We recently launched a toolkit based on the draft of Version 2.0 of the NIST Cybersecurity Framework, and I’m delighted to say it’s been well received. Impressively on schedule, NIST has now published the final version of CSF 2.0, so we have updated our NIST CSF2 Toolkit to cater for the changes made between the draft and the final versions. Existing customers will of course get this updated toolkit free of charge.
Based on the amount of feedback NIST received on the draft of CSF 2.0 (all of which it published online), you could be forgiven for expecting the final version to be significantly different. However, NIST seems to have taken the view that the draft, which was derived from a comprehensive series of in-person and virtual workshops held over a timeframe of a year or so, was substantially correct, and the changes made have actually been fairly small.
Firstly, within the new Govern function, they have moved the category Cybersecurity Supply Chain Risk Management to the end of the list of categories. They have also renamed the category Policies, Processes, and Procedures to be simply Policy. All of the remaining functions and categories remain the same. Some of the objective statements for the functions have been revamped; for example, for the Govern function, the draft statement “Establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy” has become “The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored” in the final version. Obviously this is merely a case of rewording rather than anything more significant.
Within the subcategories, there have been some changes to the text. Some of these have just been the replacement of a single word, for example “determined” has generally been replaced with “understood” across the board.
Interestingly, NIST has decided to maintain the numbering of the subcategories from Version 1.1 of the Framework. Where subcategories have been moved or deleted, this means there are now gaps in the numbering. For example, in the subcategory Incident Analysis (RS.AN) the numbering starts at three, misses out four and five, before going from six to eight as follows:
Incident Analysis (RS.AN): Investigations are conducted to ensure effective response and support forensics and recovery activities
Only time will tell whether this leads to confusion amongst users of the Framework.
A new subcategory has been added in Risk Assessment (ID.RA):
And a subcategory that was in the draft has been removed in the final version:
In the draft (and in Version 1.1 before it) there were three columns in the Tiers table:
The last of these has been merged in with the second in the final version of CSF 2.0.
In Version 1.1 of the CSF and to some extent in the draft of Version 2.0, informative references and implementation examples were included in the core description of the framework. In the final version of CSF 2.0 these have been moved out into an online Reference Tool so that they can be updated more frequently.
As part of our ongoing commitment to keep the CertiKit NIST CSF2 Toolkit up to date and relevant, we have amended those documents that are affected by the changes between the draft and the final version of CSF 2.0.
In the main, this has meant that the following documents have been amended:
Where subcategories have changed, the index information in each affected document has also been updated, and references to Version 1.1 of the CSF removed.
The changes between the draft and final versions of the CSF 2.0 have not been major, and the essential structure and most of the wording has been kept. Where tweaks have been made, we have updated the CertiKit NIST CSF Toolkit to ensure it is accurate and reflects the published final version of the CSF 2.0.
Now that the wait is over and the Cybersecurity Framework has been officially revamped, we look forward to increased adoption of the Framework worldwide and to it making a significant contribution to the ongoing fight against cybercrime.
For more information on the latest version of the NIST CSF, our blog post NIST CSF – Here comes version 2 goes into more detail about the changes between V1.1 and V2.0.
Written by Ken Holmes, CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).