Questions About NIST CSF 2.0
The NIST Cybersecurity Framework (CSF) 2.0 is designed to help organizations of all types, including financial institutions (FIs), manage and reduce cybersecurity risk. Compared with its previous iteration, CSF 2.0 places considerably more emphasis on governance (adding a new Govern Function) and on supply chain risk management. The framework provides a structured hierarchy of Functions, Categories, and Subcategories that describe high-level cybersecurity outcomes:
- Functions: Govern, Identify, Protect, Detect, Respond, and Recover.
- Categories: Related outcomes within each Function.
- Subcategories: Specific activities and outcomes that support each Category.
The framework is technology-neutral and can be tailored to fit the unique needs and objectives of any organization, regardless of size or sector.
Artificial Intelligence (AI) is on everyone’s mind of late and is a concern for FIs that want to be proactive in addressing AI-related risk. CSF 2.0 does not provide AI-specific guidelines; however, it encourages organizations of all types to adapt and enhance their cybersecurity practices to address the evolving AI-related risk environment.
For FIs specifically, this requires visibility into existing third-party relationships and into products or services that may incorporate AI. Adding AI-use questions to your third-party due diligence is a good starting point; for example, many core providers use AI in their fraud detection solutions. It also means setting internal standards for what employees may enter into generative AI tools such as Microsoft Copilot and ChatGPT, particularly nonpublic personal information (NPI) and proprietary data. More generally, FIs should incorporate AI considerations into their IT/IS risk assessments, threat modeling, and security control strategies to safeguard against the vulnerabilities and threats associated with AI systems. Until federal regulatory agencies issue more definitive guidance, addressing AI risk will require an evolving, flexible best-practices approach. In the interim, staying alert to change and engaging trusted technology service providers (TSPs) and compliance advisors can help your organization build proactive strategies for this evolving area of risk.
The CSF 2.0 framework provides a comprehensive approach for understanding, assessing, prioritizing, and communicating cybersecurity risks. This starts with creating CSF Organizational Profiles that describe an institution’s current and target cybersecurity postures. By leveraging CSF Tiers, community banks and credit unions can gauge the maturity of their cybersecurity risk management practices:
- Tiers: Ranging from Tier 1 (Partial) to Tier 4 (Adaptive), Tiers help describe how formally and rigorously an organization manages cybersecurity risks.
Profiles and Tiers encourage a systematic method for identifying gaps between current and desired cybersecurity outcomes and prioritizing actions for improvement.
NIST provides an expansive suite of online resources to assist in the adoption and use of CSF 2.0. These resources are continually updated and include:
- Informative References: Guidance linking CSF outcomes to established standards, guidelines, and regulations.
- Implementation Examples: Action-oriented steps to achieve specific cybersecurity outcomes.
- Quick Start Guides (QSGs): Brief, actionable documents aimed at facilitating the implementation of the CSF for various audiences and contexts.
These resources are accessible via the NIST CSF website and are invaluable for structuring and streamlining cybersecurity efforts.
One of the key strengths of CSF 2.0 is its capacity to improve risk communication within and outside an organization. The framework provides a common language that facilitates better communication between executives, managers, and practitioners. By aligning cybersecurity activities with strategic business objectives, community banks and credit unions can ensure that cyber risks are effectively communicated and managed at all organizational levels. The standardized terminology and structured approach aid in making informed decisions about cybersecurity expenditures and actions, whether for internal governance or third-party oversight.
CSF 2.0 is designed to complement existing frameworks and risk management programs, including enterprise risk management (ERM). It helps translate cybersecurity terminology into the general risk management language that executives understand, making it easier to integrate cybersecurity into the broader risk management portfolio. The resources below offer guidance on choosing frameworks and tools and on achieving that integration:
Related Resources