The NIST Cybersecurity Framework serves as an effective instrument for structuring and enhancing cybersecurity initiatives. Comprising guidelines and best practices, it helps organizations strengthen their cybersecurity posture. The framework offers a set of recommendations and standards that improve an organization's readiness to identify and thwart cyber-attacks, along with guidance on responding to, preventing, and recovering from cyber incidents.
Formulated by the National Institute of Standards and Technology (NIST), this framework addresses the absence of standards in cybersecurity by presenting a consistent set of regulations, guidelines, and standards applicable across various industries. Widely acknowledged as the benchmark for establishing a cybersecurity program, the NIST Cybersecurity Framework (NIST CSF) is renowned for its comprehensive approach. Whether initiating a cybersecurity program or managing a well-established one, the framework proves valuable, serving as a top-level security management tool for evaluating cybersecurity risks throughout the organization.
NIST Cybersecurity Framework (CSF) Version 2.0
The most recent previous version of the NIST Cybersecurity Framework (CSF), version 1.1, published in April 2018, had five functions representing important facets of cybersecurity management; CSF 2.0 adds a sixth, Govern. Below is an explanation of every function:
1) Identify
This function revolves around understanding and managing the cybersecurity risks posed to systems, assets, data, and capabilities. It encompasses asset management, understanding the business environment, implementing governance, conducting risk assessments, and devising a risk management strategy. In practice, specific measures should be taken to strengthen this function:
- Implement security policies for access control and data protection within vendor onboarding agreements.
- Arrange supply chain vendors based on their potential security impact.
- Establish a consistent level of transparency for security risks during the entire lifespan of vendor relationships, as outlined in onboarding contracts.
- Define your risk threshold for all assets. Identify all assets in your ecosystem through digital footprinting.
2) Protect
This function is dedicated to implementing the safeguards needed to ensure the secure delivery of critical infrastructure services. It covers access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology. To that end:
- Deploy an ongoing monitoring system that provides recommended solutions for identified risks.
- Offer in-person training sessions or webinars to instruct employees on recognizing phishing and social engineering attacks.
- Enforce proper security practices among all remote workers.
- Perform risk assessments throughout the various stages of system development life cycles.
- Assess the risk exposure within your supply chain through security evaluations.
- Verify compliance of all third-party vendors with regulatory standards like ISO 27001, PCI DSS and HIPAA.
3) Detect
This function is centered on identifying cybersecurity events. It encompasses detecting anomalies and events, continuous security monitoring, and processes that ensure timely detection. To that end:
- Detect and resolve vulnerabilities that could be exploited to introduce cyber threats.
- Identify and avert data leaks that disclose confidential information.
- Scan open ports for any signs of suspicious activity.
- Ensure the security of all open ports.
4) Respond
This function is focused on acting on identified cybersecurity incidents. It entails response planning, communications, analysis, mitigation, and improvements drawn from the incident response process. To that end:
- Ensure incident response and security plans are regularly updated.
- Periodically assess the effectiveness of incident response plans through red/blue team penetration testing.
- Create a dependable communication channel for cyber incident updates to keep stakeholders and regulatory bodies informed.
- Segment the network to contain threats and impede lateral movement after a compromise.
5) Recover
This function is dedicated to restoration following a cybersecurity incident. It encompasses recovery planning, improvements based on lessons learned, and communications throughout the recovery phase. To that end:
- Give priority to addressing critical cyber threats and handle them promptly.
- Keep track of the advancement in addressing all security risk remediation initiatives.
- Verify the effectiveness of remediation actions through security ratings.
6) Govern
The “Govern” function is aimed at creating and sustaining a governance structure and management approach to enhance the effectiveness, efficiency, and continuous improvement of an organization’s cybersecurity risk management. It serves as the cornerstone for implementing the other functions within the framework, ensuring that cybersecurity initiatives align with business strategies, adhere to regulations, and are adequately supported by resources and leadership.
Updates in NIST Cybersecurity Framework (CSF) Version 2.0
The NIST Cybersecurity Framework (CSF) version 2.0 introduces several significant updates compared to the previous versions, reflecting the evolving cybersecurity landscape and the need to address current and future challenges. Some of the key changes in CSF 2.0 include:
1) Expanded Scope
The framework’s scope has been broadened to address emerging technologies such as cloud, mobile, and artificial intelligence.
2) Addition of “Govern” Function
A significant modification in CSF 2.0 is the inclusion of a new function termed “Govern,” highlighting the crucial role of top-down governance and the integration of cybersecurity into an organization’s strategic planning. This underscores the importance of a holistic approach to cybersecurity that aligns with overall organizational governance and strategic objectives.
3) Integration with Other Frameworks
CSF 2.0 introduces fresh guidance on effectively incorporating the Cybersecurity Framework with other frameworks, such as the Privacy Framework and Enterprise Risk Management guidance. This guidance aims to comprehensively tackle technology risks and foster a synergistic approach across various organizational frameworks.
4) Enhanced Implementation Guidance
The framework now provides enhanced and extended guidance on implementing the CSF, particularly on creating profiles. This aims to help organizations evaluate their preparedness to combat cybersecurity threats effectively.
5) Stakeholder Engagement and Feedback
NIST has actively sought feedback from stakeholders through various means, including public webinars, workshops, and requests for information, to ensure that the framework reflects leading practices and guidance resources.
Category | Subcategory | Implementation Examples | Informative References
---|---|---|---
Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders (formerly ID.SC) | GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders (formerly ID.SC-01) | Ex1: Establish a strategy that expresses the objectives of the cybersecurity supply chain risk management program<br>Ex2: Develop the cybersecurity supply chain risk management program, including a plan (with milestones), policies, and procedures that guide implementation and improvement of the program, and share the<br>Ex3: Develop and implement program processes based on the strategy, objectives, policies, and procedures that are agreed upon and performed by the organizational stakeholders<br>Ex4: Establish a cross-organizational mechanism that ensures alignment between functions that contribute to cybersecurity supply chain risk management, such as cybersecurity, IT, legal, human resources, and |
 | GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally (formerly ID.AM-06) | Ex1: Identify one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing cybersecurity supply chain risk management activities<br>Ex2: Document cybersecurity supply chain risk management roles and responsibilities in policy<br>Ex3: Create responsibility matrixes to document who will be responsible and accountable for cybersecurity supply chain risk management activities and how those teams and individuals will be consulted and<br>Ex4: Include cybersecurity supply chain risk management responsibilities and performance requirements in personnel descriptions to ensure clarity and improve accountability<br>Ex5: Document performance goals for personnel with cybersecurity risk management-specific responsibilities, and periodically measure them to demonstrate and improve performance<br>Ex6: Develop roles and responsibilities for suppliers, customers, and business partners to address shared responsibilities for applicable cybersecurity risks, and integrate them into organizational policies and applicable third-party agreements<br>Ex7: Internally communicate cybersecurity supply chain risk management roles and responsibilities for third parties<br>Ex8: Establish rules and protocols for information sharing and reporting processes between the organization and its suppliers |
 | GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes (formerly ID.SC-02) | Ex1: Identify areas of alignment and overlap with cybersecurity and enterprise risk management<br>Ex2: Establish integrated control sets for cybersecurity risk management and cybersecurity supply chain risk management<br>Ex3: Integrate cybersecurity supply chain risk management into improvement processes<br>Ex4: Escalate material cybersecurity risks in supply chains to senior management, and address them at the enterprise risk management level |
 | GV.SC-04: Suppliers are known and prioritized by criticality | Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of data processed or possessed by suppliers, the degree of access to the organization’s systems, and the importance of the products or services to the organization’s mission<br>Ex2: Keep a record of all suppliers, and prioritize suppliers based on the criticality criteria |
 | GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties (formerly ID.SC-03) | Ex1: Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised<br>Ex2: Include all cybersecurity and supply chain requirements that third parties must follow and how compliance with the requirements may be verified in default contractual language<br>Ex3: Define the rules and protocols for information sharing between the organization and its suppliers and sub-tier suppliers in contracts<br>Ex4: Manage risk by including security requirements in contracts based on their criticality and potential impact if compromised<br>Ex5: Define security requirements in service-level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle<br>Ex6: Contractually require suppliers to disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service<br>Ex7: Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products<br>Ex8: Contractually require suppliers to vet their employees and guard against insider threats<br>Ex9: Contractually require suppliers to provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections<br>Ex10: Specify in contracts the rights and responsibilities of the organization, its suppliers, and applicable lower-tier suppliers and supply chains, with respect to potential cybersecurity risks |
 | GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | Ex1: Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each supplier relationship<br>Ex2: Assess the suitability of the technology and cybersecurity capabilities and the risk management practices of prospective suppliers<br>Ex3: Conduct supplier risk assessments against business and applicable cybersecurity requirements, including lower-tier suppliers and the supply chain for critical suppliers<br>Ex4: Assess the authenticity, integrity, and security of critical products prior to acquisition and use |
 | GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are identified, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship (formerly ID.SC-02, ID.SC-04) | Ex1: Adjust assessment formats and frequencies based on the third party’s reputation and the criticality of the products or services they provide<br>Ex2: Evaluate third parties’ evidence of compliance with contractual cybersecurity requirements, such as self-attestations, warranties, certifications, and other artifacts<br>Ex3: Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections,<br>Ex4: Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly<br>Ex5: Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity |
 | GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities (formerly ID.SC-05) | Ex1: Define and use rules and protocols for reporting incident response and recovery activities and the status between the organization and its suppliers<br>Ex2: Identify and document the roles and responsibilities of the organization and its suppliers for incident response<br>Ex3: Include critical suppliers in incident response exercises and simulations<br>Ex4: Define and coordinate crisis communication methods and protocols between the organization and its critical suppliers<br>Ex5: Conduct collaborative lessons learned sessions with critical suppliers |
 | GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | Ex1: Policies and procedures require provenance records for all acquired technology products and services<br>Ex2: Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic<br>Ex3: Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software<br>Ex4: Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products<br>Ex5: Policies and procedures require checking upgrades to critical hardware for unauthorized changes |
 | GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | Ex1: Establish processes for terminating critical relationships under both normal and adverse circumstances<br>Ex2: Define and implement plans for component end-of-life maintenance support and obsolescence<br>Ex3: Verify that supplier access to organization resources is deactivated promptly when it is no longer needed<br>Ex4: Verify that assets containing the organization’s data are returned or properly disposed of in a timely, controlled, and safe manner<br>Ex5: Develop and execute a plan for terminating or transitioning supplier relationships that takes supply chain security risk and resiliency into account<br>Ex6: Mitigate risks to data and systems created by supplier termination<br>Ex7: Manage data leakage risks associated with supplier termination |
Function, Category & Subcategory | Best Practices
---|---
GOVERN (GV): Establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy |
Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders |
GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders<br>GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally<br>GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes<br>GV.SC-04: Suppliers are known and prioritized by criticality | Build a comprehensive third-party risk management (TPRM) or cybersecurity supply chain risk management program in line with your broader information security and governance, enterprise risk management and compliance programs.<br>Seek out experts to collaborate with your team on:<br>As part of this process, you should define:<br>Start by quantifying inherent risks for all third parties. Criteria used to calculate inherent risk for third-party prioritization include:
GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | Centralize the distribution, discussion, retention and review of vendor contracts to automate the contract lifecycle and ensure key clauses are enforced. Key capabilities include:<br>With this capability, you can ensure that clear responsibilities and right-to-audit clauses are articulated in the vendor contract, and that SLAs are tracked and managed accordingly.
GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | Centralize and automate the distribution, comparison and management of requests for proposals (RFPs) and requests for information (RFIs) in a single solution that enables comparison on key attributes.<br>As all service providers are being centralized and reviewed, teams should create comprehensive vendor profiles that contain insight into a vendor’s demographic information, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, and recent financial performance. This level of due diligence creates greater context for making vendor selection decisions.
GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are identified, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | Look for solutions that feature a large library of pre-built templates for third-party risk assessments. Assessments should be conducted at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes.<br>Assessments should be managed centrally and be backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle. Importantly, a TPRM solution should include built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors. As part of this process, continuously track and analyze external threats to third parties. Monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives. Be sure to incorporate third-party operational, reputational and financial data to add context to cyber findings and measure the impact of incidents over time.
GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | As part of your broader incident management strategy, ensure that your third-party incident response program enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents. Look for managed services where dedicated experts centrally manage your vendors; conduct proactive event risk assessments; score identified risks; correlate risks with continuous cyber monitoring intelligence; and issue remediation guidance. Managed services can greatly reduce the time required to identify vendors impacted by a cybersecurity incident and ensure that remediations are in place.<br>Key capabilities in a third-party incident response service include:<br>Also, consider leveraging databases that contain several years of data breach history for thousands of companies around the world, including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed, all by leveraging experts.
GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | Please see GV.SC-01 and GV.SC-02.
GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | Building on the best practices recommended for GV.SC-05, automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.
IDENTIFY (ID): Help determine the current cybersecurity risk to the organization |
Asset Management (ID.AM): Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy |
ID.AM-03: Representations of the organization’s authorized network communication and internal and external network data flows are maintained | To address this subcategory, it is important to identify fourth-party and Nth-party subcontracting relationships in your supplier ecosystem. Conduct a questionnaire-based assessment of your suppliers or passively scan the supplier’s public-facing infrastructure. The resulting relationship map should depict extended dependencies and information flows that could expose your organization to risk.
ID.AM-04: Inventories of services provided by suppliers are maintained | Build a centralized service provider inventory by importing vendors via a spreadsheet template or through an API connection to an existing procurement solution. Teams throughout the enterprise should be able to populate key supplier details with a centralized intake form and associated workflow tasks. This should be available to everyone via email invitation, without requiring any training or solution expertise.
ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission | Please see GV.SC-04.
ID.AM-08: Systems, hardware, software, and services are managed throughout their life cycle | Managing external service providers should include:
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to the organization, assets, and individuals |
ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources<br>ID.RA-03: Internal and external threats to the organization are identified and recorded<br>ID.RA-04: Potential impacts and likelihoods of threats | Continuously track and analyze external threats to third parties. As part of this, monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.<br>Monitoring sources typically include:<br>All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.
ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk and inform risk prioritization<br>ID.RA-06: Risk responses are chosen from the available options, prioritized, planned, tracked, and communicated<br>ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | Once all assessment and monitoring data is correlated into a central risk register, apply risk scoring and prioritization according to a likelihood and impact model. This model should frame risks into a matrix. Assign owners and track risks and remediations to a level acceptable to the business.
ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use | As part of the due diligence process, require vendors to provide updated software bills of materials (SBOMs) for their software products. This will help you identify any potential vulnerabilities or licensing issues that may impact your organization’s security and compliance.
DETECT (DE): Find and analyze possible cybersecurity attacks and compromises |
Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events |
DE.CM-06: External service provider | Please see ID.RA.
Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents |
DE.AE-02: Potentially adverse events are analyzed to better understand associated activities<br>DE.AE-03: Information is correlated from multiple sources | Please see ID.RA.
DE.AE-04: The estimated impact and scope of adverse events are determined<br>DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis<br>DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria | Please see ID.RA.
RESPOND (RS): Take action regarding a detected cybersecurity incident |
Incident Management (RS.MA): Responses to detected cybersecurity incidents are managed |
RS.MA-01: The incident response plan is executed once an incident is declared in coordination with relevant third parties | Please see GV.SC-08.
Incident Response Reporting and Communication (RS.CO): Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies |
RS.CO-02: Internal and external stakeholders are notified of incidents<br>RS.CO-03: Information is shared with designated internal and external stakeholders | Please see GV.SC-08.
RECOVER (RC): Restore assets and operations that were impacted by a cybersecurity incident |
Incident Recovery Communication (RC.CO): Restoration activities are coordinated with internal and external parties |
RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders | Please see GV.SC-08.
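The supplier criticality criteria of GV.SC-04 and the unified, likelihood-and-impact-scored risk register described for GV.SC-07 and ID.RA-05 through ID.RA-07, worked through as an added Python example. This is not code from the page, from NIST or from any TPRM product; the tiering rule, the correlation heuristic that raises likelihood when an assessment gap is also visible to external monitoring, the 3x3 matrix thresholds and the supplier and finding data are all assumptions.

```python
"""Third-party risk register: GV.SC-04 criticality tiering plus an ID.RA
likelihood/impact matrix over correlated assessment and monitoring findings.
Added example; tiering rule, correlation heuristic, thresholds and all
supplier data are assumptions, not NIST's or any TPRM product's."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Supplier:
    name: str
    data_sensitivity: Level    # GV.SC-04 Ex1: sensitivity of data the supplier holds
    system_access: Level       # GV.SC-04 Ex1: degree of access to our systems
    mission_importance: Level  # GV.SC-04 Ex1: importance of the product or service


def criticality(s: Supplier) -> str:
    """Tier by the three GV.SC-04 criteria (assumed rule: any HIGH dimension,
    or MEDIUM on all three (combined score of 6 or more), makes it critical)."""
    dims = (s.data_sensitivity, s.system_access, s.mission_importance)
    if max(dims) == Level.HIGH or sum(dims) >= 6:
        return "critical"
    return "important" if max(dims) == Level.MEDIUM else "standard"


@dataclass
class Finding:
    supplier: str
    source: str       # "assessment" (questionnaire evidence) or "monitoring" (external intel)
    control: str      # control area concerned, e.g. "patching"
    description: str
    likelihood: Level
    impact: Level
    owner: str = "unassigned"
    status: str = "open"  # open | remediating | exception | closed


def correlate(findings):
    """GV.SC-07 / ID.RA-05: a gap reported in the assessment AND visible to
    external monitoring is likelier to be exploited; assumed heuristic raises
    the likelihood of each such finding by one level (capped at HIGH)."""
    seen = {(f.supplier, f.control, f.source) for f in findings}
    for f in findings:
        other = "monitoring" if f.source == "assessment" else "assessment"
        if (f.supplier, f.control, other) in seen:
            f.likelihood = Level(min(f.likelihood + 1, Level.HIGH))
    return findings


def risk_score(f: Finding) -> int:
    """Cell of a 3x3 likelihood x impact matrix, scored as the product (1..9)."""
    return int(f.likelihood) * int(f.impact)


def rating(score: int) -> str:
    """Matrix bands (assumed): 6-9 high, 3-4 medium, 1-2 low."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def prioritize(suppliers, findings):
    """Unified per-vendor register (ID.RA-05/06): open findings scored, ordered
    by score then supplier criticality, each with its owner."""
    tier = {s.name: criticality(s) for s in suppliers}
    rank = {"critical": 0, "important": 1, "standard": 2}
    live = [f for f in correlate(findings) if f.status in ("open", "remediating")]
    live.sort(key=lambda f: (-risk_score(f), rank[tier[f.supplier]], f.supplier))
    return [(f.supplier, tier[f.supplier], f.control, risk_score(f),
             rating(risk_score(f)), f.owner) for f in live]


def accept_exception(f: Finding, approver: str, reason: str) -> Finding:
    """ID.RA-07: an accepted risk stays in the register with approver and reason."""
    f.status = "exception"
    f.owner = approver
    f.description += f" [exception approved by {approver}: {reason}]"
    return f


def sample_data():
    """Constructed suppliers and findings (not real organisations or events)."""
    suppliers = [
        Supplier("PayrollCo", Level.HIGH, Level.MEDIUM, Level.HIGH),
        Supplier("AnalyticsSaaS", Level.MEDIUM, Level.MEDIUM, Level.LOW),
        Supplier("CafeteriaVendor", Level.LOW, Level.LOW, Level.LOW),
    ]
    findings = [
        Finding("PayrollCo", "assessment", "patching",
                "No documented patch SLA in questionnaire", Level.MEDIUM, Level.HIGH,
                owner="vendor-mgmt"),
        Finding("PayrollCo", "monitoring", "patching",
                "External scan reports an unpatched public web server",
                Level.MEDIUM, Level.HIGH),
        Finding("AnalyticsSaaS", "assessment", "access-control",
                "MFA not enforced on admin console", Level.MEDIUM, Level.MEDIUM),
        Finding("CafeteriaVendor", "monitoring", "breach-history",
                "Breach notice seen in public sources", Level.LOW, Level.LOW),
    ]
    return suppliers, findings
```

Calling `prioritize(*sample_data())` returns the register rows ordered for review; the two correlated PayrollCo patching findings rise to a score of 9 while the uncorrelated findings keep their original likelihood.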
Conclusion
The update process for CSF 2.0 has involved extensive stakeholder engagement to ensure that the framework remains relevant and effective in addressing cybersecurity challenges.
These updates are intended to help the framework keep pace with technology and threat trends, integrate lessons learned, and move best practices to common practice.
The NIST Cybersecurity Framework 2.0 Reference Tool has also been released to enable users to explore the draft CSF 2.0 Core and create their own version of the framework with selected features.
In summary, the NIST Cybersecurity Framework version 2.0 represents a significant evolution of the framework, with expanded scope, enhanced guidance, and a greater emphasis on cybersecurity governance and managed third party risk, reflecting the changing cybersecurity landscape and the need for organizations to effectively address emerging threats and technologies.