NIST Cybersecurity Framework 2.0: Updates and Impacts for MSPs
The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) has become an essential standard for managing cybersecurity risk across sectors since its introduction in 2014. Developed through collaboration between government and industry, the CSF—and related NIST publications—provides guidelines and best practices that help organizations assess and improve their ability to prevent, detect, and respond to cyberattacks.
Originally aimed at critical infrastructure industries, the CSF has proven valuable in aligning policy, business, and technological approaches for managing cybersecurity risk across any industry. It bridges gaps between business, IT, and cybersecurity teams by providing a common language to communicate priorities, objectives, and metrics.
The CSF’s risk-based approach makes it scalable across organizations of any size or industry. It is especially helpful for small and midsized businesses (SMBs) that may lack the resources for an extensive cybersecurity program. By integrating CSF principles into their operations, businesses can drive cybersecurity maturity in a structured way, following recognized standards.
For managed service providers (MSPs), knowledge of the CSF is critical when servicing clients across sectors. Understanding the core framework functions allows MSPs to assess client environments and provide customized cybersecurity services to reduce risk.
As threats and the cybersecurity landscape at large evolve, NIST has released an updated version of their framework—CSF 2.0. It’s important that MSPs understand these changes and adapt their offerings and practices accordingly.
What is NIST CSF?
The NIST CSF is widely recognized as a standard for managing cybersecurity risks, integrating industry standards and best practices, and providing a common understanding of cybersecurity risks across an organization.
The NIST CSF framework aims to provide organizations with a core set of cybersecurity activities, desired outcomes, and applicable references. It consists of five core functions:
- Identify: This phase involves understanding the systems, assets, data, and capabilities an organization needs to carry out its mission. It includes activities such as asset management, business environment analysis, governance, risk assessment, and risk management strategy development.
- Protect: In this phase, organizations implement safeguards to ensure the delivery of critical services. This includes activities such as access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.
- Detect: This phase involves activities to identify the occurrence of a cybersecurity event. This includes activities such as anomaly detection, continuous monitoring, detection processes, and event detection.
- Respond: In this phase, organizations take action to minimize the impact of a detected cybersecurity event. This includes activities such as response planning, communications, analysis, mitigation, and improvements.
- Recover: This phase involves activities to restore capabilities or services that were impaired due to a cybersecurity event. This includes activities such as recovery planning, improvements, and communications.
Though compliance is mandatory for federal agencies, the NIST framework is voluntary for private sector organizations. However, many companies adopt it to help mitigate and respond to cyberthreats. It may also be used as a basis to satisfy other standards, such as ISO or COBIT.
NIST CSF 2.0 updates
The recent NIST CSF 2.0 framework introduces key updates to reflect the evolving cybersecurity landscape and increase inclusivity for varied organizations.
1. Addition of “govern” function
A major change is the inclusion of a new sixth function called “govern”, encompassing how organizations make informed decisions on cybersecurity strategy. This governance component highlights that cybersecurity poses enterprise risk for leaders, on par with aspects like finance and reputation.
2. Emphasis on continuous improvement
NIST Cybersecurity Framework 2.0 highlights the importance of continuously enhancing cybersecurity practices. This involves regularly developing and updating profiles and action plans, which is critical for adapting to evolving threats and customer needs. Continuous improvement also plays a role in governance by setting measurable goals and identifying gaps during periodic reviews.
3. International focus
NIST has expanded its international collaboration for CSF 2.0, reflecting the global nature of cyber challenges. CSF 2.0 better aligns with globally recognized standards such as ISO27001 and CIS controls.
4. Expanded scope for OT, IoT and cyber-physical systems
While the original framework focused heavily on traditional IT systems, CSF 2.0 acknowledges the convergence of IT and OT. New subcategories, such as supply chain risk management, workforce management, and environmental resilience, address these new landscapes.
Implications for MSPs
The updates in NIST Cybersecurity Framework 2.0 have relevant and important implications for MSPs and their operations. This includes:
1. Governance
The inclusion of the “govern” function requires MSPs to integrate cybersecurity more deeply into organizational strategies and risk management. This function provides a structure for setting information cybersecurity goals, making strategic decisions on how to achieve them, and continuously tracking performance.
