Almost 10 years ago, the National Institute of Standards and Technology (NIST) released its five-pillar Cybersecurity Framework (CSF). The purpose of the framework was to “help organizations understand, reduce and communicate about their cybersecurity risk”.
But with changes in the cybersecurity landscape and climate, they felt it was necessary to add a sixth pillar. Now not only does it better address how the cybersecurity world has changed in the last 10 years, but it will also make it easier for organizations to implement the CSF into their current cybersecurity policies. The framework’s lead developer Cherilyn Pascoe said, “With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well.”
The Sixth Pillar
Originally the CSF was developed for use by critical infrastructure organizations, such as the banking and energy industries. But now other sectors are using the framework as well, including schools, small businesses and even some local and foreign governments. To address this broader range of organizations, NIST felt it was necessary to add a sixth pillar – Govern. The main premise of the new pillar “emphasizes that cybersecurity is a major source of enterprise risk and a consideration for senior leadership”.
CSF 2.0 Update
With the expansion of the CSF – adding the sixth pillar – it can provide a cybersecurity framework to all organizations regardless of size or industry.
Before the update, the five pillars were Identify, Protect, Detect, Respond and Recover. With the addition of the Govern pillar, organizations can now use all six pillars to make and execute their own internal decisions in support of their companies’ current cybersecurity strategy.
Another part of the update was the creation of profiles that will help small companies implement the CSF strategy more effectively and efficiently. This part of the update will include instructions on how organizations can leverage technology frameworks, standards and guidelines, not only from NIST but from other sources as well.
The Functions of Each Pillar
According to the NIST Cybersecurity Framework Reference Tool 2.0, the function of each pillar is to:
- Govern: Establish and monitor the organization’s cybersecurity risk management strategy, expectations and policy
- Identify: Help determine the current cybersecurity risk to the organization
- Protect: Use safeguards to prevent or reduce cybersecurity risk
- Detect: Find and analyze possible cybersecurity attacks and compromises
- Respond: Take action regarding a detected cybersecurity incident
- Recover: Restore assets and operations that were impacted by a cybersecurity incident
The Reference Tool drills much deeper into each function, including subcategories and implementation examples, if more information is needed.
The final version of the CSF 2.0 will have much more information than noted here and is planned to be published and released in early 2024.