Guide to Recent Updates in the NIST Cybersecurity Framework


By: Beaconer, Mar 11, 2022


The NIST Cybersecurity Framework is an effective instrument for structuring and improving a cybersecurity program. Comprising guidelines and best practices, it helps organizations strengthen their security posture. The framework offers a set of recommendations and standards that improve an organization's readiness to identify and thwart cyber-attacks, along with guidance on protecting against, responding to, and recovering from cyber incidents.


Formulated by the National Institute of Standards and Technology (NIST), the framework addresses the absence of a common cybersecurity baseline by presenting a consistent set of guidelines and practices applicable across industries. It is voluntary guidance rather than regulation, but it is widely acknowledged as the benchmark for establishing a cybersecurity program and is renowned for its comprehensive approach. Whether you are initiating a cybersecurity program or managing a well-established one, the NIST Cybersecurity Framework (NIST CSF) proves valuable as a top-level security management tool for evaluating cybersecurity risk across the organization.

NIST Cybersecurity Framework (CSF) Version 2.0


The NIST Cybersecurity Framework (CSF) version 1.1, published in April 2018, organized cybersecurity management into five functions: Identify, Protect, Detect, Respond, and Recover. Version 2.0 adds a sixth, Govern. Each function is explained below:

1) Identify

This function revolves around understanding and managing the cybersecurity risk to systems, assets, data, and capabilities. It encompasses asset management, understanding the business environment, governance, risk assessment, and risk management strategy. Specific measures that support it:

  1. Implement security policies for access control and data protection within vendor onboarding agreements.
  2. Arrange supply chain vendors based on their potential security impact.
  3. Establish a consistent level of transparency for security risks during the entire lifespan of vendor relationships, as outlined in onboarding contracts.
  4. Identify all assets in your ecosystem through digital footprinting, and define your risk threshold for each of them.

2) Protect

This function is dedicated to implementing the safeguards needed to ensure delivery of critical services. It covers access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology. Specific measures that support it:

  1. Deploy continuous monitoring that not only flags identified risks but recommends remediation for them.
  2. Offer in-person training sessions or webinars to instruct employees on recognizing phishing and social engineering attacks.
  3. Enforce proper security practices among all remote workers.
  4. Perform risk assessments throughout the various stages of system development life cycles.
  5. Assess the risk exposure within your supply chain through security evaluations.
  6. Verify that all third-party vendors comply with the standards and regulations that apply to them, such as ISO 27001, PCI DSS and HIPAA.


3) Detect

This function is centered on identifying cybersecurity events in a timely manner. It covers anomalies and events, security continuous monitoring, and detection processes. Specific measures that support it:

  1. Detect and remediate vulnerabilities that could be exploited to gain a foothold.
  2. Identify and prevent data leaks that expose confidential information.
  3. Inventory the ports and services exposed on internet-facing assets and monitor them for unexpected changes.
  4. Close or harden every exposed port that is not needed.

4) Respond

This function is focused on acting on detected cybersecurity incidents. It covers response planning, communications, analysis, mitigation, and improvements drawn from the incident response process. Specific measures that support it:

  1. Ensure incident response and security plans are regularly updated.
  2. Periodically test the effectiveness of incident response plans through tabletop exercises and red/blue team exercises.
  3. Create a dependable communication channel for cyber incident updates to keep stakeholders and regulatory bodies informed.
  4. Segment networks so that the compromise of one system cannot be used for lateral movement.

5) Recover

This function is dedicated to restoring capabilities after a cybersecurity incident. It covers recovery planning, improvements based on lessons learned, and communications throughout the recovery phase. Specific measures that support it:

  1. Prioritize the most critical threats and address them promptly.
  2. Track progress on all security risk remediation initiatives.
  3. Verify the effectiveness of remediation actions through follow-up assessment and security ratings.

6) Govern

The “Govern” function is aimed at creating and sustaining a governance structure and management approach to enhance the effectiveness, efficiency, and continuous improvement of an organization’s cybersecurity risk management. It serves as the cornerstone for implementing the other functions within the framework, ensuring that cybersecurity initiatives align with business strategy, adhere to regulations, and are adequately supported by resources and leadership.

Updates in NIST Cybersecurity Framework (CSF) Version 2.0


The NIST Cybersecurity Framework (CSF) version 2.0 introduces several significant updates compared to the previous versions, reflecting the evolving cybersecurity landscape and the need to address current and future challenges. Some of the key changes in CSF 2.0 include:

1) Expanded Scope

The framework’s scope has been broadened from critical infrastructure to all organizations, regardless of sector or size, and its guidance is written to apply to current technologies such as cloud, mobile, and artificial intelligence.


2) Addition of “Govern” Function

A significant modification in CSF 2.0 is the inclusion of a new function termed “Govern,” highlighting the crucial role of top-down governance and the integration of cybersecurity into an organization’s strategic planning. This underscores the importance of a holistic approach to cybersecurity that aligns with overall organizational governance and strategic objectives.

3) Integration with Other Frameworks

CSF 2.0 introduces fresh guidance on effectively incorporating the Cybersecurity Framework with other frameworks, such as the Privacy Framework and Enterprise Risk Management guidance. This guidance aims to comprehensively tackle technology risks and foster a synergistic approach across various organizational frameworks.

4) Enhanced Implementation Guidance

The framework now provides enhanced and extended guidance on implementing the CSF, particularly on creating Organizational Profiles. A Current Profile records what the organization does today and a Target Profile describes the desired state; comparing the two shows where the organization stands against the threats it faces and where to invest next.


5) Stakeholder Engagement and Feedback

NIST has actively sought feedback from stakeholders through various means, including public webinars, workshops, and requests for information, to ensure that the framework reflects leading practices and guidance resources.

Category Subcategory Implementation Examples Informative References

Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by Organizational Stakeholders (formerly ID.SC)

GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders (formerly ID.SC-01)
  Ex1: Establish a strategy that expresses the objectives of the cybersecurity supply chain risk management program
  Ex2: Develop the cybersecurity supply chain risk management program, including a plan (with milestones), policies, and procedures that guide implementation and improvement of the program, and share the policies and procedures with the organizational stakeholders
  Ex3: Develop and implement program processes based on the strategy, objectives, policies, and procedures that are agreed upon and performed by the organizational stakeholders
  Ex4: Establish a cross-organizational mechanism that ensures alignment between functions that contribute to cybersecurity supply chain risk management, such as cybersecurity, IT, legal, human resources, and engineering

GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally (formerly ID.AM-06)
  Ex1: Identify one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing cybersecurity supply chain risk management activities
  Ex2: Document cybersecurity supply chain risk management roles and responsibilities in policy
  Ex3: Create responsibility matrixes to document who will be responsible and accountable for cybersecurity supply chain risk management activities and how those teams and individuals will be consulted and informed
  Ex4: Include cybersecurity supply chain risk management responsibilities and performance requirements in personnel descriptions to ensure clarity and improve accountability
  Ex5: Document performance goals for personnel with cybersecurity risk management-specific responsibilities, and periodically measure them to demonstrate and improve performance
  Ex6: Develop roles and responsibilities for suppliers, customers, and business partners to address shared responsibilities for applicable cybersecurity risks, and integrate them into organizational policies and applicable third-party agreements
  Ex7: Internally communicate cybersecurity supply chain risk management roles and responsibilities for third parties
  Ex8: Establish rules and protocols for information sharing and reporting processes between the organization and its suppliers

GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes (formerly ID.SC-02)
  Ex1: Identify areas of alignment and overlap with cybersecurity and enterprise risk management
  Ex2: Establish integrated control sets for cybersecurity risk management and cybersecurity supply chain risk management
  Ex3: Integrate cybersecurity supply chain risk management into improvement processes
  Ex4: Escalate material cybersecurity risks in supply chains to senior management, and address them at the enterprise risk management level

GV.SC-04: Suppliers are known and prioritized by criticality
  Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of data processed or possessed by suppliers, the degree of access to the organization’s systems, and the importance of the products or services to the organization’s mission
  Ex2: Keep a record of all suppliers, and prioritize suppliers based on the criticality criteria

GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties (formerly ID.SC-03)
  Ex1: Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised
  Ex2: Include all cybersecurity and supply chain requirements that third parties must follow and how compliance with the requirements may be verified in default contractual language
  Ex3: Define the rules and protocols for information sharing between the organization and its suppliers and sub-tier suppliers in contracts
  Ex4: Manage risk by including security requirements in contracts based on their criticality and potential impact if compromised
  Ex5: Define security requirements in service-level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle
  Ex6: Contractually require suppliers to disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service
  Ex7: Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products
  Ex8: Contractually require suppliers to vet their employees and guard against insider threats
  Ex9: Contractually require suppliers to provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections
  Ex10: Specify in contracts the rights and responsibilities of the organization, its suppliers, and applicable lower-tier suppliers and supply chains, with respect to potential cybersecurity risks

GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
  Ex1: Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each supplier relationship
  Ex2: Assess the suitability of the technology and cybersecurity capabilities and the risk management practices of prospective suppliers
  Ex3: Conduct supplier risk assessments against business and applicable cybersecurity requirements, including lower-tier suppliers and the supply chain for critical suppliers
  Ex4: Assess the authenticity, integrity, and security of critical products prior to acquisition and use

GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are identified, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship (formerly ID.SC-02, ID.SC-04)
  Ex1: Adjust assessment formats and frequencies based on the third party’s reputation and the criticality of the products or services they provide
  Ex2: Evaluate third parties’ evidence of compliance with contractual cybersecurity requirements, such as self-attestations, warranties, certifications, and other artifacts
  Ex3: Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections, audits, tests, or other forms of evaluation
  Ex4: Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly
  Ex5: Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity

GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities (formerly ID.SC-05)
  Ex1: Define and use rules and protocols for reporting incident response and recovery activities and the status between the organization and its suppliers
  Ex2: Identify and document the roles and responsibilities of the organization and its suppliers for incident response
  Ex3: Include critical suppliers in incident response exercises and simulations
  Ex4: Define and coordinate crisis communication methods and protocols between the organization and its critical suppliers
  Ex5: Conduct collaborative lessons learned sessions with critical suppliers

GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
  Ex1: Policies and procedures require provenance records for all acquired technology products and services
  Ex2: Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic
  Ex3: Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software providers
  Ex4: Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products
  Ex5: Policies and procedures require checking upgrades to critical hardware for unauthorized changes

GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
  Ex1: Establish processes for terminating critical relationships under both normal and adverse circumstances
  Ex2: Define and implement plans for component end-of-life maintenance support and obsolescence
  Ex3: Verify that supplier access to organization resources is deactivated promptly when it is no longer needed
  Ex4: Verify that assets containing the organization’s data are returned or properly disposed of in a timely, controlled, and safe manner
  Ex5: Develop and execute a plan for terminating or transitioning supplier relationships that takes supply chain security risk and resiliency into account
  Ex6: Mitigate risks to data and systems created by supplier termination
  Ex7: Manage data leakage risks associated with supplier termination
Function, Category & Subcategory / Best Practices

GOVERN (GV): Establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy
Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders
GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders

GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally

GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes

GV.SC-04: Suppliers are known and prioritized by criticality

Build a comprehensive third-party risk management (TPRM) or cybersecurity supply chain risk management program in line with your broader information security and governance, enterprise risk management and compliance programs

Seek out experts to collaborate with your team on:

  • Defining and implementing TPRM and C-SCRM processes and solutions
  • Selecting risk assessment questionnaires and frameworks
  • Optimizing your program to address the entire third-party risk lifecycle, from sourcing and due diligence to termination and offboarding, according to your organization’s risk appetite

As part of this process, you should define:

  • Clear roles and responsibilities (e.g., RACI)
  • Third-party inventories
  • Risk scoring and thresholds based on your organization’s risk tolerance.

Start by quantifying inherent risk for all third parties. Criteria used to calculate inherent risk for third-party prioritization include:

  • Type of content required to validate controls
  • Criticality to business performance and operations
  • Location(s) and related legal or regulatory considerations
  • Level of reliance on fourth parties
  • Exposure to operational or client-facing processes
  • Interaction with protected data
  • Financial status and health
  • Reputation

GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties

Centralize the distribution, discussion, retention and review of vendor contracts to automate the contract lifecycle and ensure key clauses are enforced. Key capabilities include:

  • Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders and status, with customized, role-based views
  • Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
  • Automated reminders and overdue notices to streamline contract reviews
  • Centralized contract discussion and comment tracking
  • Contract and document storage with role-based permissions and audit trails of all access
  • Version control tracking that supports offline contract and document edits
  • Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

With this capability, you can ensure that clear responsibilities and right-to-audit clauses are articulated in the vendor contract, and that SLAs are tracked and managed accordingly.

GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships

Centralize and automate the distribution, comparison and management of requests for proposals (RFPs) and requests for information (RFIs) in a single solution that enables comparison on key attributes.

As all service providers are being centralized and reviewed, teams should create comprehensive vendor profiles that contain insight into a vendor’s demographic information, fourth-party technologies, ESG scores, recent business and reputational insights, data breach history, and recent financial performance.

This level of due diligence creates greater context for making vendor selection decisions.

GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are identified, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship

Look for solutions that feature a large library of pre-built templates for third-party risk assessments. Assessments should be conducted at the time of onboarding, at contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes.

Assessments should be managed centrally and be backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle.

Importantly, a TPRM solution should include built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.

As part of this process, continuously track and analyze external threats to third parties. Monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

Be sure to incorporate third-party operational, reputational and financial data to add context to cyber findings and measure the impact of incidents over time.

GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities

As part of your broader incident management strategy, ensure that your third-party incident response program enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents. Look for managed services where dedicated experts centrally manage your vendors; conduct proactive event risk assessments; score identified risks; correlate risks with continuous cyber monitoring intelligence; and issue remediation guidance. Managed services can greatly reduce the time required to identify vendors impacted by a cybersecurity incident and ensure that remediations are in place.


Key capabilities in a third-party incident response service include:

  • Continuously updated and customizable event and incident management questionnaires
  • Real-time questionnaire completion progress tracking
  • Defined risk owners with automated chasing reminders to keep surveys on schedule
  • Proactive vendor reporting
  • Consolidated views of risk ratings, counts, scores and flagged responses for each vendor
  • Workflow rules to trigger automated playbooks to act on risks according to their potential impact on the business
  • Built-in reporting templates for internal and external stakeholders
  • Guidance from built-in remediation recommendations to reduce risk
  • Data and relationship mapping to identify relationships between your organization and third, fourth or Nth parties, to visualize information paths and reveal at-risk data

Also, consider leveraging databases that contain several years of data breach history for thousands of companies around the world, including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed, all with expert support.

GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle

Please see GV.SC-01 and GV.SC-02.

GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement

Building on the best practices recommended for GV.SC-05, automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

  • Schedule tasks to review contracts to ensure all obligations have been met
  • Issue contract assessments to evaluate status
  • Leverage surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, etc.
  • Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts
  • Analyze documents to confirm key criteria are addressed
  • Take actionable steps to reduce vendor risk with remediation recommendations and guidance
  • Visualize and address compliance requirements by automatically mapping assessment results to regulations and frameworks

IDENTIFY (ID): Help determine the current cybersecurity risk to the organization
Asset Management (ID.AM): Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy

ID.AM-03: Representations of the organization’s authorized network communication and internal and external network data flows are maintained

To address this Subcategory, it’s important to identify fourth-party and Nth-party subcontracting relationships in your supplier ecosystem. Conduct a questionnaire-based assessment of your suppliers or passively scan the supplier’s public-facing infrastructure. The resulting relationship map should depict extended dependencies and information flows that could expose your organization to risk.
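The relationship map described for ID.AM-03 is also what the incident-response section above relies on when it talks about identifying which vendors are impacted by an incident at a third, fourth or Nth party. The following is an added example, not code from the article, from NIST or from any TPRM product: it stores the supplier ecosystem as a directed graph, assigns each party its tier (third, fourth, Nth) by breadth-first search, and, given a compromised party, enumerates every path from the organization to it, reporting which direct supplier each path runs through and the most sensitive data classification flowing along it. The supplier names, edges and the classification ordering are all constructed for illustration.

```python
"""Supplier relationship map: tiers and exposure paths for Nth-party incidents.

Added example for this article; constructed data, no real suppliers.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Constructed edges: (party, sub-supplier it relies on, classification of the
# data that flows along that link). "ORG" is our own organization.
Edge = Tuple[str, str, str]
RELATIONSHIPS: List[Edge] = [
    ("ORG", "PayrollCo", "PII"),
    ("ORG", "CRMVendor", "customer-data"),
    ("ORG", "MarketingAgency", "public"),
    ("PayrollCo", "CloudHostA", "PII"),
    ("CRMVendor", "CloudHostA", "customer-data"),
    ("CRMVendor", "EmailAPI", "customer-data"),
    ("MarketingAgency", "EmailAPI", "public"),
    ("CloudHostA", "DataCenterOps", "PII"),
]

# Assumed sensitivity ordering; an organization would use its own scheme.
DATA_RANK = {"public": 0, "customer-data": 1, "PII": 2}


def build_graph(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    """Adjacency list: party -> [(sub-supplier, data classification), ...]."""
    graph: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, dst, data in edges:
        graph[src].append((dst, data))
    return graph


def supplier_tiers(edges: List[Edge], root: str = "ORG") -> Dict[str, int]:
    """BFS distance from the organization: 1 = third party, 2 = fourth, ..."""
    graph = build_graph(edges)
    tier = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nxt, _ in graph.get(node, []):
            if nxt not in tier:          # first visit gives the shortest path
                tier[nxt] = tier[node] + 1
                queue.append(nxt)
    return tier


def exposure_paths(edges: List[Edge], compromised: str, root: str = "ORG") -> List[dict]:
    """All paths root -> compromised, each tagged with the direct supplier it
    passes through and the most sensitive data classification on the path.
    Sorted so the most sensitive exposure comes first."""
    graph = build_graph(edges)
    results: List[dict] = []

    def walk(node: str, path: List[str], worst: str) -> None:
        if node == compromised:
            results.append({"direct_supplier": path[1], "path": list(path),
                            "highest_data": worst})
            return
        for nxt, data in graph.get(node, []):
            if nxt in path:              # guard against cycles in the map
                continue
            new_worst = worst if DATA_RANK[worst] >= DATA_RANK[data] else data
            walk(nxt, path + [nxt], new_worst)

    if compromised == root:
        return []
    for nxt, data in graph.get(root, []):
        walk(nxt, [root, nxt], data)
    results.sort(key=lambda r: -DATA_RANK[r["highest_data"]])
    return results


if __name__ == "__main__":
    for party, t in sorted(supplier_tiers(RELATIONSHIPS).items(), key=lambda kv: kv[1]):
        print(f"tier {t}: {party}")
    print("\nIf CloudHostA is compromised:")
    for r in exposure_paths(RELATIONSHIPS, "CloudHostA"):
        print(f"  via {r['direct_supplier']:<12} {' -> '.join(r['path'])}  ({r['highest_data']})")
```

Because the walk enumerates every path rather than just the shortest one, a fourth party reached through two different direct suppliers shows up twice, once per contract and data flow that has to be reviewed; that is the list the incident team works from when notifying suppliers under GV.SC-08.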

ID.AM-04: Inventories of services provided by suppliers are maintained

Build a centralized service provider inventory by importing vendors via a spreadsheet template or through an API connection to an existing procurement solution. Teams throughout the enterprise should be able to populate key supplier details with a centralized intake form and associated workflow tasks. This should be available to everyone via email invitation, without requiring any training or solution expertise.

ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission

Please see GV.SC-04.

ID.AM-08: Systems, hardware, software, and services are managed throughout their life cycle

Managing external service providers should include:

  • Continuously assessing and monitoring the potential risks the service provider introduces into your environment, and making recommendations to mitigate the impact of those risks
  • Monitoring service levels, key performance indicators (KPIs) and key risk indicators (KRIs) to ensure adherence to contractual agreements
  • Securely offboarding service providers to ensure data and system security post-contract termination
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to the organization, assets, and individuals
ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources

ID.RA-03: Internal and external threats to the organization are identified and recorded

ID.RA-04: Potential impacts and likelihoods of threats

Continuously track and analyze external threats to third parties. As part of this, monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources typically include:

  • Criminal forums; onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials, as well as several security communities
  • Databases containing several years of data breach history for thousands of companies around the world

ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk and inform risk prioritization

ID.RA-06: Risk responses are chosen from the available options, prioritized, planned, tracked, and communicated

ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked

All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

Once all assessment and monitoring data is correlated into a central risk register, apply risk scoring and prioritization according to a likelihood and impact model. This model should frame risks in a matrix so you can easily see the highest-impact risks and prioritize remediation efforts on those.

Assign owners, and track risks and remediations down to a level acceptable to the business.

ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use

As part of the due diligence process, require vendors to provide updated software bills of materials (SBOMs) for their software products. This will help you identify potential vulnerabilities or licensing issues that may impact your organization’s security and compliance, and the component hashes an SBOM carries let you confirm that what was delivered is what the supplier described.
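The following is an added example, not code from the article, from NIST or from any vendor, showing what "assess the SBOM" looks like in practice for ID.RA-09 and for the GV.SC-05 contract requirement (Ex7) that suppliers maintain a component inventory. It takes a CycloneDX-style JSON SBOM and the delivered artifacts, then (1) recomputes each component's SHA-256 and compares it with the hash the SBOM declares, (2) matches component name and version against a vulnerability list, and (3) checks each SPDX licence identifier against an allowed list. The SBOM, artifact bytes, vulnerability records and licence policy are all constructed for illustration; the vulnerability IDs are placeholders, not real advisories.

```python
"""Assess a CycloneDX-style SBOM: integrity, known vulnerabilities, licences.

Added example for this article; all inputs below are constructed.
"""
import hashlib
import json
from typing import Dict, List

# Constructed artifact bytes keyed by package URL (purl), standing in for the
# files a supplier delivered.
DELIVERED: Dict[str, bytes] = {
    "pkg:generic/libfoo@1.2.3": b"libfoo 1.2.3 release archive (constructed)",
    "pkg:generic/libbar@0.9.0": b"libbar 0.9.0 release archive (constructed)",
    "pkg:generic/libbaz@2.0.1": b"libbaz 2.0.1 release archive (constructed)",
}

# Constructed vulnerability records (placeholder IDs, not real advisories).
VULN_FEED = [
    {"id": "EXAMPLE-VULN-1", "name": "libbar", "affected": ["0.9.0", "0.9.1"],
     "fixed_in": "0.9.2", "severity": "high"},
]

# Assumed licence policy: SPDX identifiers this organization accepts.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_supplier_sbom() -> str:
    """Constructed CycloneDX 1.5 JSON SBOM whose hashes match DELIVERED as the
    supplier originally shipped it (the SBOM is built from those bytes)."""
    def component(name: str, version: str, license_id: str) -> dict:
        purl = f"pkg:generic/{name}@{version}"
        return {"type": "library", "name": name, "version": version, "purl": purl,
                "licenses": [{"license": {"id": license_id}}],
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(DELIVERED[purl])}]}
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [component("libfoo", "1.2.3", "MIT"),
                           component("libbar", "0.9.0", "Apache-2.0"),
                           component("libbaz", "2.0.1", "AGPL-3.0-only")]}
    return json.dumps(sbom)


def assess_sbom(sbom_json: str, delivered: Dict[str, bytes]) -> List[dict]:
    """One finding per problem found: integrity, missing, vulnerability,
    license, or undeclared (delivered but absent from the SBOM)."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    findings: List[dict] = []
    components = sbom.get("components", [])
    for comp in components:
        purl = comp["purl"]
        # 1. Integrity: delivered bytes must hash to the SHA-256 the SBOM declares.
        declared = {h["alg"]: h["content"] for h in comp.get("hashes", [])}
        data = delivered.get(purl)
        if data is None:
            findings.append({"purl": purl, "type": "missing",
                             "detail": "listed in SBOM but not delivered"})
        elif "SHA-256" not in declared:
            findings.append({"purl": purl, "type": "integrity",
                             "detail": "no SHA-256 in SBOM; cannot verify"})
        elif sha256_hex(data) != declared["SHA-256"]:
            findings.append({"purl": purl, "type": "integrity",
                             "detail": "SHA-256 mismatch: artifact differs from SBOM"})
        # 2. Known vulnerabilities: exact name and version match against the feed.
        for v in VULN_FEED:
            if v["name"] == comp["name"] and comp["version"] in v["affected"]:
                findings.append({"purl": purl, "type": "vulnerability",
                                 "detail": f"{v['id']} ({v['severity']}), fixed in {v['fixed_in']}"})
        # 3. Licence policy: every declared SPDX id must be on the allowed list.
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id", "UNKNOWN")
            if lic_id not in ALLOWED_LICENSES:
                findings.append({"purl": purl, "type": "license",
                                 "detail": f"{lic_id} not in allowed list"})
    # 4. Anything delivered that the SBOM does not mention is itself a finding.
    listed = {c["purl"] for c in components}
    for purl in delivered:
        if purl not in listed:
            findings.append({"purl": purl, "type": "undeclared",
                             "detail": "delivered but absent from SBOM"})
    return findings


def demo() -> List[dict]:
    """Run the assessment with one artifact altered after the SBOM was produced."""
    received = dict(DELIVERED)
    received["pkg:generic/libfoo@1.2.3"] = b"libfoo 1.2.3 release archive (MODIFIED)"
    return assess_sbom(build_supplier_sbom(), received)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['type']:<13} {f['purl']:<28} {f['detail']}")
```

Run as written, the demo reports three findings: an integrity mismatch on libfoo (the altered archive), the constructed vulnerability on libbar, and the AGPL licence on libbaz. A hash match only proves the artifact is the one the SBOM describes; whether the SBOM itself is genuine depends on the supplier signing it, which is the kind of evidence GV.SC-05 Ex9 asks contracts to require.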
DETECT (DE): Find and analyze possible cybersecurity attacks and compromises
Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events
DE.CM-06: External service provider

Please see ID.RA.
Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents
DE.AE-02: Potentially adverse events are analyzed to better understand associated activities

DE.AE-03: Information is correlated from multiple sources

Please see ID.RA.

DE.AE-04: The estimated impact and scope of adverse events are determined

DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis

DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria

Please see ID.RA.
RESPOND (RS): Take action regarding a detected cybersecurity incident
Incident Management (RS.MA): Responses to detected cybersecurity incidents are managed
RS.MA-01: The incident response plan is executed once an incident is declared in coordination with relevant third parties

Please see GV.SC-08.
Incident Response Reporting and Communication (RS.CO): Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies
RS.CO-02: Internal and external stakeholders are notified of incidents

RS.CO-03: Information is shared with designated internal and external stakeholders

Please see GV.SC-08.
RECOVER (RC): Restore assets and operations that were impacted by a cybersecurity incident
Incident Recovery Communication (RC.CO): Restoration activities are coordinated with internal and external parties
RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders

Please see GV.SC-08.


Conclusion

The update process for CSF 2.0 has involved extensive stakeholder engagement to ensure that the framework remains relevant and effective in addressing cybersecurity challenges.

These updates are intended to help the framework keep pace with technology and threat trends, integrate lessons learned, and move best practices to common practice.

The NIST Cybersecurity Framework 2.0 Reference Tool has also been released to enable users to explore the draft CSF 2.0 Core and create their own version of the framework with selected features.

In summary, NIST Cybersecurity Framework version 2.0 represents a significant evolution of the framework, with expanded scope, enhanced guidance, and a greater emphasis on cybersecurity governance and third-party risk management, reflecting the changing cybersecurity landscape and the need for organizations to address emerging threats and technologies effectively.

Author Bio

Nagaraj Kuppuswamy

Nagaraj Kuppuswamy is the Co-founder and CEO of Beaconer, an enterprise specializing in managed third-party risk using a cloud-native, AI-based solution. With an extensive portfolio of accolades and industry certifications, Nagaraj is a seasoned expert with over 16 years of involvement in the field of cybersecurity. Throughout his career, he has focused predominantly on advancing third-party risk assessment.
