Celebrating Governance in CSF
The NIST Cybersecurity Framework version 2.0 has finally landed! I'm really excited about the new Govern function that has been added. A governance function has long been missing from the framework, and this one seems to borrow a lot from higher-level management frameworks like ISO 27001. Adding the governance layer emphasizes the need for both a formalized framework for security and buy-in from stakeholders across the organization.
Organizational Context
Seeing that NIST has made the new "Organizational Context" category (GV.OC) the first set of outcomes in the framework fills me with confidence that the age of holistic security programs is here. It requires that security be integrated across the organization. All five subcategories in this section include the word "understood" in their description, making it an imperative that we communicate what we do in terms everyone understands and appreciates. We've all known for a while now that security is everyone's responsibility, but this framework gives us the language and tools to bring all the departments together.
Every organization is working with limited resources to defend against seemingly infinite bad actors. We can all now rely on the expertise brought to the table by this framework to develop a security roadmap and program informed by the risks to the organization. It also helps to de-duplicate effort by requiring that roles, responsibilities, and authorities be defined for all needs and functions in the information security program (under the GV.RR category).
Supply Chain Risk
The GV.SC category directly addresses the source of so many security incidents these days by defining outcomes for managing an organization's supply chain risk. The recent headlines about an attack on a single company taking out pharmacies across the US underscore the importance of this category. No organization is an island these days, and no organization exists solely on its own merits. We all need to take into account the risks our partners pose to us and either mitigate those risks or, at minimum, account for them in our BC/DR and incident response plans.
Some of these new outcomes will seem daunting to organizations with smaller security programs. For example, GV.RM-06 calls for a "standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks." Following on from previous versions, NIST will be releasing Community Profiles to help organizations implement this. With the new emphasis on broadening the applicability of CSF beyond critical infrastructure, these profiles will hopefully include plenty that apply to private sector companies.