By implementing this governance foundation, MSPs can effectively manage risk through the definition of policies, help make strategic decisions, and continuously track performance in meeting information cybersecurity goals.
2. Vendor management
NIST’s updated cybersecurity framework puts more emphasis on supply chain security for both MSPs and their clients. This means carefully managing vendor risks and ensuring the security of any outsourced products and services. They’re basically saying you need to double-check the software and hardware you buy to make sure it’s legit.
Additional considerations for MSPs include:
- Implementing a vendor risk assessment process to evaluate cybersecurity practices and compliance of third-party providers
- Incorporating cybersecurity requirements into contractual agreements and service level agreements (SLAs)
- Monitoring vendors for changes in cybersecurity posture and compliance on an ongoing basis
- Maintaining an inventory of vendors and their access privileges
- Developing incident response plans that cover notification procedures and coordination with vendors
By focusing on supply chain security and formalizing vendor risk management programs, MSPs can better ensure the cybersecurity hygiene of their entire ecosystem. This allows them to provide more robust protection to their clients while meeting the governance goals of transparency and accountability.
3. Asset management
The updated framework provides more objectives and metrics for asset management, an area of increasing importance. This includes developing comprehensive, accurate, and continually updated inventories of IT, OT, and software assets, mapping their connectivity, and managing them based on business context.
For MSPs, this is a cue to expand asset inventories and configuration management components of their remote monitoring and management (RMM) to include detailed software and version information, as well as OT and IoT devices that may not have been tracked before. Automated discovery tools can facilitate maintaining updated asset intelligence.
MSPs should also prioritize assets based on classification, criticality, and business value when planning protection. Not all assets require the same level of security. The “govern” function provides objectives and assessment factors for tracking the percentage of assets inventoried, classified, and managed.
MSPs can develop reports to quantify inventory coverage and track progress over time. Comprehensive asset management aligns cybersecurity efforts with the most critical business needs.
4. Continuous improvement
The updated NIST Cybersecurity Framework places greater emphasis on continuous improvement in cybersecurity. This aligns with the framework’s focus on adaptable solutions tailored to each organization’s unique risks.
For MSPs, continuous improvement means regularly reviewing and updating their cybersecurity services and offerings. As threats evolve and new vulnerabilities emerge, MSPs must continually assess and enhance their protection, detection, and response capabilities.
Key areas for ongoing improvement include:
- Developing updated cybersecurity profiles detailing assets, risks, and security priorities. These profiles provide the blueprint for implementing appropriate safeguards and controls.
- Creating, reviewing, and updating action plans that outline concrete steps to reduce risks and achieve target cybersecurity outcomes.
- Setting clear, measurable cybersecurity goals and identifying any gaps that need to be addressed to reach those goals.
- Conducting periodic reviews of current practices to identify areas for improvement. These reviews should assess the efficacy of controls and progress on defined metrics.
- Using threat intelligence, audit results, and lessons learned to refine strategies, close gaps, and optimize resource allocation.
- By embracing continuous improvement, MSPs and clients can keep cybersecurity strategies aligned with the latest best practices and adversarial tactics.
Conclusion
The updates in the NIST Cybersecurity Framework 2.0 have significant implications that MSPs should start preparing for now. Key takeaways include:
- The addition of the “govern” function emphasizes the importance of integrating cybersecurity into enterprise risk management and setting clear metrics and objectives. MSPs must implement governance practices like formal risk assessments, audits, and executive reporting.
- There is an increased focus on supply chain security and vendor risk management. MSPs must verify software integrity, secure hardware supply chains, and ensure partners adhere to cybersecurity best practices.
- Expanded coverage of IoT, OT, and other cyber-physical systems means MSPs must expand the scope of their services and asset inventory management.
- The framework promotes continuous improvement through periodic reviews, updated plans, and measurable key performance indicators. MSPs should continually refine their offerings.
To capitalize on NIST CSF 2.0, MSPs should begin planning how to integrate the practices into their operations and offerings. Performing gap assessments, expanding asset intelligence, implementing governance programs, and refining service packages will allow MSPs to help their clients improve cybersecurity postures and remain adaptable in a climate of constantly evolving threats.
Don’t wait—start preparing now to implement CSF 2.0.