BLOG

NIST Drafts Major Update to Its Widely Used Cybersecurity Framework

Published On October 26, 2023

Author: Lucas Baiocchi

In the first major update since its inception, the National Institute of Standards and Technology (NIST) will be launching the Cybersecurity Framework (CSF) 2.0 in January 2024.[1] 

In addition to the traditional pillars of identify, protect, detect, respond, and recover, NIST CSF v2.0 will include a sixth pillar, governance. This new pillar emphasizes cybersecurity risk management strategy, expectations, and policy for senior leadership.  

NIST is also expanding the scope of the CSF from protecting critical infrastructure to all organizations, regardless of type or size.  

The new Govern pillar will include the following categories:  

  • Organizational Context (GV.OC): The circumstances - mission, stakeholder expectations, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood (formerly ID.BE) 
  • Risk Management Strategy (GV.RM): The organization's priorities, constraints, risk tolerance, and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions (formerly ID.RM) 
  • Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders (formerly ID.SC). 
  • Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated (formerly ID.GV-02). 
  • Policies, Processes, and Procedures (GV.PO): Organizational cybersecurity policies, processes, and procedures are established, communicated, and enforced (formerly ID.GV-01). 
  • Oversight (GV.OV): Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy. 

You can view a full list of the proposed changes on an interactive website provided by NIST.[2] 

If you want to participate in the public review, you can provide feedback up until November 4, 2023.[3]  

Meditology is updating its NIST CSF Security Risk Assessment (SRA) in anticipation of the January 2.0 release. We are here to support you on your NIST CSF 2.0 journey. 

 

 

Resources

1 https://www.nist.gov/news-events/news/2023/08/nist-drafts-major-update-its-widely-used-cybersecurity-framework 

2 https://csrc.nist.gov/Projects/Cybersecurity-Framework/Filters#/csf/filters 

3 https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-20/ipd 

Most Recent Posts
A Cybersecurity Professional's Guide to HIPAA-Compliant Online Tracking Read More
SOC 2 + HIPAA Examination Read More
Rise of Responsible AI Read More

Featured Blog Posts

A Cybersecurity Professional's Guide to HIPAA-Compliant Online Tracking

Read

SOC 2 + HIPAA Examination

Read

Rise of Responsible AI

Read

Navigating the Future: Unveiling the HITRUST AI Assurance Program

Read

Meditology Services

5256 Peachtree Road NE, Suite 190
Atlanta, Georgia 30341

SUBSCRIBE TO EXCLUSIVE IT RISK MANAGEMENT UPDATES

Sign up to receive the latest information on Meditology Services and IT Risk Management.

© 2024 Meditology Services, LLC. All Rights Reserved | Privacy Policy