What is the NIST CSF 2.0?

What is the NIST Cyber Security Framework?

The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life.

The NIST Cybersecurity Framework is designed to help organisations of all sizes and sectors – including industry, government, academia and non-profit – manage and reduce their cybersecurity risks. It is useful regardless of the maturity level and technical sophistication of an organisation's cybersecurity programmes. Nevertheless, the CSF does not embrace a one-size-fits-all approach. Each organisation has both common and unique risks, as well as varying risk appetites and tolerances, specific missions, and objectives for achieving those missions. By necessity, the way organisations implement the CSF will vary.

What is the NIST Cyber Security Framework version 2.0?

The NIST Cybersecurity Framework (CSF) 2.0 was published on February 26, 2024. Building on previous versions, NIST CSF 2.0 contains new features that highlight the importance of governance and supply chains. Special attention is paid to ensure that the CSF is relevant and readily accessible by smaller organisations as well as their larger counterparts.

The NIST CSF 2.0 describes high-level cybersecurity outcomes that can be used by any organisation to better understand, assess, prioritise and communicate its cybersecurity efforts. The CSF does not prescribe how outcomes should be achieved. Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes.

What are the main functions of the NIST Cyber Security Framework version 2.0?

The main functions of the NIST Cybersecurity Framework 2.0 are Govern, Identify, Protect, Detect, Respond and Recover. These six functions provide a structured approach to managing cybersecurity risk throughout an organisation's lifecycle.

Here's a more detailed look at each function:

  • Govern (GV):
    The organisation's cybersecurity risk management strategy, expectations and policy are established, communicated and monitored. The GOVERN Function provides outcomes to inform what an organisation may do to achieve and prioritise the outcomes of the other five Functions in the context of its mission and stakeholder expectations. Governance activities are critical for incorporating cybersecurity into an organisation's broader enterprise risk management (ERM) strategy. GOVERN addresses an understanding of organisational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities and authorities; policy; and the oversight of cybersecurity strategy.
  • Identify (ID):
    The organisation's current cybersecurity risks are understood. Understanding the organisation's assets (e.g., data, hardware, software, systems, facilities, services, people), suppliers and related cybersecurity risks enables an organisation to prioritise its efforts consistent with its risk management strategy and the mission needs identified under GOVERN. This Function also includes the identification of improvement opportunities for the organisation's policies, plans, processes, procedures and practices that support cybersecurity risk management, to inform efforts under all six Functions.
  • Protect (PR):
    Safeguards to manage the organisation's cybersecurity risks are used. Once assets and risks are identified and prioritised, PROTECT supports the ability to secure those assets to prevent or lower the likelihood and impact of adverse cybersecurity events, as well as to increase the likelihood and impact of taking advantage of opportunities. Outcomes covered by this Function include identity management, authentication and access control; awareness and training; data security; platform security (i.e., securing the hardware, software and services of physical and virtual platforms); and the resilience of technology infrastructure.
  • Detect (DE):
    Possible cybersecurity attacks and compromises are found and analysed. DETECT enables the timely discovery and analysis of anomalies, indicators of compromise and other potentially adverse events that may indicate that cybersecurity attacks and incidents are occurring. This Function supports successful incident response and recovery activities.
  • Respond (RS):
    Actions regarding a detected cybersecurity incident are taken. RESPOND supports the ability to contain the effects of cybersecurity incidents. Outcomes within this Function cover incident management, analysis, mitigation, reporting and communication.
  • Recover (RC):
    Assets and operations affected by a cybersecurity incident are restored. RECOVER supports the timely restoration of normal operations to reduce the effects of cybersecurity incidents and enable appropriate communication during recovery efforts.

Which organisations can use the NIST CSF 2.0?

The NIST CSF 2.0 framework was developed with a focus on industries vital to national and economic security, including energy, banking, communications and defence. It has since proven flexible enough to be adopted voluntarily by large and small companies and organisations across all industry sectors, as well as by national, regional and local governments.

What are the penalties for non-compliance with the NIST CSF 2.0?

Adherence to the NIST Cybersecurity Framework 2.0 is voluntary. However, evidence that an organisation follows the NIST Framework's best practices may provide a layer of defence against fines under regulations such as the GDPR, by demonstrating the organisation's good-faith efforts in information security.

How Thales helps with NIST CSF 2.0 compliance

Thales can help organisations comply with the NIST CSF 2.0 by addressing essential cybersecurity requirements and automating security, reducing the burden on security and compliance teams.

Other key data protection and security regulations

  • PCI HSM (Global; mandate, active now):
    The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM compliance certification depends on meeting those standards.
  • DORA (Global; regulation, active now):
    DORA aims to strengthen the IT security of financial entities to ensure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.
  • Data breach notification laws (Global; regulation, active now):
    Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction, but almost universally include a "safe harbour" clause.
  • GLBA (Americas; regulation, active now):
    The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
