By SecureWorld News Team
Fri | Dec 10, 2021 | 10:46 AM PST

Are you a NIST CSF shop?

If so, your security team is part of a global movement. Hundreds of thousands of organizations have downloaded the NIST Cybersecurity Framework (CSF) since the National Institute of Standards and Technology created it in 2014.

And it has been translated into multiple languages, including Hebrew, Italian, Japanese, and Spanish.

In 2018, NIST published version 1.1, the only major update to the framework so far, and now NIST says another update is coming in 2022.

What can security teams expect from the NIST CSF update? And how can they influence what it will look like?

The 2022 NIST cybersecurity framework update

NIST's Chief of the Applied Cybersecurity Division, Kevin Stine, spoke about the goals of the 2022 NIST CSF update at a recent conference.

"There are plenty of opportunities for us to improve the cybersecurity framework based on the changing threat landscape, based on evolutions of technologies and the different practices capabilities we all are trying to leverage and take advantage of, and really—I'd say almost just as importantly—based on the experiences of organizations that have used the cybersecurity framework," says Stine.

Nextgov says he also revealed three areas of focus for the coming CSF update:

  1. Addressing Supply Chain Security: "Almost every conversation we participate in today, and I'm sure many of you too, you know, it all comes back to different dimensions of supply chain."
  2. Considering new features that will help organizations better manage their cyber risk, and drawing on current CSF users and the cyber community to identify what these things might be
  3. Looking for opportunities to align the NIST CSF with other resources, both internally and externally

NIST will ask for the information security community's input in early 2022, and we'll let you know when that happens.

Original intent of the NIST CSF

And while we look forward to a NIST cybersecurity framework update in the near future, our SecureWorld News team also wondered something else.

How did the NIST CSF get started and what was its original goal?

The answer: it was developed for critical infrastructure.

"Although the Cybersecurity Framework was developed initially with a focus on our critical infrastructure, such as transportation and the electric power grid, today it is having a much broader, positive impact in this country and around the world," says Walter Copan, the former NIST Director.

How the NIST cybersecurity framework maps to attacks

One thing we've heard repeatedly from CISOs and cybersecurity professionals at SecureWorld conferences is that the NIST CSF is extremely practical. One example of this "practicality" is how it maps to attacks.

Here is how the five NIST CSF core functions map to the phases of an attack:

  1. NIST core function-Identify: Maps to your posture before an attack: knowing what you have and what it is exposed to. Categories such as asset management, risk assessment, supply chain risk management, and others.
  2. NIST core function-Protect: Also maps to your posture before an attack: the safeguards that limit or contain an event. Categories such as access control, awareness and training, protective technology, and others.
  3. NIST core function-Detect: Maps to your capabilities during an attack. Categories such as anomalies and events, security continuous monitoring, and detection processes.
  4. NIST core function-Respond: Maps to responding (of course) to an attack once it has been detected. Categories such as response planning, communications, mitigation, and others.
  5. NIST core function-Recover: Maps to recovering from an attack and restoring normal operations. Categories such as recovery planning, improvements, and communications.

Do you already have ideas on how the NIST CSF could become better in 2022? Let us know in the comments below.