Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: NIST Cybersecurity Framework 2.0 is Live!
Quick Take
On this episode of Compliance Unfiltered – It’s finally here! NIST Cybersecurity Framework 2.0 has finally been released and the CU guys are going to give you the full breakdown.
What’s new? What’s different? What is going to make the biggest difference in the way you approach NIST CSF?
All these answers and more on this week’s Compliance Unfiltered!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the Hemi inside of your compliance muscle car, Mr. Adam Goslin.
How the heck are you, sir? I’m doing good, Todd. How about yourself? Then I can’t complain. Today, we’re going to chat about something that is really exciting. I always like new stuff here on Compliance Unfiltered, and I’m sure our listeners do, too. Today, we’re going to chat about the new NIST Cybersecurity Framework 2.0. Tell us a little bit more about the updates.
Adam, at a high level. Sure. So the NIST Cybersecurity Framework, short form CSF, just had its first major update since it was introduced initially in 2014.
For that reason alone, it’s kind of a big deal. There’s been a lot changing in the cybersecurity and compliance space over the course of the last decade. And a lot of people would say that this update was well overdue, shall we say. So NIST spent several years in discussions, public discourse. And their goal was to help all organizations with managing and reducing risk, not just those in critical infrastructure. That was kind of the original audience for kind of the first version, if you will. So, you know, considering that the, you know, the NIST frameworks are some of the most commonly used standards in the cybersecurity industry, you know, it’s a good thing for us to chat through changes that they made to the standard and what they mean for, you know, for your organization, you know, etc. And, you know, really, if you weren’t already compliant under, you know, the original NIST framework, you know, should you, should you go about doing it at this stage of the game?
Well, give us more insight or, excuse me, why did they issue these updates in the first place? I know that it’s not just about having a new version of the standard. What was the real kind of catalyst for the changes? Yeah, so the overall objective is to provide a framework that organizations can leverage in their drive to improve their cybersecurity posture. So unlike CMMC, the NIST CSF 2.0 isn’t geared only to government or DOD vendors. Instead, it’s really a framework that’s intended to be appropriate for any organization. The NIST CSF was originally called the Framework for Improving Critical Infrastructure Security. Doesn’t really roll off the tongue. No, it’s a little wordy. What is that, ICIC or something? I don’t know. Anyway, so as the name indicates, it was originally directed at critical infrastructure organizations. But when they moved over to 2.0, they then changed the name of it over to the Cybersecurity Framework, reflecting that shift to broader usage. And NIST has generated guidance that’s designed to cover organizations of all sizes, sectors, maturity levels. They’re placing an emphasis on really enabling smaller organizations to effectively use NIST as a framework for their organization.
Well, give us more insight as to the expanded and updated controls. What did they actually change? Yeah, so under the prior version, the NIST framework included these five core functions or control areas: Identify, Protect, Detect, Respond, Recover. And for Identify, it was really looking at discovering elements that would potentially cause risk to the business, vulnerabilities, security weaknesses, etc. And for Protect, they were implementing safeguards to reduce those cybersecurity risks. Detect was a section governing discovery of exploits that could potentially cause risk in the future or are causing risk now, zero days, in-progress attacks, that type of thing. Respond was to take action against discovered areas of potential compromise. And then Recover was, you know, restoring operations to a pre-incident state using disaster recovery or business continuity plans. NIST did some restructuring of those five core functions, outlined some key goals for each of those, but the big change was an introduction of a new sixth function, namely Govern. So that’s where you’re focusing on establishing the cybersecurity policy, expectations, and strategy. So the Govern function consists of several categories that were shifted from the previous five core functions, and this then also expanded the Govern function to kind of make it more robust. So the purpose for Govern is to better address the cybersecurity risk management, specifically the approach to risk management, expected outcomes, required policy statements, etc. And so the new function reflects kind of NIST’s commitment to increasing the importance of governance under the NIST CSF 2.0 framework, aligning cybersecurity with the overall kind of enterprise risk. So outside of creating that new Govern function, they also aligned key goals for each of the functions so that the framework’s more coherent, providing linkages between the various core functions.
