NIST Adds “Govern” Function to Cybersecurity Framework

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) now includes a sixth function, "Govern," which is poised to offer MSSPs and MSPs a fresh set of opportunities to provide cybersecurity services to their end-customer companies.

CSF edition 2.0 advances NIST’s landmark guidance for reducing cybersecurity risk in organizations and is designed for all audiences, regardless of their degree of cybersecurity sophistication, according to the organization. 

The framework is organized around six key functions: Identify, Protect, Detect, Respond and Recover, plus the newly added sixth function, Govern. When considered together, these functions provide a comprehensive view of the lifecycle for managing cybersecurity risk, NIST said. The new governance function encompasses how organizations make and carry out informed decisions on strategy, a sweet spot for MSSPs and MSPs in helping their customers address broader security issues.

CSF 2.0 expands the White House's National Cybersecurity Strategy beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector.

How MSSPs, MSPs Can Gain New Market Share

David Primor, founder and CEO of Cynomi, writes on LinkedIn that MSSPs and MSPs stand to gain significantly from the updated NIST framework. Primor’s company provides a platform that enables MSSPs and MSPs to offer vCISO services to their end user companies. He believes the new insights and methodologies incorporated into CSF edition 2.0 make the NIST Framework easier to understand and implement.

“By integrating these advancements into their service offerings, MSPs and MSSPs can deliver more accurate and efficient risk assessments,” he said in his post. “They can also deliver more effective and up-to-date cybersecurity plans, tailored to the specific needs of their clients.”

Primor said that MSSPs and MSPs can enhance their value proposition while gaining a competitive edge in the market by making accurate and timely use of the new framework. Their clients, in turn, will gain by improving their overall security posture while maximizing resource allocation.

One company observing the expanded playing field enabled by CSF 2.0 and getting into the game is SeeMetrics, provider of a Cybersecurity Performance Management (CPM) platform focused on how security leaders measure, track and improve security performance. Its latest development, Governance Boards, is attuned to CSF 2.0’s new Govern function.

“By building these dedicated boards we are providing CISOs with a new kind of automated oversight that previously took too much time and resources to achieve,” said Shirley Salzman, CEO and co-founder of SeeMetrics. “We are taking on the work of identifying what needs to be measured and the long, tedious process behind it. By automating it we are freeing up the CISO’s time and resources while also giving them a new layer of knowledge.” 

NIST 2.0’s Wealth of Resources

CSF 2.0 also comes with two new resources, a Small Business Quick-Start Guide and Community Profiles, each establishing a common baseline of outcomes to help develop CSF-informed cybersecurity risk management programs.

Organizations can use Community Profiles that best apply to their own situation as a basis to build their own Organizational Target Profile under the framework, rather than starting from scratch or with a more generalized template.

In addition to informative references (existing standards, guidelines, frameworks, regulations and other information sources specific to each outcome outlined in the CSF Core), NIST’s catalog of CSF resources includes implementation examples for each outcome. These examples are not only available as a separate document but are also incorporated into the searchable NIST CSF 2.0 Reference Tool for more streamlined access to detailed information on specific CSF Core components.

Visit the CSF website for updates, upcoming events, resources and other opportunities to weigh in. NIST has set up a new CSF 2.0 update page to increase awareness of the update process.

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.