July 05, 2024
Cyber Risk

Update to NIST CSF 2.0, Map to FAIR-CAM, with the SAFE One Platform

An easy upload gets you up to speed with the latest cybersecurity framework, plus FAIR controls analytics

By Grant Rexer

NIST CSF 2.0 builds on the foundation of NIST CSF 1.0 and offers several improvements to address the evolving cybersecurity landscape. In her March blog post titled Navigating the Convergence of Cyber Risk and Business Risk with NIST CSF 2.0 and SAFE One, Resha Chheda provides a detailed overview of these improvements, so I will not restate them here. Instead, this blog post takes a peek under the covers of SAFE One: how it utilizes the new framework, especially the “Govern” function, and how easy it is for companies to take advantage of it.

Quick Overview of NIST CSF 2.0 Improvements

  1. Wider Applicability: NIST CSF 1.0 primarily focused on critical infrastructure in the US. NIST CSF 2.0 expands its scope to organizations of all sizes and industries globally, reflecting the current reality of cyber threats.
  2. Stronger Focus on Governance: NIST CSF 2.0 introduces a new "Govern" function, emphasizing that cybersecurity is an enterprise-wide risk, not just an IT issue. This encourages better alignment between cybersecurity strategies and overall organizational goals.
  3. Enhanced Supply Chain Risk Management: Recognizing the increasing reliance on third-party vendors, NIST CSF 2.0 emphasizes managing cybersecurity risks within the supply chain.
  4. Improved Measurement and Communication: NIST CSF 2.0 offers more guidance on measuring cybersecurity outcomes and communicating them effectively within the organization and externally.

Overall, NIST CSF 2.0 provides a more comprehensive and adaptable framework for organizations to manage cybersecurity risks in today's complex environment.

The “Govern” function and the FAIR Controls Analytics Model

The “Govern” function of NIST CSF 2.0 identifies 6 categories: Organizational Context; Risk Management Strategy; Roles, Responsibilities, and Authorities; Policy; Oversight; and Cybersecurity Supply Chain Risk Management. Each category contains a varying number of subcategories, for a total of 31 areas of assessment across the “Govern” function.

FAIR-CAM (Factor Analysis of Information Risk Controls Analytics Model): SAFE One is based on the FAIR Institute’s open standards to perform cybersecurity risk quantification and management. This gives SAFE One a real advantage over other cyber risk quantification and management (CRQM) platforms, not only because of how quickly we can adopt new frameworks or new versions of existing frameworks as they are released, but also because of the assurance that they are mapped and utilized based on FAIR standards.

FAIR-CAM currently maps all 31 subcategories of the “Govern” function to the following six controls, one per category in the order listed above: Cyber Risk Quantification and Management, Cyber Security Governance, Data Privacy Program, User Access Control, Background Verification, and Third-Party Risk Management.

SAFE One Makes the NIST CSF 2.0 Update Easy

If your organization has conducted or will conduct a NIST CSF 2.0 assessment, SAFE One makes it easy to ingest those findings into the platform: uploading a formatted CSV is a single button click.

You can download a template to either fill in manually or see how to format your existing NIST CSF 2.0 assessment. SAFE One also provides you the ability to assess the controls manually with an easy-to-use Finding Option drop-down. Need more information on the Finding description? One click on the Finding name will provide you with that information.

SAFE One makes it easy for customers to take advantage of updates and improvements to important cybersecurity frameworks like NIST CSF 2.0. Mapping those frameworks to the open-source, industry-standard FAIR-CAM model provides customers with risk quantification and management that is comprehensive and defensible. Finally, making it easy to ingest or manually insert and update the assessment data gives our customers ease of use that lets them focus on cyber risk scenarios rather than on yet another “data” project.