On February 26, the National Institute of Standards and Technology released the NIST Cybersecurity Framework 2.0, the first major update to the NIST CSF in a decade. As a serious improvement on an already widely respected security framework, it took the cybersecurity industry by storm for its attention to supply chain security and third-party risk.

What is NIST CSF 2.0?

The NIST CSF 2.0 is an update to the original NIST Cyber Security Framework, developed to guide business leaders in organizations of all sizes and industries about cybersecurity. The new version reflects the evolution in IT away from on-premise systems towards cloud and SaaS, with its clear controls for managing the cyber risk of a digital supply chain.

The NIST CSF originated as a response to Barack Obama’s Executive Order 13636 to strengthen the resilience of critical infrastructure essential to national and economic security, such as healthcare, manufacturing and utilities. In the current digital landscape, with the evolution from on-prem and co-location to cloud and SaaS, third parties are now a core technology driving and controlling critical infrastructure. As a result, NIST CSF has been voluntarily adopted by organizations in virtually every industry. CSF is particularly useful because it can be easily integrated with other information security management systems (ISMS), such as those dealing with cybersecurity risk management and assessment, privacy (e.g. NIST Privacy Framework), supply chain risks (including C-SCRM), and risks from emerging tech such as AI (e.g. NIST AI RMF).

NIST CSF 2.0: What CISOs and Security Professionals Should Know

The original NIST CSF framework includes five basic “functions” (Identify, Protect, Detect, Respond and Recover) that articulate to leaders the steps needed to meet the cybersecurity standards in non-technical, business-friendly language.

The two major changes in the NIST CSF 2.0 include:

The New Govern Function

The Govern function, formerly a category within the Identify function, has been promoted to first among the now six functions of CSF 2.0. The categories within the Govern function were previously part of the Identify function as part of the Business Environment and Governance categories, but were moved after much debate and understanding that cybersecurity must be a part of boardroom discussion.

The goal of the new function is to ensure that executives, managers and boards align the overall cybersecurity approach to the business goals of the organization. It also seeks to educate executives that cybersecurity poses as great a risk to the enterprise as financial and reputational challenges. 

The new categories and identifiers of the Govern (FV) Function contain the following controls:

  • Organizational Context (GV.OC)
  • Risk Management Strategy (GV.RM)
  • Roles, Responsibilities and Authorities (GV.RR)
  • Policy (GV.PO)
  • Oversight (GV.OV)
  • Cyber Security Supply Chain Management (GV.SC)

A Full Set of Resources

To assist organizations seeking to make better decisions about their cybersecurity, NIST CSF 2.0 includes a suite of resources, aiding CISOs and security leaders, regardless of their current level of security sophistication. The tools include a CSF 2.0 reference, detailing the new framework in an easily understood format, a searchable catalog, quickstart guides and implementation examples.

How NIST CSF 2.0 Affects Supply Chain Management

The last category of the Govern function specifically addresses how companies can better identify and control third-party risks. As this may be of great interest to our audience, let’s drill down into the last category of the Govern function, Cyber Security Supply Chain Management.

The new categories and identifiers of the Cyber Security Supply Chain Management (GV.SC) Function contain the following controls:

  • Development of a cyber supply chain risk management program (GV.SC-01)
  • Allocation, communication and coordination of cybersecurity responsibilities for third parties, including suppliers, customers and partners (GV.SC-02)
  • The integration of cyber supply chain risk management into the enterprise risk management program (GV.SC-03)
  • Prioritizing suppliers by criticality (GV.SC-04)
  • Addressing cyber risk in supply chains into agreement with third parties (GV.SC-05)
  • Due diligence before starting a third party relationship (GV.SC-06)
  • Review, prioritizing and response to and of risks that third parties expose the enterprise to on an ongoing basis (monitoring) (GV-SC-07)
  • Involving relevant third parties in incident planning (GV.SC-08)
  • Integration of supply chain security practices in cybersecurity and enterprise risk management program (GV.SC-09)
  • Management of “off-boarding” processes when an agreement or partnership with a third party ends (GV.SC-10)

The first few subcategories (GV.SC-1 through GV.SC-3) clearly communicate the importance of supply chain risk management as an essential part of a broader cyber risk management program. The remaining subcategories (GV.SC-4 through GV.SC-10) describe, on a high level, a complete program for supplier risk assessment and management. Perhaps most crucially, GV.RM-05 mandates the open lines of communication about third-party cybersecurity risks that are an essential element for success in any risk management program.

In addition, several new controls in the Identify function address supplier risk assessment:

  • Testing and exercises to identify gaps in procedures and required improvements must include third parties (ID.IM-02), including those done in coordination with suppliers and relevant third parties. 
  • Maintaining inventories of services provided by suppliers (ID.AM-04). 
  • Assessing critical suppliers prior to contracting (ID.RA-10).

The Detect function also has a subcategory that covers supply chain management, DE.CM-06, which ensures that external service provider activities and services are monitored to reveal any potentially adverse events.

How Panorays Helps You Align With and Leverage NIST CSF 2.0

Panorays helps CISOs and security professionals create and operate an integrated and streamlined program conforming to all the third-party related controls in NIST CSF 2.0.

With a business-context approach to third-party cyber risk, it offers:

  • Supply Chain Discovery and Mapping. Panorays reveals your suppliers (including those the security team may not be aware of) and the respective digital supply chains of your third-party suppliers. It maps the evolving threat landscape onto your digital supply chain. 
  • Risk DNA Assessment. We evaluate the unique risks of each third party relationship in the context of your approach and tolerance to cyber risk, using relationship-specific questionnaires, document collection and external attack surface monitoring. Panorays generates a truly trusted risk score, updated and current.
  • Context-Based Continuous Threat Detection. Panorays monitors the attack surface and evolving threats to the entire digital supply chain, prioritizing them based on business context and alerts. 
  • Remediation and Collaboration. We facilitate collaboration with third parties and within your organization to address threats in your third party security and risks to your enterprise immediately.

Panorays AI-driven detection, workflows and analysis help organizations scale their third party cyber programs effectively, comply with regulations and standards (like NIST CSF 2.0) and protect their business from third party cyber risks.

Want to learn more about how to reduce your third-party risk with contextual cyber management? Contact Panorays to schedule a demo today.