NIST Version 2.0 Cybersecurity Framework Examined
The US government's NIST published a new version of its Cybersecurity Framework (CSF), calling it a landmark and the first major update in a decade.
In this note, we examine the NIST Cybersecurity Framework (CSF) 2.0: what it is, what it covers, and how physical security operators should take it into account.
***********
***** ********** ** ********** ************* ********** include:
- *** ********** *** ***** ******** ******** Guide
- *** **** ** *** *** ************* Certification ********
- "*.*. ***** ***** ****" *** *** Devices ********
What ** ** ***
****'* ********* ** ********* **** **** existing ********, *********:
- **** ** *** ********* ** ********** an ************'* *************.
- ************* *** ************* ***** ** ** conformant, *** ** ********** ******** ** service ****** ** ******** ****.
- *** **** ********* ** *** ********** to ******** ******* ***************, *** **** it ******** **** ******* *************** ** not *****.
Executive *******
****'* ******************* ********* (*** *.*)***** * *********** ******* **** *** predecessor, *** *.*, ** ** ******* its ************* ****** ******** **************, ****** it ********** ** *** ******** ** organization.
******** ***-************, *** *.* ******** ****-***** guidance ******** *** ************* ** ****** and ******** ************* ***** ** ********** and ************ **** ** * ********** and ********* ******.
***** ************* **** *** *********** ** adapt *** ********* ** ***** ******** needs *** *************, ************** ** *** straightforward. ** **** **** ********* (**** and *****) ** ******** *** ********** current ************* *****, ******* ******** ******** and **********, ****** **************** *** **********, and ******* ******** ******* ** ****** that ********* ********** **** ** ********.
*** *.* **** ********** * ******** that *********** **** *** ********* (********, Protect, ********, *******, *** *******), ********* more ********* ******** ** *** ************* can ********* ************* ******** **** ***** operations.
*** *.* ********* ** * ** page ********:
CSF *.* ** *.* ***** *******
*** *.* *** ******** *** ***** beyond ******** **************, ****** ** ********** to *** ******** ** ************ *** created * *** '******' ********, ***** serves ** *** *********** ** *** framework, ************ *** ******** **** ********** plays ** ******** ************* *****.
** ********, *** *.* ******* *** focus ** ******** ***** ** *** cybersecurity ****** ***** **** * ******** category ** *** "******" ********, *********** the ******* ********** ** ******** ***** associated **** *****-***** ************* *** ************.
******** **** *********** *** *************** **** been *********** ****** *** *** *** 2.0, *** ***** **** ******* ***:
CSF *.* *** ******** ******** *** ***** ************
***** *** *.* ******* ********* ** cybersecurity, *** **********, *** **** ********* can ** ******* ** ******* ******** aspects, ********* ******** ******** *** ***** surveillance **********, ***** ************* *** ******* their ******* ******** *******, ****** ****, and ******* ******** ****** *** ************** from ***** ******* *** ******** ***************.
****** *** ******** ***** ** ***** surveillance *** *** **********, ********* ** cameras *** ***** ********** *******. ******** and ********** ******** ******, ********* ******* such ** ************ ****** ** *********, and *************** ****** *** ************** ** improve ********** ********.
********* ******** ******** ** ******* ***** surveillance **********, ********* ****** ********, ******** configurations ** ******* ************ ****** ** camera ***** ** ***** ********** *******, and ********* ********** **** ** ********* detection ******* *** ********* ** ******* identify ********* ** ******** ******** ** the ***** ************ ***********.
******* ******** *** ******** ********* ******** to ***** ************ ********** **** ********** to ******** ******** *********, ********* ********** actions *** ******** ********** **** ** data ****** *** ********** ** ****** rapid ******** ** ***** ************ ********* after ** ********.
CSF *.* *********
***** *** *** *.* ** ********* for *************,********* ***** *****, ************* *** ************* of ******* ******** *** ******** **************, **** **** ********* ********* *** US ******* ********** ******** *** ****** be * *********** *** *** ***********, vendors, ** ******** **** ** ******** with ** ******* ********** ********.
