The National Institute of Science and Technology (NIST) has released NIST Cybersecurity Framework (2.0) (Framework 2.0). NIST released two earlier versions of the Framework for Improving Critical Infrastructure Cybersecurity in 2014 and 2018, designed to put cybersecurity controls in a more functional framework to understand risk and focus cybersecurity efforts.
Framework 2.0 provides guidance to industry, government agencies, and other organizations on how to efficiently manage cybersecurity risks. It organizes cyber control areas into core functions that organizations should aim to have in place in their overall cybersecurity processes: Identify; Protect; Detect; Respond; and Recover. All five were in the older versions of the standard and Framework 2.0 has ushered in a new core function, Govern, identifying that cybersecurity is a key enterprise risk to be managed. Increased focus on cyber enterprise risk governance is a key theme we have seen echoed by other regulators, including the Securities and Exchange Commission, Federal Trade Commission, and New York Department of Financial Services.
Below, we briefly outline each of these core areas, starting with the…
