NIST updates 10 y/o cybersecurity framework adding focus on supply chain risk management 

Monday, NIST released version 2.0 of its cybersecurity framework (CSF) that emphasizes governance and supply chain issues for both public and private sector entities.

The new guidance outlines “high-level cybersecurity outcomes that can be used by any organization to better understand, assess, prioritize and communicate its cybersecurity efforts.” There are six core functions:

  1. Govern
  2. Identify
  3. Protect
  4. Detect
  5. Respond
  6. Recover

“Govern”, the function added alongside the five existing pillars, covers how an organization establishes, communicates and monitors its cybersecurity risk management strategy, expectations and policy, and is intended to address the implementation and oversight of a cybersecurity strategy.

Laurie Locascio, director of NIST and undersecretary of Commerce for Standards and Technology, noted that 10 years ago before NIST’s initial CSF launched, there was discussion about the elements of “govern,” but agency leaders “really weren’t ready yet to incorporate it.”

In version 2.0, the focus on supply chain risk reflects how technologies of every kind depend on complex, geographically dispersed outsourcing arrangements, in both the private and public sectors, that deliver a variety of services. In the updated CSF, NIST points to Cybersecurity Supply Chain Risk Management (C-SCRM) as a systematic process for managing exposure to cybersecurity risk by developing appropriate “strategies, policies, processes and procedures.”

Emily Phelps, VP, Cyware starts with this comment:

   “By adding governance, NIST does a great job rounding out an already best-in-class framework. This will help organizations not only improve bidirectional information sharing between security teams, executives, and board members, it will help ensure consistent language and clear definitions around responsibilities.”

Greg Welch, CEO, CyberProtonics had this comment:

   “Cybercrimes are on the rise with more sophistication and computing resources. We believe all data should be encrypted and pleased to see NIST provide organizations with risk assessment strategies and procedures that will help safeguard against malicious actors.”

Dave Ratner, CEO, HYAS offered this comment:

   “As a key part of ‘Govern’ in version 2.0 of the NIST cybersecurity framework, organizations need to change how they have historically thought about security and focus on business and operational resiliency versus pure prevention. Especially with rampant supply chain attacks, not to mention constantly adapting tactics and techniques, criminals will unfortunately continue to infiltrate organizations of all sizes. Appropriate governance requires recognizing this fact across the entire business and all aspects of digital risk, and ensuring that cyber resiliency is implemented to efficiently identify, isolate, and address breaches before they expand and cause significant damage.”

John Benkert, CEO, Cigent adds this comment:

   “The National Institute of Standards and Technology (NIST) recently added “Govern” as a new function to its Cybersecurity Framework, emphasizing the importance of governance in managing cybersecurity risks. This addition underscores the understanding that effective cybersecurity is not just about technology but also involves clear governance structures, policies, and processes to ensure comprehensive risk management. This is long overdue and has been talked about outside of NIST circles for many years. Cybersecurity has to start at the top levels of organizations which includes C-level executives including the CFO.”

Troy Batterberry, CEO and Founder, EchoMark followed with this comment:

   “A vast majority of cybersecurity events are caused by inadequate security practices that can be traced back directly to insufficient prioritization and funding. While moving the discussion into the board room will help in some cases, many organizations under financial stress will continue to make difficult tradeoff decisions that result in more breaches. When they do happen, the criminals involved extract money to fund further criminal activity. Breaches impact not only the business but the customers too. This unfortunately may be a situation where further regulatory requirements are needed to protect customers and ultimately the public.”

Stephen Gates, Principal Security SME, Horizon3.ai had this to say:

   “In terms of responding to risk, NIST defines the available actions one could take as accepting, avoiding, mitigating, sharing, or transferring risk to others. And in the case of just-in-time and lean manufacturing, suppliers can potentially transfer their cyber risk to their buyers. Meaning, if you rely on a host of suppliers that help support your mission, an outage-inducing cyberattack on one of them will likely impact you as well.

   “Soon, organizations that have extensive supply chains will begin to require that their suppliers continuously assess their own infrastructure to identify their truly exploitable weaknesses, verify those weaknesses have been remediated, and prove that their cyber risk is not being transferred to their buyers. Although the term “report” appears eight times in the recent NIST Cybersecurity Framework (CSF) 2.0, it does not necessarily define a reporting standard or framework to address the third-party supplier “risk transfer” issue that many are being subjected to.”

NIST updating its cybersecurity framework shows that it is keeping up with the ever-changing cybersecurity landscape. Assuming that organizations are paying attention, this will benefit us all.
