The Evolving MSP

The Most Important Document for Partners To Read Now: CSF 2.0

Ask your customers this question: "What do you think it means that the National Institute of Standards and Technology (NIST) just expanded the scope of its Cybersecurity Framework (CSF) to go beyond 'critical infrastructure' and instead apply to all companies and organizations?"

Last month, NIST announced the first upgrade to the CSF since its release 10 years ago. In a blog post, Kevin Stine, chief of the NIST Applied Security Division's Information Technology Laboratory (ITL), noted that the CSF was born out of the 2013 signing of Executive Order (EO) 13636, which required the development of a cybersecurity framework to protect "critical infrastructure," such as oil and gas pipelines, rail, aviation and water supplies.

In fact, the original version of the CSF was titled, "Framework for Improving Critical Infrastructure Cybersecurity."

Notably, CSF 2.0 doesn't make the distinction between critical and non-critical infrastructure. One interpretation of that might be that NIST now considers all infrastructure to be critical. The abstract for the CSF 2.0 emphasizes the important expansion of the scope of the document and defines its purpose:

The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization -- regardless of its size, sector, or maturity -- to better understand, assess, prioritize, and communicate its cybersecurity efforts. The CSF does not prescribe how outcomes should be achieved. Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes. This document describes CSF 2.0, its components, and some of the many ways that it can be used.

Another Key Expansion
In its original 2014 version, the five pillars of the CSF were:

  • Identify: The organization's current cybersecurity risks are understood.
  • Protect: Safeguards to manage the organization's cybersecurity risks are used.
  • Detect: Possible cybersecurity attacks and compromises are found and analyzed.
  • Respond: Actions regarding a detected cybersecurity incident are taken.
  • Recover: Assets and operations affected by a cybersecurity incident are restored.

In the new CSF 2.0, a sixth pillar has been added at the top of the model:

  • Govern: The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.

This important new pillar informs how an organization achieves and prioritizes the outcomes of the other five and, in that sense, frames the whole model.

The CSF Promotes Superior MSSP Methodologies
Perhaps the most profound evolution we've seen among MSPs has been the elevation from managed services provider to managed security services provider (MSSP). Many of our colleagues have seen the need and the opportunity presented by data and network security services.

For anyone who has already achieved MSSP status, and especially for those working to elevate their MSP practice to MSSP, the NIST CSF 2.0 is a must-read -- and soon.

CSF 2.0 represents tour de force guidance for those who seek to own responsibility for the data and network security of their own company, or that of others. Its stated audience resides mainly on the "buy side": corporations, government agencies, educational institutions and other organizations.

You can be sure that your competition is already reading CSF 2.0 and has already begun planning based on it. The resources made available by this remarkable work are mammoth and will take time to get through, but at the end of that, MSSPs will be able to do something that will grow their profits substantially.

Customers respect methodology. In fact, their investment decisions are in large part influenced by the methodologies of the technology professionals they engage. In essence, they buy methodology. Reading CSF 2.0 and all the related materials will, without fail, dramatically improve your methodologies and impress your customers. It will also increase your profitability by enabling your people to perform related tasks far more efficiently and far more quickly.

This Is the Most Important Announcement You'll Read This Year
You are constantly reading about how this or that security software provider has improved their software, or about the new functions available in this or that security platform.

The CSF 2.0 announcement is all about how you improve you. How you improve the services you provide to your customers. How you earn increased levels of customer satisfaction from them. How you and your tech practice become more valuable. The guidance provided in CSF 2.0 is invaluable, as are all the resources it will lead you to.

So put down this article, pick up CSF 2.0, and start reading.

Posted by Howard M. Cohen on March 04, 2024