A little history of the Cybersecurity Framework.
The National Institute of Standards and Technology (NIST) recently released the much-anticipated version 2.0 of the Cybersecurity Framework (CSF). Originally published in 2014, the CSF was developed in response to Executive Order 13636, which tasked NIST with developing a voluntary framework for reducing cybersecurity risks to critical infrastructure.
The original CSF has been widely adopted by both public and private sector organizations to manage cybersecurity risks. According to NIST, the Framework has been downloaded over 3 million times and translated into more than 30 languages. However, despite its wide distribution, surveys revealed that many small and medium-sized businesses (SMBs) still struggle with implementation due to limited resources, limited expertise, and the framework’s overall complexity.
What’s changed?
CSF 2.0 addresses these challenges with a renewed focus on simplicity and usability. A central enhancement is the “Quick Start Guides”, which target one of the top barriers to SMB adoption: complexity. The Guides are short, approachable documents tailored to specific sectors and non-technical audiences. They focus on topics that address SMB concerns, such as incident response planning, cyber hygiene basics and cloud security considerations. By distilling CSF concepts into clear, actionable language, the Guides make implementation less daunting and present the Framework as an incremental, ongoing process rather than a pass/fail standard.
Wait! There’s more!
Another simplifying element is the introduction of profiling capabilities. CSF Profiles provide a standardized mechanism for organizations to evaluate their cybersecurity posture through a structured self-assessment process. Two main types of profile exist: the Current Profile establishes the organization’s baseline posture, and the Target Profile outlines aspirational goals that align with the organization’s risk appetite. Organizations create profiles by mapping existing security programs, policies and controls to the relevant CSF Categories and Subcategories. NIST offers templates to simplify this mapping and ensure consistency.
Beyond assessing maturity gaps, Profiles also help track progress over time and benchmark objectives against the CSF Tiers model. Profiles support continuous improvement by enabling organizations to prioritize actions and communicate needs to stakeholders. Additionally, Community Profiles establish sector-defined baselines that organizations can draw on for their Target Profiles, fostering consistency across a sector. These profiling capabilities equip organizations of all sizes to manage cybersecurity as a strategic, evolving process.
Through improvements to usability, flexibility, and simplicity, the updated CSF enables organizations of all types and industries to carry out comprehensive risk management. By using customizable features like the Quick Start Guides and Profiles, companies can develop security strategies tailored to their unique needs and environments. At the same time, the core Framework provides a shared foundation that facilitates ongoing cooperation across sectoral boundaries. Here at BlueCoat, we’re big fans of CSF 2.0. Let one of our experts use this updated framework to protect your business from risks inside and out.