Detect: This Function defines the activities needed to identify the occurrence of a cybersecurity event and ensure its timely discovery, for example, maintaining detection processes that provide awareness of anomalous events.
4. Respond: This Function includes appropriate activities for acting in response to a detected cybersecurity incident, helping to contain its impact. This includes managing communications with internal stakeholders, law enforcement and external stakeholders during and after an event.
5. Recover: This Function identifies appropriate activities to maintain plans for resilience as well as restoring capabilities or services impaired because of a cybersecurity incident. This includes implementing recovery planning processes and procedures to restore systems and/or assets affected by security
6. Govern: This new Function aims to provide guidance on how businesses make and implement decisions around cybersecurity. It will cut across the other Functions to highlight how critical cybersecurity governance is to managing and reducing cybersecurity risk. Cybersecurity governance in this context may include “determination of priorities and risk tolerances of the organization, customers, and larger society; assessment of cybersecurity risks and impacts; establishment of cybersecurity policies and procedures; and understanding of cybersecurity roles and responsibilities.”
The launch of the draft was followed by requests for online feedback, as well as opinions drawn from working parties and workshops. The consultation period for comments on the draft has now ended, with the final CSF 2.0 due to be published in early 2024.
How Kroll can help
The proposed changes to the NIST CSF highlight the importance of ensuring a consistent approach to security. All of its six Functions are addressed by Kroll, from Kroll Responder, our award-winning Managed Detection & Response (MDR) solution, enabling organisations to more easily and effectively identify, manage and mitigate cyber threats, to our status as the world’s number one incident response provider, responding to over 3,000 security events every year.
Our unique frontline experience means that companies from all over the world also count on us for proactive cybersecurity planning and mitigation strategies. The new NIST CSF Govern Function is supported through our security advisory services, which enable organisations to manage cyber risk and information security governance issues. This is through our virtual CISO (vCISO), data protection officer (DPO) consultancy and board advisory for cyber services and other types of specialist support.
Kroll has identified 10 essential security controls that every organisation can implement to help enhance their cyber resilience. Developed by Kroll’s security experts and drawing on insights from over 3,000 security investigations a year, this list of essential controls can help to significantly improve your security posture. For more details, including hands-on support, Kroll’s global team of elite experts are here to help with comprehensive cyber risk solutions available worldwide.