On February 26, 2024, NIST released version 2.0 of the Cybersecurity Framework. This blog reviews the fundamental changes introduced in CSF 2.0 and data-centric security considerations that should be made when aligning with the new framework.
As cybercriminals become more sophisticated, efficient, and cunning, it is critical to evolve how we protect our data from them from both a technology and operational perspective. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) has been serving as a guiding beacon on how organizations can defend against cybercrime since 2014, and ten years later, NIST has released the latest version of the CSF.
NIST CSF 2.0 introduces several updates to the previous version, including an expanded scope, a new function, and a reorganization of categories and sub-categories.
Expanded Scope:
CSF 2.0 is much broader than the earlier version by extending guidance to organizations of all sizes, sectors, and maturity levels, not just critical infrastructure. The guidance has been changed throughout the framework to reflect this broader scope. This change enables all organizations, such as small businesses, to utilize the framework effectively. This wider scope of the new framework version also allows it to be applied globally and not just within the United States of America.
CSF 2.0 continues with the original five functions of IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER, adding a new function, GOVERN. The GOVERN function emphasizes governance-related outcomes. The new CSF 2.0 model adds the GOVERN Function around which all other Functions revolve; this is critical because the GOVERN function highlights the significance of governance in overall cybersecurity risk management. Effective governance is the keystone of a successful organization, providing a structure for order, transparency, and accountability. It ensures responsible decision-making and guards against potential pitfalls caused by making decisions based on preference. Figure 1 below shows the evolution of NIST CSF 1.1 to CSF 2.0.
Figure 1: Evolution of NIST CSF 1.1 to CSF 2.0
The introduction of the GOVERN function also restructured the existing IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER functions by moving some categories and subcategories to the GOVERN function. Below is a summary of each function.
CSF 2.0 often refers to organizational profiles. An organizational profile uses current and target profiles or cybersecurity postures aligned to the CSF 2.0 Core, including the Functions, Categories, and Subcategories within CSF 2.0. These profiles are used to understand, assess, tailor, prioritize, and communicate the Core’s outcomes as they are evaluated today and where the organization wishes to improve.
Every Organizational Profile includes one or both of the following:
For example, you estimate your current profile score to be a two for data security under the PROTECT Function of CSF 2.0, and your target score is three or even four. To increase your Target Profile score, you may invest in a data security solution to improve how data is managed, consistent with the organization’s risk strategy, while protecting the confidentiality, integrity, and availability of information, improving your PROTECT Function score.
A data-centric security approach can help you align more closely to the CSF 2.0 framework. When evaluating your current profile and defining your target profile, here are some areas of focus you may want to consider when it comes to protecting data:
Thales and Imperva deliver a comprehensive solution set that provides data governance and protection wherever it resides. The data governance and security power of Imperva Data Security Fabric, combined with Thales’ CipherTrust Data Security Platform, Hardware Security Modules, and High-Speed Encryption, helps organizations effectively align to the NIST CSF 2.0 framework.
View our solution guide explaining how Imperva and Thales join forces to align to NIST CSF 2.0.
Stay tuned for our upcoming blog on effectively increasing your organizational profile with data security.
The post Breaking it Down: A Data-Centric Security Perspective on NIST Cybersecurity Framework 2.0 appeared first on Blog.