
NIST Cybersecurity Framework Updates & How NIST Is Responding to Supply Chain Attacks

As a business owner, you’re well aware of the threat that cybercriminals pose to your data. The news is full of stories about companies that have been hacked, and the fallout from these attacks can be devastating.

Recently, we’ve seen an increase in the number of supply chain attacks, in which attackers compromise a company’s suppliers to gain access to its systems and data. At the same time, more business owners are seeing the benefits of implementing the cybersecurity guidance published by an agency called NIST.

NIST (the National Institute of Standards and Technology) is responsible for developing cybersecurity standards and guidelines, and they’ve been working hard to keep up with the changing landscape of cyber threats.

In response to the increase in supply chain attacks and other cybercrime, NIST is updating its Cybersecurity Framework. But what is the NIST Cybersecurity Framework, and why is it so important for the private sector?

What Is NIST?

NIST is a non-regulatory agency of the United States Department of Commerce. It tracks developments in technology and cyber threats and develops and promotes standards, guidelines, and measurement science. Its cybersecurity standards are mandatory for U.S. federal agencies and are widely adopted voluntarily by industry.

Companies in the private sector have a choice about whether to follow NIST guidelines; it’s not mandated by law. But lately, more private businesses are seeing the benefits of implementing NIST’s flexible and adaptable cybersecurity frameworks. Ultimately, the goal of these guidelines is to help organizations better manage cybersecurity risk, and who wouldn’t want that?

Even though NIST guidance is only mandatory for U.S. federal agencies, cybersecurity is an important issue for all businesses. The recent updates to the NIST Cybersecurity Framework and the new draft guidance on securing the supply chain can give private business owners practical ideas for protecting their company.

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (CSF) is designed to be flexible, so it can be tailored to fit the needs of any organization. The framework consists of five continuous functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

The framework is outcome-based and technology-neutral: it does not prescribe specific products such as endpoint protection or antivirus software. Instead it describes outcomes (for example, “malicious code is detected”) that an organization can achieve with whatever tools and processes fit its size, budget, and risk. Taken together, the five functions give a bird’s-eye view of the lifecycle of an organization’s management of cybersecurity risk.

The original CSF was created with significant public involvement and collaboration and was released in 2014. It’s since been downloaded more than 1.6 million times and has been translated into at least six other languages. Businesses around the world recognize the value of NIST’s Cybersecurity Framework and are using it to improve their cybersecurity posture.

What Are The New Updates?

No published version of the Framework contains a “Comply” function. The most recent published version, CSF 1.1 (April 2018), kept the five functions above and added a Supply Chain Risk Management category under Identify, along with expanded guidance on self-assessment and on authentication and identity management. The revision NIST has announced, CSF 2.0, adds a sixth function, “Govern,” which covers organizational context, risk management strategy, roles and responsibilities, policy, and oversight, and places supply chain risk management under it.

The revision is driven in large part by the increase in cyberattacks, especially supply chain attacks, and by the need for clearer guidance on integrating security into the supply chain and improving cybersecurity awareness training.

NIST has also asked for public comment on the framework itself. It wants to know what has worked and what hasn’t, how the framework can be improved, and what challenges have prevented organizations from applying the guidelines.

How Is NIST Responding To Supply Chain Attacks?

As we mentioned earlier, supply chain attacks are increasing; one industry report put the growth at more than 300% in 2021. In a software supply chain attack, the attacker compromises a supplier’s source code, build process, or update mechanism so that malicious code reaches the supplier’s customers through a legitimate, often digitally signed, update or application.

These attacks can be very difficult to recognize and prevent because they can happen at any stage of the supply chain and arrive through a trusted vendor’s normal distribution channel, even from a developer as large as Microsoft. NIST is responding to these threats by adding guidance on integrating security into the supply chain.
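The practical defense against a compromised update mechanism is to refuse any release that does not match what the vendor attested to: a signed manifest of file digests, every file checked against it, and nothing installed that the manifest does not list. The following is an added example written for this page, not code from NIST or from any vendor. It uses a constructed two-file “release” and a constructed shared key; the HMAC tag stands in for the vendor’s public-key signature (in practice you would verify an Ed25519 or Sigstore signature over the manifest instead), and the file names, contents and key are assumptions for the demo.

```python
import hashlib
import hmac
import json

# Constructed sample release: what a vendor would ship. Not real software.
RELEASE_FILES = {
    "agent.bin": b"\x7fELF-constructed-agent-build-1.2.3",
    "config.yaml": b"update_url: https://vendor.example/updates\n",
}

# Constructed demo key. Stand-in for the vendor's signing key; in production
# the consumer holds only a public key and verifies a real signature.
DEMO_KEY = b"constructed-demo-manifest-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, signing_key: bytes) -> dict:
    """Vendor side: record each file's SHA-256 and authenticate the list."""
    entries = {name: sha256_hex(data) for name, data in files.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(signing_key, body, hashlib.sha256).hexdigest()
    return {"files": entries, "tag": tag}


def verify_release(files: dict, manifest: dict, verify_key: bytes):
    """Consumer side. Returns (ok, reason). Order matters:
    1. the manifest itself must be authentic, otherwise its digests mean nothing;
    2. every shipped file must be listed (a dropped-in extra is a red flag);
    3. every listed file must be present and match its digest.
    """
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_tag = hmac.new(verify_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return False, "manifest authentication failed"

    unlisted = sorted(set(files) - set(manifest["files"]))
    if unlisted:
        return False, f"unlisted file(s): {unlisted}"

    missing = sorted(set(manifest["files"]) - set(files))
    if missing:
        return False, f"missing file(s): {missing}"

    for name, digest in manifest["files"].items():
        if not hmac.compare_digest(sha256_hex(files[name]), digest):
            return False, f"digest mismatch: {name}"
    return True, "ok"


def demo() -> dict:
    """Run the genuine release and three constructed attack scenarios."""
    manifest = build_manifest(RELEASE_FILES, DEMO_KEY)

    # Attacker swaps the binary inside the update channel but cannot re-sign.
    tampered = dict(RELEASE_FILES, **{"agent.bin": b"backdoored-agent"})
    # Attacker also rebuilds the manifest, but with a key of their own.
    forged_manifest = build_manifest(tampered, b"attacker-key")
    # Attacker leaves the listed files alone and adds a dropper.
    with_extra = dict(RELEASE_FILES, **{"helper.dll": b"dropper"})

    return {
        "genuine": verify_release(RELEASE_FILES, manifest, DEMO_KEY),
        "tampered_file": verify_release(tampered, manifest, DEMO_KEY),
        "forged_manifest": verify_release(tampered, forged_manifest, DEMO_KEY),
        "extra_file": verify_release(with_extra, manifest, DEMO_KEY),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:16s} -> {result}")
```

The check order is the security-relevant part: a manifest whose digests match a tampered file proves nothing unless the manifest itself is authenticated first, and an attacker who controls the update channel can regenerate digests at will. The same structure applies whatever the signature scheme.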

In response to the increase in supply chain attacks, NIST released draft guidance on cybersecurity supply chain risk management in 2021 (the revision of Special Publication 800-161, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”). The guidance provides recommendations for assessing and managing the risks associated with suppliers and the products and services they deliver.

NIST has also launched the National Initiative for Improving Cybersecurity in Supply Chains (NIICS). This initiative will review past, current, and potential methods for mitigating supply chain attacks.

This guidance helps businesses identify and assess supply chain risks and put controls in place to mitigate them. NIST is also working with other government agencies, such as the Department of Homeland Security, to raise awareness about these types of attacks and how to prevent them.

Why NIST Updates Matter to the Private Sector 

Cyberattacks, and the rapid increase in hard-to-spot supply chain attacks in particular, show no signs of slowing down. NIST’s role is to keep adapting the Cybersecurity Framework so that businesses can defend themselves against these ever-changing threats.

Private businesses should stay up to date on NIST cybersecurity changes because the agency is constantly improving its framework and addressing new threats. Doing so helps a business confirm that it is using current, effective measures to protect its data and information.

If you need help implementing the NIST cybersecurity framework into your organization’s security infrastructure, contact Envision Consulting today. We can help you tailor the framework to fit your organization’s needs and ensure that your data and information are properly protected.

Envision Consulting

We started Envision Consulting for businesses that share our passion for building long-term and healthy relationships. While we might be technology experts, we’ve always known that trust, reliability and looking after a client’s best interest are paramount to succeeding in business. But in 2001, and to this day, there were few managed IT providers that embodied our customer-centric values. There were countless support companies more interested in reacting to issues than in paving the road forward for clients, making it far too difficult to build long-term relationships. We felt a strong pull to make something different, and we did.