As most of you who follow me know, the CSF v2.0 was published yesterday (2/26/2024). The new version is the first update since 2018, and the first major update since initial publication in 2014. For the last decade, the CSF has been the de facto standard for cybersecurity risk management. STLLC uses the CSF to organize and communicate about cybersecurity in pretty much every context. It is a great tool; I was part of the author team for 1.0 and 1.1, and I continue to stand by it.
With the update, the major change is the addition of the “Govern” Function to the original five: Identify, Protect, Detect, Respond, and Recover. This addition pulls the CSF into alignment with other major NIST risk management frameworks, namely the Privacy Framework, the Artificial Intelligence Risk Management Framework, and NIST SP 800-221A (Information and Communications Technology Risk). All of these frameworks have a Govern function. Therefore, there is agreement across technology domains that Govern is critically important to the management of risk.
Alongside the release of the CSF v2.0, there was a bevy of additional resources I had the opportunity to either write or review. I am excited to help clients use this updated CSF to better their risk management practices. But the main question is: what now?
As far as STLLC is concerned, we are updating our tools, processes, and products to implement CSF v2.0. Current STLLC clients are already aligned with the CSF v2.0 given their adoption of the Cybersecurity Risk Management plans provided by STLLC. New clients will have the peace of mind of knowing we are at the forefront of cybersecurity risk management given our partnership with NIST and our experience delivering standards-based resources.
However, the question of “what now?” is larger than just STLLC. Longtime colleague and friend Karen Scarfone and I have been working to streamline cybersecurity content for years. Karen is the preeminent cybersecurity writer, with more author credits than you can shake a stick at. We agree that it is through concept systems, like the CSF v2.0, that there are opportunities for broader alignment in the cybersecurity space. We use tools like OLIR and CPRT to better connect the cybersecurity content and make it easier for practitioners to get the relevant information they need to manage today’s cybersecurity risks. As Karen adroitly pointed out in her recent blog post, “All the pieces are now in place so that we as a community can work together to create a concept system that benefits us all. Let's do it.”
Let’s do it indeed.