{"id":6747,"date":"2023-10-13T09:06:31","date_gmt":"2023-10-13T07:06:31","guid":{"rendered":"https:\/\/partnernews.sophos.com\/en-us\/?p=6747"},"modified":"2023-10-12T17:07:19","modified_gmt":"2023-10-12T15:07:19","slug":"nist-csf-cybersecurity-framework-2-0-is-just-around-the-corner","status":"publish","type":"post","link":"https:\/\/partnernews.sophos.com\/en-us\/2023\/10\/resources\/nist-csf-cybersecurity-framework-2-0-is-just-around-the-corner\/","title":{"rendered":"NIST CSF (Cybersecurity Framework) 2.0 is just around the corner"},"content":{"rendered":"<p>The US National Institute of Standards and Technology (NIST)\u00a0<a href=\"https:\/\/csrc.nist.gov\/News\/2023\/nist-releases-cybersecurity-framework-2-0-draft\" target=\"_blank\" rel=\"noopener\">has released a draft<\/a>\u00a0of the Cybersecurity Framework 2.0 for public comment before its 2024 release.<\/p>\n<p>What\u2019s changing? The scope of the framework has been expanded for use by all sectors and is not limited to critical infrastructure organizations anymore.<\/p>\n<p>The 2.0 draft addresses modern-day threats by bringing increased focus to issues such as supply chain security and elevating the importance of corporate governance as a new function in the framework.<\/p>\n<h2>Expanded focus from US critical infrastructure to global organizations<\/h2>\n<p>First issued by NIST in 2014, the \u201cFramework for Improving Critical Infrastructure Cybersecurity (CSF)\u201d focused on securing the United States\u2019 critical infrastructure. 
However, it proved helpful to organizations of all sizes, sectors, and stages of business.<\/p>\n<p>The Cybersecurity Framework 2.0 has therefore dropped the focus on critical infrastructure and changed the title to the commonly used term \u201cCybersecurity Framework (CSF).\u201d The change reflects the framework\u2019s global relevance and its adoption by organizations worldwide.<\/p>\n<h2>Why is NIST CSF 2.0 important for those in the know?<\/h2>\n<p>The NIST Cybersecurity Framework is a powerful tool for businesses and organizations looking to improve their information security and better manage their cybersecurity risks.<\/p>\n<p>By adopting a uniform approach built on established standards and industry best practices, businesses can use the NIST CSF to demonstrate that their cybersecurity program follows recognized practice. Note that the CSF is a risk-management framework, not a certification: alignment with it shows that risks are being managed systematically, but it is not by itself proof that networks and systems are protected from cyber threats.<\/p>\n<p>Adhering to the NIST CSF can simplify compliance with other security standards and frameworks, such as the PCI DSS and the Sarbanes-Oxley Act (SOX). Implementing the security controls in NIST SP 800-53 aligns an organization directly with the Federal Information Security Modernization Act (FISMA) and Federal Information Processing Standard Publication 200 (FIPS 200).<\/p>\n<h2>What\u2019s new in 2.0?<\/h2>\n<p>The CSF 2.0 draft includes many significant changes to bolster defenses against modern, advanced cyber threats. The following are the most notable changes:<\/p>\n<p>To emphasize cybersecurity governance,\u00a0<strong>a sixth function, Govern<\/strong>, has been added in the 2.0 draft. Govern joins the five existing core functions of the NIST CSF: Identify, Protect, Detect, Respond, and Recover. With this new function, the focus is on the people, processes, and technology each organization needs to make and execute cybersecurity decisions. 
