NIST updates Cybersecurity Framework after a decade of lessons

After ten years operating under the original model, and two years working to revise it, the National Institute of Standards and Technology (NIST) has released version 2.0 of its Cybersecurity Framework (CSF). Unlike the original, which was designed with critical infrastructure sectors in mind, CSF 2.0's scope has been expanded …

  1. Mike 137

    Finally, they've twigged

    "What's been missing from that group of five is the new sixth function – govern – which has been added in CSF 2.0. "

    It should have been obvious all this time that unless 'security' is an integral part of corporate governance it's bound to fail, if for no other reason than that it will not be considered a high priority by the executive. So it will remain a disregarded and under-resourced afterthought -- what I have for years called "stick-on security". This has widely been the fate of ISO/IEC 27001. It's actually quite a good standard, but in most certified organisations I've attended getting the cert is the priority (as it opens the door to lucrative contracts). The cert however commonly signifies nothing except that a convincing paper trial has been established. It very seldom informs operational security to any significant degree.

    1. fnusnu

      Re: Finally, they've twigged

      "a convincing paper trial" You are not wrong!

  2. Anonymous Coward

    I feel better already /s

    The CSF fosters bidirectional information flow .. between executives .. and managers who manage specific cybersecurity risks that could affect the achievement of those priorities .. The left side of the figure indicates the importance of practitioners sharing their updates, insights, and concerns with managers and executives.

  3. Mike 137

    Less impressed than yesterday

    Having pondered over the NIST documentation overnight, I feel that version 2.0 has been released prematurely. Some serious ambiguities need to be corrected.

    For example, in the primary documentation two different diagrams express the relationships between the functions of the core -- a circular diagram (front cover and page 5) places governance at the centre, implying its direct influence on all the other functions individually (which actually makes a lot of sense), but a linear diagram (page 3) places it at the top of a sequential stack, which makes less sense. Then, the wide flexibility the Quick-Start Guide proposes in the way important information is recorded allows those with muddled thinking to continue their muddled thinking.

    Overall, this framework could deliver good documentation for those who have their security well thought out, but will not assist much those who haven't, as it contains no measures to clarify and focus thinking -- it's essentially an administrative framework, rather than one that will drive practical improvement. It leaves too much to the discretion of the implementer as to what constitutes adequate performance -- for example, under 'govern' GV.RM-06: "A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated.", which doesn't in any way assist in ensuring that the method actually works, just that everyone uses it. Consequently, it's only a 'standard' in the procedural sense, not in the sense of outcomes. What we really need are clearly defined goals to achieve in terms of results and guidance on how to achieve them. Those would be real standards.

  4. Anonymous Coward

    NIST...."stakeholders"......I wonder.......

    Quote: ".....after several years of work with stakeholders....."

    Ah....."stakeholders".....I wonder which three-letter organisations might be hiding behind that single word.
