In a significant update to its cybersecurity guidance, the National Institute of Standards and Technology (NIST) introduced a refreshed version of its Cybersecurity Framework (CSF). This marks the first major revision in a decade, aimed at refining the approach to cybersecurity in both the public and private sectors, with a notable emphasis on supply chain and governance issues.
The newly revised framework, version 2.0, sets out a comprehensive set of cybersecurity outcomes intended to apply to organizations of any size or sector. Organizations can use this framework to improve how they understand, assess, prioritize, and communicate their cybersecurity strategies. A pivotal addition is the “govern” function, which expands the framework’s core functions to six. It complements the existing five functions (identify, protect, detect, respond, and recover) by focusing on the strategic oversight and implementation of cybersecurity policies and practices.
The “govern” function is specifically tailored to address how an entity’s cybersecurity risk management strategy is formulated, disseminated, and supervised. It underscores the importance of integrating cybersecurity discussions into executive-level dialogues, highlighting a shift towards a more governance-oriented approach in cybersecurity management. Laurie Locascio, the director of NIST and under secretary of Commerce for Standards and Technology, emphasized this shift during an event hosted by Aspen Digital. She reflected on the evolution of cybersecurity governance, noting the initial hesitancy to incorporate such a dimension a decade ago, and the critical role it plays in today’s cybersecurity landscape.
A focal point of the updated framework is its comprehensive coverage of supply chain risks. It outlines the complexities involved in outsourcing technologies and services across geographically dispersed and diverse ecosystems, underscoring the need for robust cybersecurity supply chain risk management (C-SCRM). C-SCRM is presented as a systematic approach to identifying, assessing, and mitigating cybersecurity risks within the supply chain through strategic planning and policy development.
Accompanying the framework, NIST also introduced Quick Start Guides (QSGs) to aid organizations in the practical implementation of the framework’s guidelines. These guides offer actionable insights and notional examples for achieving the desired outcomes specified in the CSF 2.0 subcategories, further enriching the framework’s utility and applicability.
In the development process of the updated framework, NIST engaged in an extensive consultation phase, incorporating feedback from a wide range of stakeholders. Although not all suggestions were incorporated verbatim, the collaborative effort led to a refined and consensus-based framework. According to Locascio, this process of open dialogue and transparency not only enhanced the framework but also fostered a sense of trust and community among stakeholders.
The release of the updated NIST cybersecurity framework represents a significant stride towards enhancing governance and supply chain security in an increasingly interconnected and digitalized global landscape. It provides a strategic blueprint for organizations aiming to bolster their cybersecurity defenses and manage supply chain risks more effectively.