*******, ** *** ************ *** ************* the ********** ** ************** ***** ********, the ************ *** ** ******* ** serious ***** *******, **** ** **** breaches *** ********* ******* **** *** lead ** ******** *** ************ *********** and ******** ********* **** ****.
CSF *.* ************** *** ***************
*** *** *.* ** *** * one-time ****** ************** *** * ******* process **** ******** ********** ********** *** adaptation, ** ***** ******* ********** ****** and ******* ******** ********* *** ********** of **********.
******** **** ** *** ******** ************** and *********** ** *** ************** ** the ** **********, *** ************'* ********** must ** ******** ** ********* ************* decisions, ********** *** ********** *** ********** of *** ************'* *************, ********* *** video ************ *******, *** ******** *** necessary *********, **** ** ******, ****, training, *** *********.
************* **** ** *********** ********** **** CSF *.*, *** * ************* ********** of *** ************'* ******* ************* ******* is *********, ********* *********** ******** ********, procedures, *** ******** *** *********** ******** assets **** ******* **********.
************** *** ******* ********** ***** *** critical ***** ** ******** ** ************** plan, ***** *** ************ ********** ***** areas ******* ********* ************* *********, ********* video ************, *** ******* ***** ** address ********** ****. **** *** ******* implementing *** ******** ********, ******** ******** policies, *** *********** ********** ********* ** strengthen ************* ******** ****** ******* *** physical *******.
*********** ************* **** ***-**-*** ******** ********** is ******** ** ******** * ********* security *******, **** ************* ************* ************* considerations **** *********** *********, ******** *********** lifecycles, ******** ******** ********, *** ***** surveillance *******.
************* ** ** ******* ****** **** requires ********** ********** *** ***********, ***** regular *********** ** *********** ******** *** proactive ******** ** ***** ** ******** threats *** ******** ** *********** ****** security ******** ** **** ******* *** physical *******.
*********** *** ************** ******* *** ************* progress ** ******** *** ************ *** accountability, **** ******* ******* ******** ****** executives, ***** *******, *** ******** *********** are ******** ** *** ************'* ************* efforts.
************* ****** ******* ******* ******** ***** to ****** **** ********* ********** *** policies **** ** ********, ** **** as ************** ****** ** ******** ************* and ******** *********** *****, ***** ** new *******, *** ****** **** ************* measures ****** ****** *** **-**-****.
CSF *.* **** ********* *** **********
*** *** *.* **** ** * structured ********* *** ************* ******** ********* by ********, ********, *** ***********. ** is ********* ** **** **** ***** results *** *** * ********* ** specific ******* ** ** ***** *** rather ******* * ***** *** ** goals **** ************* *** ****** ** their ***** *** *************.
****** *.* ********* ********** *********** *** ************* ** *** CSF *.* **** *********, ******** **** human *** *******-******** ******** *** ********* options *** *********** **********, **** *** overview:
**** ** *** *** ******** ** CSF *.*, ***** ******* ** **********, prioritizing, **********, *** *********** ************** ************* risk ********** **********, ********, *** ********** to **** *** ********'* ******** *****, where:
'************** *******'******* ** *** ************** *******, ***** it ** ********* ** ********** *** organization's ****** *************, *********** ************, ************, and ******* *****, **********, *** *********** requirements, ***** **** *** ***** *** effective ************* **** ********** *********.
'**** ********** ********'** ******* * ****** **** ********** strategy **** ******** ******** *** ************'* priorities, ***********, *** **** ********* ******, which *** ************ ** ***** *********** risk ********* ***********.
'*****, **************** *** ***********'** ********* *****, ****************, *** *********** within *** ***** ******** ********* *** facilitate *********** ********** ** ***** ********** improvement, ***** ** ** **** ******** to ****** **** **** ********** *********** their **** *** ***** ** ********* in ******** ***** ******** *****.
'******'** ******* ************** ************* ********, ****** communicated *** ************ ********, ** **** each ************** ****** *********** ***** **************** and ******* *********** *********, ********** *** risk ** ******** ********.