You know, and the idea is that each of those core functions is kind of its own independent component of the overall cybersecurity strategy.
Well, let’s talk about profile changes. Well, they implemented a greater depth around what they call profiles. So a profile is an alignment of the functions, categories, and subcategories with the business requirements, risk tolerance, and resources of the organization. So, you know, the new version is recommending, you know, organizations will create the organizational profiles describing the company’s current cybersecurity maturity, as well as their target maturity, and the idea is to set a goal and then define a plan to get there. So the NIST 2.0 also introduces community profiles. So those address shared cybersecurity interests and goals of organizations in the same industry with similar technologies or with similar types of threats. So the version 2.0 includes some in-depth examples of profiles, detailed steps for creating and using them. NIST also provides a profile template so that you can generate profiles that will help achieve the outcomes that are detailed in those core function requirements.
Now we’ve spoken about perspective certs before. Prescriptive? Excuse me, prescriptive certs before. Also, perspective certs before. How prescriptive is the new standard? Yeah, just a, just a couple letters different, you were close there. Hey, listen, if I didn’t give you crap, everybody would think there’s something wrong with me. So no, the, you know, the highly prescriptive standards are ones that are very explicit in terms of their requirements. There’s, you know, there’s little wiggle room for, you know, kind of forging your own path, because everything’s kind of prescribed for you. If you’re looking for a really highly, you know, prescriptive standard that’s robust and comprehensive, then, you know, PCI DSS is typically where I’ll point people to. More often than not, people get confused about using that because, well, that’s a standard for credit cards. Well, guess what, you know, go use PCI DSS with a scope of sensitive data and substitute every, you know, credit card reference or card data reference over to sensitive data, and boom, you’ve got something. It’s, you know, readily leverageable. You know, you kind of go to the other end of the spectrum, let’s use HIPAA as an example. It is astoundingly directional. You know, it kind of gives you a, you know, it points you in the right general direction to an end goal, but, you know, there’s, there’s less clarity around, well, how exactly do I go about getting there? You know, that’s a, you know, it’s, it’s how you get there is less important to that standard than the question of whether your system measures up to that end goal. So in terms of kind of the NIST CSF 2.0, you know, and where it falls in the, into the spectrum, you know, it’s certainly not as directional as HIPAA, but, you know, in the same sense, it’s nowhere near as prescriptive as something like PCI,
you know, would be. You know, the more directional the standard, then the more that you have to do, put a lot of thought into how do I wanna go about doing this and planning out for how am I gonna go about implementing this in a manner that is going to be deemed acceptable under the standard.
So, you know, if you’re going up against a prescriptive standard already, then the good news is that the lion’s share of the, you know, of the work is already done. You know, you’re gonna find it a lot easier to, you know, to map your existing control sets, you know, from a highly prescriptive standard down toward more of a directional standard, you know, because you’ve already got all those controls in place. You know, if your organization is subject to, you know, a multitude of different standards, you know, one of the recommendations I give to folks is, you know, the TCT portal does have the capability for doing mappings between your various standards, and it will automatically, you know, assist organizations with being able to keep their multiple standards organized, getting them, you know, kind of aligned with one another, etc.
Well, how should organizations go about thinking through if NIST CSF 2.0 is right for them? Well, the one important element to keep in mind is that it isn’t a required framework for a particular industry. It’s a standard that’s available for use. You know, the broad applicability doesn’t necessarily mean it’s going to be a best fit for every organization out there.
You know, kind of the nuances that, you know, that come into play with, you know, with the kind of directional capabilities you get with NIST CSF 2.0, it can make it very frustrating for, you know, for organizations to implement, you know, especially if they’re new to the compliance arena. You know, for organizations that are already compliant with something that’s prescriptive, adopting, you know, something like NIST CSF 2.0, layering that on, it’s not a difficult task. You know, there just won’t, there won’t be, you know, much benefit to that organization that PCI isn’t already covering, you know, type of a thing.
