It’s no secret that big changes have been made at NIST with the release of their Cybersecurity Framework (CSF) 2.0, the first update to the landmark framework since its inception in 2014. What changed, what does it mean, and will a simplified, more streamlined NIST approach offer the industry a user-friendly alternative to the CIS Controls?

NIST Added a Sixth Function: Govern

The first and most impactful addition to the CSF is the addition of a sixth function: Govern. Now, the key functions are as follows:

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover
6. Govern

Governance activities include making cybersecurity a vital and active part of an organization’s overall enterprise risk management strategy and doing so via:

• Understanding the company’s risk tolerance and appetite
• Getting the players in place and creating policies with improved feedback loops
• Guarding the supply chain with formalized processes

“I think there’s an understanding now, and it’s pretty common across cybersecurity, that if governance is not actively involved, you’re just spinning your wheels,” noted Padraic O’Reilly, founder and chief innovation officer of CyberSaint, to CSO.

In practical terms, this showcases a change in strategy and the realization that top-down buy-in is essential to accomplishing cybersecurity goals. (We agree, and we said as much in our Golden Vector blog.)

In a bubble no longer, the fact that “playing the political game” is vital enough to be canonized in the latest NIST update is significant business. As more and more leaders recognize that any business objectives in the digital age are intrinsically entwined with cyber safety, the push to make cybersecurity strategy part of a company’s overall strategy will only get stronger.

A Push to Simplify: New Resources

In an effort to make their insights more easily accessible, especially smaller organizations making their first formal forays into the cybersecurity space, NIST has offered some simplified resources in the form of Implementation Examples and Quick Start Guides.

The Implementation Examples offer detailed and specific ways to accomplish the Category guidelines, and the Quick Start Guides offer niche help for various use cases like Small Business, C-SCRM, Enterprise Risk Management, and CSF 2.0 Tiers.

However, despite attempts to the contrary, no one will ever blame NIST for being too easy to understand, which brings us to our next point.

Does NIST 2.0 Compete with the CIS Controls?

Obviously, these two are on the same team: NIST is a federal government organization, and the MS-ISAC receives funding from the Feds. And they’re not really the same thing. But NIST’s new Implementation Examples and Quick Start Guides do beg the question: Is NIST trying to be the CIS Controls?

The difference is still in the delivery.

If NIST was hoping for widespread adoption, made easier by their simplified resources and helpful strokes, they are on their way. However, nothing compares to the readability, straightforwardness, and clarity of the CIS Controls when it comes to establishing:

• Which fundamentals need to be put in place for basic cybersecurity
• Where to find the security resources you need
• Guiding you down a path that will result in a solid, foundational cybersecurity framework

The CIS Controls are touted as a way to “simplify your approach to threat protection,” and they deliver on that promise. Each listed Safeguard only requires you to “do one thing,” and by following its guidelines, companies can set up policies to help them comply with the latest privacy regulations, achieve essential cyber hygiene, and demonstrate a reasonable level of cybersecurity.

Which Framework is Right for You?

Notes Jim Long, Managing Partner at The Long Law Firm, PLLC, “The CIS 18 are prioritized, easy to understand, and extremely cost-effective for small to mid-size organizations looking to prove they are secure enough to do business in today’s marketplace.”

Arguably, NIST helps companies achieve the same – even greater. The approach is just different. And so the questions that companies need to ask themselves are,

• Where am I on my cybersecurity maturity journey?
• What can my current team’s skillset and level of experience handle?
• Are we ready to take it to the next level, or are we still building on the basics?

Like the Cheshire Cat said in Alice’s Adventures in Wonderland, if you don’t know where you’re going, it doesn’t matter which way you go. However, once you define your place in space and identify your objectives, the most helpful framework will become clear.

And don’t fret too much about opportunity cost in the meantime. Because the CIS Controls have close ties to the NIST CSF, we might expect to see revisions to the Controls coming soon. And we wouldn’t be surprised if there is an increasing emphasis on top-down buy-in there, too.