In 2014, the National Institute of Standards and Technology (NIST) created a Cybersecurity Framework (CSF) that guides organizations in their journey towards developing secure computer systems. It sets a flexible foundation that all businesses can follow and sculpt to their needs. For this reason, it is extremely successful and is employed by a large number of organizations.
The Framework is divided into five parts: identifying capabilities and vulnerabilities, protecting and securing vital infrastructure, detecting security threats as soon as possible, responding to breaches properly, and recovering quickly and efficiently with as little downtime as possible.
Five years later, in April of 2019, NIST released the updated Cybersecurity Framework Version 1.1, which aims to identify and improve some key areas of the Framework. The Roadmap for CSF Version 1.1 states that, in an effort to make the most of the Framework, NIST collaborated with both public and private entities to "facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks."
Accordingly, the research that went into the new version includes, but is not limited to, a Request for Information (RFI), an analysis of the RFI's results, workshops and conferences discussing the Framework, and a draft proposal of Version 1.1 along with a Request for Comment (RFC). NIST describes the CSF as a "living document" that "will continue to be updated and improved with the input and feedback from industry, government, and academia."
Some of the changes include:
Authentication and Supply Chain Risk Management have been added to the Framework
The research that emerged from ongoing initiatives is now embodied in Version 1.1 of the Framework. This includes topics such as Authentication and Supply Chain Risk Management. Similarly, topics listed in the aforementioned Roadmap are likely to evolve and be incorporated into future versions of the Framework. They include the lifecycle of cyber attacks, IoT, and cybersecurity in relation to small businesses.
The Framework is now adopted and leveraged by federal agencies
Significantly, some of the changes made to the Framework are legal in nature. A number of federal requirements are now related to how federal agencies adopt cybersecurity and the Framework. This is just one of many examples of how NIST and the Framework are leveraged by the federal government.
The CSF is now adopted internationally
Additionally, because the Framework adopts and references many internationally accepted standards and practices, organizations within and outside the US can now leverage the Framework globally. One of the struggles commonly faced by international enterprises is the lack of a common cybersecurity taxonomy and standards. Different countries are trying to create their own, but the Framework makes global collaboration possible.
The Framework is becoming more accessible through translation
Moreover, NIST has played an active role in government-to-government collaborations that promote and support international use of the Framework. As a result, the CSF has been translated into at least four languages and is in the process of being translated into many others. Additionally, countries like Uruguay are basing their own frameworks on the CSF.
The Framework provides guidance to small businesses
The importance of small businesses to a country's economy is undeniable. Consequently, vulnerabilities that affect even a small number of them can lead to the downfall of a large part of the private sector. NIST recognizes this and is currently working with the federal government to raise awareness of cybersecurity and the Framework through webinars and other techniques. It has recently launched the Small Business Cybersecurity Corner, a site that offers small businesses clear, consistent and easy-to-implement tips to better protect themselves from cyber crime. NIST also recognizes that accessibility and awareness are some of the greatest barriers to cybersecurity. Accordingly, it strives to provide Framework users with valuable information, including success stories, FAQs, events, webinars and other additional resources, via its online learning catalog.