The National Institute of Standards and Technology (NIST) has published updates and refreshed guidance to its cybersecurity framework (CSF), marking its first guidance update since the CSF was first released in 2014.
The NIST CSF is arguably the most recognized and globally applied cybersecurity framework. When paired with NIST’s data privacy framework, the CSF offers security and data privacy practitioners comprehensive and actionable guidance that helps them align their organizations to most global, regional, and industry-centric regulatory requirements.
What’s new with the latest NIST update
The latest 2.0 release is a result of years of public input and discussion to expand guidance and build in greater value. Specifically, the update includes revisions to core guidance, the development of resources to help businesses achieve their cybersecurity goals, and greater emphasis on governance and supply chain guidance.
Latest NIST update resources include:
- Implementation examples — step-by-step guides to help practitioners achieve outcomes based on specific subcategories.
- Quick start guides — intended to help companies map goals and policies quickly.
- CSF 2.0 reference tool — speeding time to implementation with browsing, search, and data export capabilities.
- A searchable catalog — helping practitioners efficiently align current efforts to CSF recommendations.
- The Cybersecurity and Privacy Reference Tool (CPRT) — Connected, browsable, and downloadable NIST guidance documents which also offers context to other popular resources.
While originally aimed at security practitioners, these latest NIST revisions are intended for all audiences, industries, and organizations, with the goal of making the CSF guidelines accessible to all.
Data protection vs. data privacy
The Cavelo platform aligns with both the NIST CSF and the NIST data privacy framework. It's essential to understand that these two frameworks — cybersecurity and data privacy — serve distinct purposes.
The cybersecurity framework aims to assist businesses in self-managing cybersecurity risk through policies and controls. On the other hand, the NIST data privacy framework is an aid to help businesses identify and manage privacy risk to safeguard individual privacy for customers or end-users.
Both frameworks are voluntary guidelines. Adhering to and implementing the NIST frameworks can enhance your organization's strategy for managing attack surfaces, strengthen data privacy policies, and better prepare your business for various compliance audits and obligations.
The NIST CSF promotes visibility into the data your organization uses and stores. When it comes to data protection and privacy, both frameworks help IT and security leaders prioritize cybersecurity efforts and accomplish five core functions: identify, protect, detect, respond, and recover.
Data discovery and classification are fundamental to these core functions because without proper data inventorying, mapping, and management, tasks such as data tracking, response, and recovery become exceedingly difficult.
With a few exceptions, both frameworks adhere to similar requirements regarding data collection, storage, and use across the functions of the framework.
NIST CSF categories that relate to data classification and management:
Personal Data Inventory
Develop and maintain a comprehensive list of personal data collected, used, transferred, stored, processed, and created within the organization. This list should include the specific data elements and the systems and applications that interact with this data.
Data Classification
Categorize data based on its type and sensitivity, as defined by relevant statutory, regulatory, and contractual contexts.
Data Flow Mapping
Document processing activities to illustrate the flow of personal data. This documentation should cover:
- Geographic locations and third parties involved in the storage, transmission, and/or processing of personal data.
- Contact information for the controller(s) involved in the storage, transmission, and/or processing of personal data.
- Purposes for data storage, transmission, and processing.
- Description of data subjects and personal data categories.
- Time limits for erasing various data categories (where feasible).
- Description of the data controller's cybersecurity and privacy measures (where feasible).
Limited Collection and Use
Restrict the collection, use, distribution, retention, disclosure, and creation of personal data to the minimum necessary, reasonably required, and legally justified purposes.
Using NIST guidelines as a foundation for broad regulatory compliance
Understanding the data within your network and categorizing the types of data you collect are fundamental to every data privacy and security regulation — and your continuous risk management initiatives. Put plainly: if you're unsure about the data you possess, safeguarding it becomes a challenge.
When it comes to compliance there's a common misconception that it's merely a matter of checking a box on an audit form. However, true compliance requires demonstrating how you check that box. This means articulating the processes, tools, and measures you've implemented to meet requirements.
Download our Data Discovery for Regulatory Compliance guide to explore other global, regional, and industry-based regulations, and tips to help you organize and prioritize data security and best practice planning.