So, you know, one thing for folks to consider when they’re about implementing, you know, NIST CSF 2.0, you know, NIST has a multitude of standards. They tend to be kind of tightly coupled with one another. So, you know, if you’re going down the path of implementing one of the NIST standards, you know, then you’re gonna find, you know, the controls are referencing other NIST standards. And so, you know, trying to get compliant with one means that, you know, now we’re cross-mapping, you know, these various other standards. I describe it to people as kind of, you know, you’re heading into, you know, almost like a spiderweb, right? You know, this standard leads to that one and that standard references these two. And, you know, it seems like it’s just, you know, kind of splaying out and it starts to get, you know, pretty challenging as you kind of go down that path, especially for the uninitiated, which is similarly the case with NIST CSF 2.0. So more often than not, the biggest reason organizations are heading down the NIST CSF compliance route is because maybe they’ve got a key client or a key prospect that happens to have that as one of their requirements that they wanna have implemented for the folks that they work with. That’s usually one of the, kind of one of the driving factors, if you will.
Well, which organizations should be using a well-qualified security and compliance consultant? Well, if your organization doesn’t have it, and let me put it to you this way, the vast majority of, especially, I’m gonna call it, small to mid-sized organizations, it’s amazingly unlikely that they have somebody on staff that has been to the compliance rodeo across numerous standards, across numerous industries, across numerous kind of configurations and setups, etc. And we’ve got other, we’ve done a lot of work at TCT about trying to guide people away from just nominating some poor soul in IT. Just because they can spell IT doesn’t mean that they’re necessarily the expert in security and compliance. And a lot of people in kind of the various realms of either ownership or leadership at organizations don’t seem to kind of make that connection. But if you are very likely, as most organizations, not to have somebody that is an expert in security and compliance across a bunch of different standards, I would absolutely recommend that they go down the path, get some type of a security compliance consultant to give you a hand with navigating the waters. You know, otherwise, you’re going to find yourself, you know, digging through, you know, spending a whole bunch of time digging through the spiderwebs of the standard and trying to get your arms around it.
You know, just trying to get, you know, a solid understanding of the framework is going to be a job in and of itself. And that’s before you even start heading down that path. You know, being able to rely on a compliance consultant that you can confide in, that’ll be on your side, that’s going to give you, you know, good advice, you know, etc.
You know, if they’ve been down this path, it’s going to be a huge shortcut. And it’ll go a long way to, to kind of helping organizations save their, their time, save their precious resources, you know, if you will, and, you know, get through things in a far more sane fashion, shall we say.
Okay. Parting shots and thoughts for the folks this week, Adam. Well, as you go down the rabbit hole of evaluating the NIST CSF 2.0, it does come with important updates and expansions that companies can benefit from. Not every company needs NIST CSF 2.0, but it’s a solid framework for those organizations that need to fulfill those contractual obligations. So, you know, we do have a link off of our website blog on this topic out to the NIST CSF 2.0 resource center, so if they want to go click there, they can check out the blog and there’s a link in that blog there. But that’ll basically bring them to the NIST site. I’ll tell you what, I’ll just read it off while we’re here. It’s www.nist.gov forward slash cyberframework. So if they… No free ads. Yeah, yeah. And I’ll just say, I’ll give the listeners, make it a little bit easier on them. But no, if you go there, that’s NIST’s official website for CSF 2.0. There’s all sorts of various things on there, helpful tools, resources to be able to leverage to get started, etc. But again, I would underscore to organizations, and especially the uninitiated: I went through 18 dimensions of hell the first time that I had to go down the security and compliance path, even as somebody that had been in the IT space for a good several decades before I was faced with this opportunity. And I’ll tell you what, man, that was seriously eye-opening. So take advantage of getting the directional guidance and assistance of a good consultant. That’s going to go a long way to making things far more sane as you head down the path.
Tremendous. And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow, and I’m Adam Goslin. I hope we helped to get you fired up to make your compliance suck less.