|Image credit: N. Hanacek/NIST
Those who are familiar with the CNYRIC’s Data Privacy and Security Service (DPSS) may also be familiar with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). The original iteration of the framework, which was created in 2014, stretched 108 standards across five core tenets: Identify, Protect, Detect, Respond, and Recover. These best-practice standards were designed to help entities effectively safeguard their own cybersecurity framework(s), while promoting strategies for effectively dealing with cybersecurity breaches, learning from them, and working to alert affected stakeholders.
- The framework’s scope has expanded - explicitly - from protecting critical infrastructure, such as hospitals and power plants, to providing cybersecurity for all organizations regardless of type or size. This difference is reflected in the CSF’s official title, which has changed to “The Cybersecurity Framework,” its colloquial name, from the more limiting “Framework for Improving Critical Infrastructure Cybersecurity.”
Until now, the CSF has described the main pillars of a successful and holistic cybersecurity program using five main functions: identify, protect, detect, respond and recover. To these, NIST now has added a sixth, the govern function, which covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership.
The draft provides improved and expanded guidance on implementing the CSF, especially for creating profiles, which tailor the CSF for particular situations. The cybersecurity community has requested assistance in using it for specific economic sectors and use cases, where profiles can help. Importantly, the draft now includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, to use the framework effectively.
These proposed adjustments are the result of a request for feedback solicited by NIST back in February of 2022. Most notably, the framework would add a sixth core tenet - “govern” - and these changes were proposed primarily to accommodate feedback from respondents requesting that the framework provide guidance on how to stay more agile and responsive to keep up with the ever-changing threat landscape. The NIST will continue to accept public feedback on the proposed changes through Nov. 4, 2023. It should also be noted that these changed, if adopted by the NIST, will not necessarily affect school districts within the CNYRIC service area unless/until they adopted by the New York State Education Department's Board of Regents.
To learn more about the NIST CSF, head over to the NIST website. To learn more about the Data Privacy and Security Service - and how the CNYRIC weaves the cybersecurity framework into its own day-to-day, please email call Steven Tryon at 315.433.2280.