The National Institute of Standards and Technology (NIST) is planning the biggest reform yet of its Cybersecurity Framework, currently at version 1.1. NIST has released a discussion draft of the proposed changes to the framework, which aims to improve cybersecurity practices and help organizations manage cyber risk.
The proposed changes include adding new categories of security and privacy risk, updating existing guidance, and making the framework easier to use. Among the new areas of emphasis are supply chain risk, cybersecurity governance, and cybersecurity measurement. The revised framework is intended to provide guidance for organizations of all sizes and across all sectors, including government, critical infrastructure, and the private sector. NIST is seeking feedback on the discussion draft from stakeholders, including the cybersecurity community, and plans to release a final version of the revised framework in Q4 2024.
The revisions that stand out most, though, are the addition of a Governance function and the increased attention to measuring performance.
What is the “Govern” function?
The new “Govern” function will emphasize cybersecurity risk management governance, highlighting the critical role that governance plays in managing and reducing cybersecurity risk, and will align cybersecurity activities with enterprise risk and legal requirements. NIST has identified governance and risk management as an underlying component that supports the other five CSF functions, which warrants a larger focus on these activities than CSF 1.1 gives them.
Categories that cover governance in the current version of the CSF will be moved to the new Govern function. Existing subcategories will be expanded into separate categories under the new function, and NIST is seeking feedback on which categories and subcategories should be incorporated into it. One thing we do know is that Govern will inform and support the other five functions in the CSF, so expect these outcomes to be foundational to all other cybersecurity activities.
How does measurement play into the new CSF?
CSF 2.0 will place more focus on measurement and assessment of cybersecurity risk management programs and strategies. Critics of CSF 1.1 have pointed to a need for additional guidance and resources to support measurement and assessment of an organization’s use of the CSF, something NIST is eager to remedy with these proposed changes.
CSF 2.0 will clarify how organizations can use the Implementation Tiers and will provide implementation examples to assist organizations in assessing, quantifying, and communicating their cybersecurity capabilities. NIST will not put forward a single definitive approach to assessment; instead it will include examples of how organizations have combined the CSF with risk management strategies to communicate the effectiveness of their cybersecurity programs. The goal is a common language for communicating outcomes and supporting risk management decisions across organizations.
We’re no strangers to measuring cybersecurity performance; in fact, it’s the driving force behind CnSight®. TDI has championed Cybersecurity Performance Management (CPM) since 2017. We see it as transformative in the evolution of cybersecurity teams, and NIST seems to have caught on to the value of the sort of quantitative performance analysis we have long advocated. Today, businesses pour resources into the latest tools and software suites without considering what those tools actually deliver in terms of tangible risk reduction.
NIST’s emphasis on measurement in this revision of the CSF seeks to provide a structured, standardized approach to measuring cybersecurity performance, which will also help organizations implement CPM more effectively. CPM relies on metrics and key performance indicators (KPIs) to measure the effectiveness of cybersecurity programs, and CSF 2.0 will provide guidance on selecting and using such metrics and KPIs. This will enable organizations to measure the impact of their cybersecurity investments and to continuously improve their cybersecurity posture.
Overall, the focus on performance measurement and cybersecurity governance in CSF 2.0 is a welcome change that is closely aligned with the goals of CPM. Organizations will be better able to adopt a data-driven, evidence-based approach to cybersecurity risk management.
About CnSight®
CnSight® is the industry-leading Cybersecurity Performance Management (CPM) platform. It mitigates risk, reduces ransomware exposure, provides continuous compliance, improves cyber ROI, and gives comprehensive, instantaneous visibility into how an organization is performing against its cyber strategy, so executives and Boards can effectively manage the business of cybersecurity. The result: reduced stress, better performance, lower cost, and a true understanding of cyber investment.