Kartikeya Gaur

NIST Releases 2023 Cybersecurity Framework 2.0: Enhanced Digital Defense, Even for SMBs

Updated: Aug 23, 2023

The National Institute of Standards and Technology (NIST) has taken a significant stride in fortifying cybersecurity measures with the release of the draft "NIST Cybersecurity Framework (CSF) 2.0" for public comment. First introduced in 2014 as a shield against cyber risks, this updated version is a response to community input and the evolving security landscape.
Let's dive into the transformative aspects of this framework, which aims to bolster digital resilience, and consider whether these points are relevant to SMBs.

Check out the full report here - https://www.nist.gov/cyberframework


Key Changes in Version 2.0:


1. Enhanced Implementation Guidance: The CSF 2.0 ramps up its practicality with exemplars of action-oriented processes for achieving CSF Subcategories. This augmented guidance facilitates smoother implementation, ensuring that organizations can navigate the cyber terrain with confidence.


2. Enriched Framework Profiles: In its quest to empower organizations, version 2.0 introduces customizable templates for creating profiles and action plans. This tailoring enables a more personalized approach to cybersecurity, enhancing the framework's adaptability across diverse landscapes.


3. Embracing Governance: A novel addition, the "Govern" function, spotlights cybersecurity governance as an essential pillar. This encompasses various aspects, including organizational context, risk management strategy, supply chain risk management, roles, responsibilities, authorities, policies, processes, procedures, and oversight.

4. Synergy with Privacy and Risk Management: Recognizing the interconnectedness of cybersecurity, NIST bridges the gap by providing guidance on integrating the CSF with the NIST Privacy Framework and enterprise risk management. This seamless integration offers a holistic defense strategy.

5. Refined Assessment and Tier Clarity: Version 2.0 refines cybersecurity assessment by homing in on cybersecurity governance, risk management, and third-party considerations. The clarified tiers offer a sharper focus, enabling organizations to ascertain their security posture effectively.

6. Innovative "Improvement" Category: Breaking new ground, the Identify Function welcomes the "Improvement" category. This highlights the commitment to continuous enhancement, instilling a culture of proactive security measures.



Addressing Cybersecurity for Small Businesses


Small Business Compatibility

Is the Framework suitable for small businesses?
Absolutely. The approach was developed with the intention of being applicable across the spectrum of organizations, ranging from the largest corporations to the smallest enterprises.

NIST's Support for Small Businesses

Will NIST offer guidance tailored to small businesses? Are there resources available for organizations initiating their cybersecurity journey?


NIST has a dedicated and ongoing commitment to bolstering cybersecurity for small businesses. This commitment is translated into tangible support through websites, publications, interactive sessions, and events. An excellent resource in this endeavor is the Small Business Cybersecurity Corner website, which serves as a hub for consolidating various government and non-government cybersecurity resources tailored for small businesses. This includes valuable insights from the Federal Trade Commission (FTC) on how small businesses can harness the benefits of the Cybersecurity Framework.


NIST collaborates closely with key stakeholders such as the Small Business Administration, the National Initiative for Cybersecurity Education (NICE), the National Cyber Security Alliance, the Department of Homeland Security, the FTC, and other critical partners.


Small businesses can find substantial value in "Small Business Information Security: The Fundamentals" (NISTIR 7621 Rev. 1), a publication that offers a foundational understanding of pivotal cybersecurity activities. This publication is suggested as an excellent starting point for small businesses. The guide's structure aligns with the Framework's functions, providing a coherent and practical approach.


NIST's efforts to cater to the cybersecurity needs of small businesses are robust and comprehensive, ensuring that even the smallest ventures can embrace effective cybersecurity practices.