'*********'** **** ** ******** *** ************* of ************-**** ************* **** ********** **********, analyze *** ******* *** *********** ********, and **** ********* *********** ** ************ improve *** ******* **** ********** ********.
'************* ****** ***** **** **********'** ****** ************* ***** ****** *** supply ***** ******** * ********** ********, where ************ ****** ****** *** ******** manage ********* ** ********, *********, ******, monitor, *** ******* ***** ****** ***** risk ********** ** ****** *************** *** strengthen *** ************'* ********** ** ********* threats **** *** ****** *****.
******* ** *********** ********* **** *** risks ** ********-******** ******, *******, *** data, **** ** **************, *******, *********, video ************ *********, ** *******, *** storage *******, *** ********** ********* *************** such ** ******** ******** *** ********** protocols, *****:
'***** **********'******** *********** *** ********** *** ********* (such ** ****, ********, ********, *******, facilities, *** ********) **** ****** *** organization ** **** *** ********** ********** with *** ******** ********** ** ***** assets ********* *** ********** *** **** management ********.
'**** **********'** **** ** ********** *** ************* risks ****** *** ************, *** ******, and *** *********** ********, ** **** as *** ********* ******* *** *************** that ***** ********** ********.
'***********'** ************** *********, **********, *** ********** for ******** ************* **** ****** *** CSF ********* ******** *********** **** ** strengthen *** ************* **** ********** ** done **************, ******** ******** ***** ** address *******, *** ********* ******* ************* efforts.
******* ** ************ ******** ** ******* assets, **** ** ********* ********** *******, ensuring **** ******** *** ******** ** all ******* *** ********* ******* ** mitigate ***** ***************, ****** ********, ***** surveillance *******, *** ***** ****** ********* or *****-****** **************, *****:
'******** **********, **************, *** ****** *******'** ****** **** **** *** ***** people, ********, *** ******* *** ****** resources, **** ******** *** *******, ***** having ***** ******** ** ***** ** verify *** *** ****** ****, **** unauthorized ***** ***, *** ****** ******** measures ***** ** ********* *****.
'********* *** ********** **** ******** ** *** ************ understands *** ** ******* ********** **** cyber ******* ** ********* ******** *** guidance ** **** **** **** ****** knows ***** **** ** ******* *** systems *** **** ******.
'**** ********'** **** ******* ****** **** ************ access ** ********* ** ********* ***** that ******** *** *****, ******** **** data ** ****** ********* **** ******, and ******* ** ************ *** ******.
'******** ********'***** **** *** ***** *** *******, whether ******** ** *******, *** ********* from ********* *****, ********* ******** *** software *** ******** ********** ** ****** secure ******* *** *******.
'********** ************** **********'*** ********** *** ***************, *********, *** availability ** ****** ******* ********** **** ensures ******* *** ********* *** ******* from *** ********** ** ******.
******* ** ********** ** ****** ***** security *********, **** ** ********* ********* systems ** ******* ********** ********, ***** surveillance ******* ** ****** ******** *********, logging, ********** ***** ** ***** ******* in ******* ** ******* ****** ********, and ******** ** ****** ********* ****, where:
'********** **********'** ******* ******* ******* ** *** infrastructure ** ****** ******** ***** ** intrusion ********, ********* ********** ********, ********* activities, ******* *****, *** ******** **** may ******** * ********* *******, ******* with ******** *******, ********, ** **** management.
'******* ***** ********'*** **** ******** ******** **** ********* out ** *** ******** ** ********, from ******* ******** ******** ** ********** that ******* *** **** **** ***********, to ********** **** ** *********, ******* it ***** * ************* ****, *** how ** ******* ***********.
******* ** *** ****** ** ***** security *********, ******** ********** ** ******* physical ******** *********, ********** ******** **********, and ******* ******* *** ******* ** regular ********* ** ******* ** ********, where:
'******** **********'** ******* *********** **** * ***** security ******** ** ********, ************ *** prioritizing ********* ***** ** ***** ******** and, **** *********, ********** ********* ** higher ****** ** ********* ** ****** they ******* *********** *********.