While the previous CSF version specified what needed to be done, it lacked focus on the people overseeing those tasks and the policies and procedures governing those controls.<\/p>\n<p>The Govern function introduces\u00a0<strong>a new category for supply chain risk management<\/strong>\u00a0and secure software development. This category breaks into 10 subcategories and enables organizations to identify, establish, manage, and monitor supply chain risk management processes.<\/p>\n<p>The 2.0 draft\u00a0<strong>updates the resources and Informative References<\/strong>\u00a0carried over from the older CSF versions. This includes references to the NIST Privacy Framework, NICE Workforce Framework for Cybersecurity (SP 800-181), Secure Software Development Framework (SP 800-218), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161r1), Performance Measurement Guide for Information Security (SP 800-55), Integrating Cybersecurity and Enterprise Risk Management (NIST IR 8286) series, and the Artificial Intelligence Risk Management Framework (AI 100-1).<\/p>\n<p>NIST has launched the\u00a0<strong>CSF 2.0 Reference Tool<\/strong>, which offers human- and machine-readable versions of the Cybersecurity Framework 2.0 and allows users to view and export portions of the draft\u2019s functions, categories, subcategories, and implementation examples using key search terms. In its finalized form, the tool will include Informative References, which will help show the relationship between the CSF and other cybersecurity frameworks, standards, guidelines, and resources.<\/p>\n<p>For easier adoption of the CSF, NIST provides increased guidance on CSF implementation using\u00a0<strong>Implementation Examples,<\/strong>\u00a0which offer real-world use cases and actionable guidance for each function\u2019s subcategories, helping organizations implement the framework effectively. 
Similarly, Framework Profiles guidance has been considerably expanded to offer advice on how and for what purposes Profiles can be used, helping organizations tailor the CSF to their unique organizational contexts.<\/p>\n<h2>Timeline for the CSF 2.0 draft completion<\/h2>\n<p>NIST hosted the third and final workshop on CSF 2.0 on September 19 and 20, 2023. While it does not intend to release another draft of the CSF 2.0 for comment, public comments and feedback on the\u00a0<a href=\"https:\/\/csrc.nist.gov\/pubs\/cswp\/29\/the-nist-cybersecurity-framework-20\/ipd\">Draft of\u00a0the NIST Cybersecurity Framework 2.0<\/a>\u00a0and related implementation examples are accepted via\u00a0<a href=\"mailto:cyberframework@nist.gov\">cyberframework@nist.gov<\/a>\u00a0until November 4, 2023.<\/p>\n<h2>Conclusion<\/h2>\n<p>Sophos\u2019s midyear\u00a0<a href=\"https:\/\/news.sophos.com\/en-us\/2023\/08\/23\/active-adversary-for-tech-leaders\/\">Active Adversary Report<\/a>\u00a0documented the attacker techniques seen most often in incident response engagements, such as credential compromise, vulnerability exploitation, Active Directory server compromise, and unauthorized RDP access. The threat landscape is shifting rapidly, and organizations need a structured framework like the CSF to prioritize their defenses against it.<\/p>\n<p>At a time when the threat landscape is evolving, a makeover of the world\u2019s leading cybersecurity guidance is inevitable. Built in close collaboration with the community, CSF 2.0 is intended to help more organizations manage and improve their cybersecurity programs to defend against advanced threats.<\/p>\n<p><strong>With Sophos, you can help<\/strong>\u00a0organizations in their efforts to align with the\u00a0<a href=\"https:\/\/assets.sophos.com\/X24WTUEQ\/at\/pcxhcspjp7w9f79m4xqg4zq3\/sophos-nist-compliance-card.pdf\">NIST CSF<\/a>\u00a0and other\u00a0<a href=\"https:\/\/www.sophos.com\/en-us\/solutions#compliance\">cybersecurity frameworks<\/a>. 
We offer a prevention-first approach that reduces breaches, adapts defenses in response to attacks, and improves detection and response. Enabled by our powerful XDR platform, Sophos offers cybersecurity as a service with Sophos MDR, delivering 24\/7 threat detection and response, expert-led threat hunting, and full-scale incident response \u2013 all available to be customized to an organization\u2019s specific needs.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With Sophos, you can help organizations in their efforts to align with the NIST CSF and other cybersecurity frameworks.<\/p>\n","protected":false},"author":59,"featured_media":6748,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3],"tags":[119,276],"coauthors":[98],"class_list":["post-6747","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-resources","tag-compliance","tag-nist"],"jetpack_featured_media_url":"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2023\/10\/NIST.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/posts\/6747","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/users\/59"}],"replies":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/comments?post=6747"}],"version-history":[{"count":1,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/posts\/6747\/revisions"}],"predecessor-version":[{"id":6749,"href":"https:\/\/partnerne
ws.sophos.com\/en-us\/wp-json\/wp\/v2\/posts\/6747\/revisions\/6749"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/media\/6748"}],"wp:attachment":[{"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/media?parent=6747"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/categories?post=6747"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/tags?post=6747"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/coauthors?post=6747"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}