What is the NIST Cyber Security Framework?
The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
The NIST Cybersecurity Framework is designed to help organizations of all sizes and sectors, including industry, government, academia, and nonprofit, manage and reduce their cybersecurity risks. It is useful regardless of the maturity level and technical sophistication of an organization’s cybersecurity programs. Nevertheless, the CSF does not embrace a one-size-fits-all approach. Each organization has both common and unique risks, as well as varying risk appetites and tolerances, specific missions, and objectives to achieve those missions. By necessity, the way organizations implement the CSF will vary.
What is the NIST Cyber Security Framework version 2.0?
The NIST Cybersecurity Framework (CSF) 2.0 was published on February 26, 2024. Building on previous versions, NIST CSF 2.0 contains new features that highlight the importance of governance and supply chains. Special attention is paid to ensure that the CSF is relevant and readily accessible by smaller organizations as well as their larger counterparts.
The NIST CSF 2.0 describes high-level cybersecurity outcomes that can be used by any organization to better understand, assess, prioritize, and communicate its cybersecurity efforts. The CSF does not prescribe how outcomes should be achieved. Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes.
What are the main functions of the NIST Cyber Security Framework version 2.0?
The main functions of the NIST Cybersecurity Framework 2.0 are Govern, Identify, Protect, Detect, Respond, and Recover. These six functions provide a structured approach to managing cybersecurity risk throughout an organization's lifecycle.
Here's a more detailed look at each function:
- Govern (GV):
The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. The GOVERN Function provides outcomes to inform what an organization may do to achieve and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder expectations. Governance activities are critical for incorporating cybersecurity into an organization’s broader enterprise risk management (ERM) strategy. GOVERN addresses an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policy; and the oversight of cybersecurity strategy.
- Identify (ID):
The organization’s current cybersecurity risks are understood. Understanding the organization’s assets (e.g., data, hardware, software, systems, facilities, services, people), suppliers, and related cybersecurity risks enables an organization to prioritize its efforts consistent with its risk management strategy and the mission needs identified under GOVERN. This Function also includes the identification of improvement opportunities for the organization’s policies, plans, processes, procedures, and practices that support cybersecurity risk management to inform efforts under all six Functions.
- Protect (PR):
Safeguards to manage the organization’s cybersecurity risks are used. Once assets and risks are identified and prioritized, PROTECT supports the ability to secure those assets to prevent or lower the likelihood and impact of adverse cybersecurity events, as well as to increase the likelihood and impact of taking advantage of opportunities. Outcomes covered by this Function include identity management, authentication, and access control; awareness and training; data security; platform security (i.e., securing the hardware, software, and services of physical and virtual platforms); and the resilience of technology infrastructure.
- Detect (DE):
Possible cybersecurity attacks and compromises are found and analyzed. DETECT enables the timely discovery and analysis of anomalies, indicators of compromise, and other potentially adverse events that may indicate that cybersecurity attacks and incidents are occurring. This Function supports successful incident response and recovery activities.
- Respond (RS):
Actions regarding a detected cybersecurity incident are taken. RESPOND supports the ability to contain the effects of cybersecurity incidents. Outcomes within this Function cover incident management, analysis, mitigation, reporting, and communication.
- Recover (RC):
Assets and operations affected by a cybersecurity incident are restored. RECOVER supports the timely restoration of normal operations to reduce the effects of cybersecurity incidents and enable appropriate communication during recovery efforts.
Which organizations can use the NIST CSF 2.0?
The NIST CSF 2.0 framework was developed with a focus on industries vital to national and economic security, including energy, banking, communications and defense. It has since proven flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, as well as by federal, state and local governments.
What are the penalties for non-compliance with the NIST CSF 2.0?
Adherence to the NIST Cybersecurity Framework 2.0 is voluntary. However, evidence that an organization follows the NIST Framework’s best practices may provide a layer of defense against fines under regulations such as GDPR, by demonstrating the organization’s good-faith efforts in information security.
How does Thales help with NIST CSF 2.0 compliance?
Thales can help organizations comply with the NIST CSF 2.0 by addressing essential cybersecurity requirements and automating security, reducing the burden on security and compliance teams.