NIST CSF 2.0 Score Converter | Why Your Organisation Should Be Transitioning



NIST Cybersecurity Framework (CSF) 2.0 will support organisations that are struggling with the complexities of identifying and managing cyber threats, protecting assets, and responding to and recovering from incidents.

This blog post will cover key updates that address some of the NIST CSF 1.1 shortfalls, why organisations should transition, and key considerations when adopting CSF 2.0.

A broader spectrum and adoption for all

The adoption of NIST CSF 1.1 by various organisations outside of the US critical infrastructure highlights its effectiveness in creating a shared language for managing cyber security risks.

However, NIST CSF 1.1 also had some limitations in its design and adoption:

  • Complexity for small businesses: Although CSF 1.1 is designed to be scalable, its complexity and the broad scope of its guidelines can be overwhelming for small to medium-sized businesses that may not have the resources or expertise to fully implement the framework.
  • Disparities in control resolution: While the flexibility of CSF 1.1 is a strength because it allows for broad application, it can also be a weakness. Subcategories were often either very granular and specific (e.g. PR.PT-2: Removable media is protected) or very high level (e.g. PR.AC-3: Remote access is managed). As a result, some areas of the framework may have been interpreted very differently by each organisation.
  • Changes to technological and threat landscape: Since CSF 1.1 was released in 2018, new types of cyber threats and technology have emerged. Additionally, businesses have become more reliant on software vendors, increasing their exposure to supply chain attacks.
