NIST CSF 2.0 and What it Means for MSP Governance Services

In February 2024, the National Institute of Standards and Technology (NIST) made the Cybersecurity Framework (CSF) 2.0 available to the public. The updated framework targets organizations of all sizes and sectors, and includes improved resources, a greater focus on the supply chain, and the addition of a new core function — governance. In this article, we’ll review these significant updates to the CSF and explain how business-savvy MSPs can leverage governance as a service to meet demand as businesses scramble to adapt to the new framework.

What is the New NIST CSF?

First, a look back

Executive Order 13636, signed in February 2013, tasked NIST with the development of a framework aimed at reducing risks to critical infrastructure. One year later, NIST released the CSF.

The CSF defined the lifecycle of cybersecurity risk management through five core functions: Identify, Protect, Detect, Respond, and Recover. It was intended to help organizations better understand and improve cybersecurity by describing desired outcomes and providing potential security controls for consideration.

Finalized in February 2024, CSF 2.0 is the most recent version of the NIST security framework. Other than Version 1.1, made public in April 2018, this is the first major update to the CSF since it was issued over a decade ago.

What MSPs Need to Know About New NIST Guidelines

The intention of the CSF remains the same – to help organizations understand and assess the most recent cybersecurity challenges and best practices. Among the major changes are:

  • a major addition to the five core functions;
  • the suite of resources provided to make that happen;
  • the audience it targets; and
  • a greater focus on the supply chain.

Each of these may impact your MSP, and we’re going to explain how. From our perspective, the most significant update is the focus on governance.

A Major Addition: Focus on Governance

The subcategories of the Governance function were previously distributed under the Identify function, but the creation of an entirely new domain indicates the increasing importance of how organizations make informed decisions about their cybersecurity strategy (aka governance).

Making informed cybersecurity decisions requires both cybersecurity and governance expertise. MSP governance services offer both, and they can help clients establish and implement the policies, roles, and responsibilities that engage all levels and members of an organization.

Improved Resources

To make it easier for organizations to adopt and implement their security framework, NIST has created a suite of resources. Among the most notable are:

  • A new CSF 2.0 Reference Tool that makes browsing, searching, and exporting data and details simpler and easier for users to consume.
  • A searchable informative reference catalog that enables organizations to map their current actions onto the CSF NIST standards and cross-reference with more than 50 other cybersecurity documents, including other NIST regulations.
  • A downloadable PDF of Implementation Examples that offers potential ways to achieve each outcome and implement the framework.
  • Quick-start guides designed for users with specific common goals, which now include a guide for small- and medium-sized businesses.
  • A Community Profiles tool that organizations can use to build their own Organizational Target Profile, rather than having to start from scratch.

Despite the expansion and simplification of the suite of resources offered, there’s still a lack of specific recommendations for implementing CSF. Smaller organizations may be deterred by the scope, breadth, and depth of the CSF, presenting an opportunity for MSPs who offer compliance as a service (CaaS) to step in with concrete steps and solutions.

Wider Audience

While the original CSF targeted organizations in critical infrastructure, CSF 2.0 acknowledges that cybersecurity concerns all organizations. CSF 2.0 explicitly aims to assist all audiences, industry sectors, and organization types in the management and reduction of cybersecurity risk. From the Quick Start Guide for Small Businesses to friendlier fonts in the V2 PDF, CSF 2.0 attempts to lower the barriers to cybersecurity and get everyone involved.

Cybersecurity is for everyone, but some organizations have limited resources. A smaller organization that lacks the skilled personnel and budget required to implement CSF may therefore seek out a third party for assistance.

Focus on Supply Chain

CSF 2.0 emphasizes the importance of a comprehensive approach to cybersecurity that includes the entire supply chain. It recognizes that, ultimately, the security of an organization is dependent on the security of its suppliers, partners, and third-party service providers. To that end, it suggests assessing the cybersecurity posture of partners and including cybersecurity standards, incident reporting protocols, and audit rights in supply chain contracts.

Of course, this means that MSPs who follow NIST guidelines may conduct risk assessments on their suppliers and partners. But it also means assisting clients with their own robust risk assessment processes that extend beyond the organization.

Governance as a Service for MSPs

Compliance Scorecard is a governance as a service (GaaS) platform that was built with the new NIST governance domain in mind. It’s equipped with several capabilities that enable MSPs to leverage the opportunities presented by the NIST 2.0 framework.

NIST Policy Pack

Establishing the policies, roles, and responsibilities of cybersecurity is easy with Compliance Scorecard’s NIST Policy Pack. It outlines the key policies and procedures you’ll need to implement the framework for any client and provides customizable templates to get you started.

Implementation

The new Governance domain emphasizes that cybersecurity is more than just a function of the IT department and encourages organizations to foster a culture of cybersecurity. Compliance Scorecard provides a shared view of cybersecurity objectives, enhancing collaboration with clients and ensuring that policies are adopted across the organization.

Adaptability

The very creation of CSF 2.0 is a testament to the fact that the cybersecurity threat landscape is constantly changing, as are the needs of organizations. Compliance Scorecard allows for customized policy creation, the ability to tailor services to ever-changing needs, and regular reviews of policies and practices to ensure continued compliance.

Learn More About MSP Governance Services

NIST 2.0 is intended to be a more accessible framework but, for some organizations, its implementation is still a formidable undertaking. Organizations without the expertise and budget to execute CSF run the risk of falling behind, and that’s where MSPs can play a huge role.

The need for GaaS is growing and MSPs are perfectly positioned to meet the demand. Are you ready to leverage the opportunities presented by NIST 2.0? Compliance Scorecard’s governance-as-a-service platform specifically addresses the new governance domain within the NIST CSF 2.0 framework. Ask us how we can help you manage and reduce cybersecurity risk using our 4A govern practices capabilities (Alignment, Authorization, Adoption, Assessment). Contact us to learn more.
