
NIST Releases Cybersecurity Framework (CSF) 2.0

NIST has released an updated cybersecurity guideline addressing governance and supply chain risks. 

 

What happened 

After extensive deliberation, the National Institute of Standards and Technology (NIST) has released Cybersecurity Framework 2.0. This updated framework expands beyond its original focus on critical infrastructure to include the concerns of various organizations.

Initially introduced in 2014, the framework aimed to mitigate cybersecurity risks, particularly for critical infrastructure, under a presidential executive order. The new version, CSF 2.0, retains the original five functions (identify, protect, detect, respond, and recover) while adding a sixth function, govern, and addressing supply chain risks. Developed with stakeholder input and reflecting contemporary cybersecurity challenges, CSF 2.0 offers a reference tool, a searchable catalog, and extensive guidance to help organizations of all sizes implement the framework effectively.

 

Going deeper 

The Cybersecurity Framework (CSF) is a set of guidelines, best practices, and standards developed by the National Institute of Standards and Technology (NIST) to help organizations manage and reduce cybersecurity risks. It provides a structured approach for organizations to assess and improve their cybersecurity posture by identifying, protecting, detecting, responding to, and recovering from cybersecurity threats and incidents. 

According to Cisco, CSF “makes it easier to understand cyber risks and improve your defenses.” CSF guidelines make “cyber-risk management easier, so that you can take the right action right away. It also simplifies the language of cybersecurity so that everyone can understand--both inside and outside your organization.”

 

What was said 

Kevin Stine, chief of NIST's Applied Cybersecurity Division, told Dark Reading that the guideline was “developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad.”

 

Why it matters 

The release of Cybersecurity Framework (CSF) 2.0 expands CSF guidance beyond critical infrastructure to help various organizations address cybersecurity risks. This update includes fresh insights into managing modern threats, introduces a new focus on governance, and addresses the growing concern of supply chain risks. By collaborating with stakeholders, CSF 2.0 ensures relevance and credibility, while its practical tools and resources assist organizations of all sizes in implementing effective cybersecurity measures. 

CSF 2.0 is a valuable step forward in helping organizations strengthen their cybersecurity resilience in today's complex threat environment.

 

FAQs

How does CSF 2.0 apply to healthcare?

CSF 2.0 offers healthcare organizations a structured approach to cybersecurity risk management, helping them safeguard patient information, comply with regulations, mitigate supply chain risks, promote interoperability, and strengthen governance practices.

 

Is CSF compliance mandatory in healthcare?

No, compliance with the CSF is not mandatory in healthcare. The CSF is a voluntary framework developed by NIST to help organizations manage and reduce cybersecurity risks. While the CSF provides valuable guidance and best practices for improving cybersecurity posture, its adoption is not legally mandated for healthcare organizations.

 

Who uses the CSF?

The NIST CSF was originally intended for use by critical infrastructure sectors like healthcare, utilities, and manufacturers. That's why its official title is the Framework for Improving Critical Infrastructure Cybersecurity. But organizations of all sizes, all around the world, have recognized its value and adopted the framework.