'******** ********'*** ** ******** ********** ***** ************** are ********* ** ********** **** ******** and ***, ********** *** **** ***** of *** ********, ***** ***** ****** taken ****** *** ************* ** **********, along **** ********* ******** **** *** metadata, *** ******** *** ********* *** authenticity ** *** *******.
'******** ******** ********* *** *************'** ****** *** ********** ******* **** internal *** ******** ************, ******** ********** with ******** ****, ***********, *** ********.
'******** **********'** ** ******* ******** ** ***** and ******** *** ******* ** ***** security *********, ** ******* *** ********* from *********, *** ** ********* *** threats *******.
******* ** ********* *** ************'* ************ or ******** ******** ** * ************* incident ** ****** ********** ** ******* as ********, ********* ********* ****, *******, and ********* ** ***** ***-******** ***** or ** ********** ***** ** *************, where:
'******** ******** **** *********'********* **** *** ******** ******** ******* for ******* *** ******** ******** ** the ******** ** ****** *********** ********** and ****** *** ********* ** ******* and ***** ****** ****** ****** ********* status, ***** *** *** ** ******** recovery ** ******** ***** ** ******** and ********-******* ************* ** *********.
'******** ******** *************'** ******** *********** ***** ******** ******* and ********* ******** *** ********** **** internal *** ******** ******* ** ** aware ** ******** ******** *** ******* to ******* *** ********'* ************.
CSF *.* ***** ***** ******
******** ***** ******(***) ***** ** ******* ********* ** help ************* *********** ********* *** *.*, assist ******* ************, ********* **********, ********, and ********* *****, *** ***** ********* steps *** **** ********* *** *********** the ********* **** ******** ************* ********.
************ *********** * ******** ** ** ************'* current *** ******* ************* *******, ******* organizations **********, *****, ********, *** ********** cybersecurity ***** ***** ** ***** ******** mission, ************, *******, *** ************.
********* **************** ****** *********, *****, *** **** mitigation ******** ****** ******** ************* **** provide * ******* **** ** ************* risk ********** ********** *** ***** ************* to ***** ***** ******* ***********.
***** ******** ** ******-***** ************** ****** ** ** ************* ***** that ****** ******** ** ******* ******* with ***** ************* **** ********** ********** using *** *.*.
****** ***** **** *************** ************** ******** ************* ***** ********** the ****** *****, *********** ***************, *** implementing *********** ******** **********.
***** ******** *** ** ********* ************** ********, ***** *** **** organizations ******* ***** ************* **** ********** and ********** *********** ** ******** ****** improvements *** ******* *** ********.
************** ***** ** ********** **** ************** ****** ************* **** ********** **** processes *** **** ************** ****** *** organization, ********* *******, *********, ************, *** technical *****, ** ******* ****** **** monitoring, **********, *** ********* ****** ************** units **** *** ********** ********** ******* resilience.
CSF *.* *********** **********
************** ************* ********* *********** ** **** ** supplement *** ********* *** ******* *************' understanding *** ************** ** ************* *********.
**** ********************** ************ ********* *********, ***** **** *** to ******* *** ********** *** *** not ********** ***** ** **** ** organization ****** ** *** ** *** have ****** ************ *** *************.
********** ***** *********(****) ******* *** **** ****** *********, such ** *********** ******* *** *.* and *.*, **** *** *.* **, and *** ** *** **.
**#*, ***** *** *** *** ********.
**** *** *********, ******** **** *** developed ** ******* ************* *********.
***** *** **** *** ********* ** the ** ********** ** ******* (***) and ** * ********* ************* *********** for *********** *** ************** ******* **** the ***, *** **** *** ** voluntary *** ************* *** *** ** certification ************.
*** *** **** ** ** **** is *** **** *****, ** ** different, *** **** ** ******? * have * *** **** ******** ******* on ******* *** ************ ** ****: