Updates to the Cybersecurity Framework were made on April 16, 2018, creating NIST CSF V1.1. The revised framework was designed to be more informative and effective for all organizations. NIST CSF is a cybersecurity framework created by the National Institute of Standards and Technology (NIST) and serves as a strong base for bolstering your organization’s security. NIST states that the primary goal of the framework is to help organizations:
- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state;
- Communicate with internal and external stakeholders about cybersecurity risk.
The core of the framework contains four elements: Functions, Categories, Subcategories, and Informative References. They are discussed later in this article, after the summary of the new changes.
Changes Between V1 and V1.1
Recently the NIST CSF was updated from version 1.0 to version 1.1. NIST clarified that “compliance” can mean different things to different stakeholders, added a section on self-assessment, expanded the guidance on using the framework for Cyber Supply Chain Risk Management, and refined the treatment of authentication, authorization, and identity proofing, among other changes.
Detailed Changes Outlined
Functions – There are five functions: Identify, Protect, Detect, Respond, and Recover. Their purpose is to describe basic cybersecurity practices at a high level. They help an organization express its “management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities.”
Categories – Categories are the subdivisions of a function. They group related cybersecurity outcomes and are “closely tied to programmatic needs and particular activities”. For instance, “Asset Management” and “Detection Processes” are both examples of categories.
Subcategories – As the name suggests, subcategories further break down categories into “specific outcomes of technical and/or management activities”. Subcategories help achieve the objectives of their parent category. “External information systems are cataloged” and “Data-at-rest is protected” are both examples of subcategories.
Informative References – “Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors”. They help illustrate a way to achieve the outcome of each subcategory.
As noted earlier, the NIST CSF serves as a strong base framework for many different organizations. Part of what makes this framework so useful is the versatility it offers organizations across all industries. It was never intended to be “one size fits all”, and the National Institute of Standards and Technology will attest to this. If you would like to learn more about how the NIST CSF could aid your organization, or about the consulting services we offer, feel free to contact us here.