It’s been a decade since the National Institute of Standards and Technology (NIST) introduced its Cybersecurity Framework (CSF) 1.0. Following a 2013 Executive Order, NIST was tasked with designing a voluntary cybersecurity framework that would help organizations manage cyber risk, providing guidance based on established standards and best practices. While this version was originally tailored for critical infrastructure, 2018’s version 1.1 was designed for any organization looking to address cybersecurity risk management.
CSF is a valuable tool for organizations looking to evaluate and enhance their security posture. The framework helps security stakeholders understand and assess their current security measures, organize and prioritize actions to manage risks, and improve communication within and outside organizations using a common language. It’s a comprehensive collection of guidelines, best practices, and recommendations, divided into five core functions: Identify, Protect, Detect, Respond, and Recover. Each function includes several categories and subcategories, notably:
In February 2024, NIST released CSF 2.0. The goal of this new version is to help CSF become more adaptable and thus widely adopted across a wider range of organizations. Any organization adopting CSF for the first time should use this newer version; organizations already using 1.1 can continue to do so, but with an eye to adopting 2.0 in the future.
2.0 brings with it some changes; among other advancements, it adds “Govern” as a first step because, according to ISC.2.org, “the CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders must consider alongside others such as finance and reputation. The objectives are to integrate cybersecurity with broader enterprise risk management, roles and responsibilities, policy and oversight at organizations, as well as better support the communication of cybersecurity risk to executives.”
It also has an expanded scope, it’s clearer and more user-friendly, and most importantly (for the purposes of this article anyway), it strongly focuses on emerging threats and zeroes in on a continuous and proactive approach to cybersecurity via the newly added Improvement Category in the Identify Function. Taking a continuous approach means organizations are encouraged to assess, reassess, and then update cybersecurity practices on a regular basis. This lets organizations respond faster and more accurately to events, reducing their impact.
Today, there are multiple actionable frameworks and tools designed to work within the parameters of the high-level CSF guidelines. For example, Continuous Threat Exposure Management (CTEM) is highly complementary to CSF. Released in 2022 by Gartner, the CTEM framework is a major shift in how organizations handle threat exposure management. While CSF provides a high-level framework for identifying, assessing, and managing cyber risks, CTEM focuses on the continuous monitoring and assessment of threats to the organization’s security posture – the very threats that constitute risk itself.
CSF’s core functions align well with the CTEM approach, which involves identifying and prioritizing threats, assessing the organization’s vulnerability to those threats, and continuously monitoring for signs of compromise. Adopting CTEM empowers cybersecurity leaders to significantly mature their organization’s NIST CSF compliance.
Prior to CTEM, periodic vulnerability assessments and penetration tests to find and fix vulnerabilities were considered the gold standard for threat exposure management. The problem was, of course, that these methods only offered a snapshot of security posture – one that was often outdated before it was even analyzed.
CTEM has come to change all this. The program delineates how to achieve continuous insight into the organizational attack surface, proactively identifying and mitigating vulnerabilities and exposures before attackers exploit them. To make this happen, CTEM programs integrate advanced technologies such as exposure assessment, security validation, automated security validation, attack surface management, and risk prioritization. This aligns closely with NIST CSF 1.1 and provides tangible benefits across all five core CSF functions:
The NIST Cybersecurity Framework (CSF) and Continuous Threat Exposure Management (CTEM) program are truly brothers in arms – working together to defend organizations against cyberthreats. CSF provides a comprehensive roadmap for managing cybersecurity risks, while CTEM offers a dynamic and data-driven approach to threat detection and mitigation.
The CSF-CTEM alignment is especially evident in how CTEM’s focus on continuous monitoring and threat assessment comes together seamlessly with CSF’s core functions. By adopting CTEM, organizations significantly enhance their compliance with CSF – while also gaining valuable insights into their attack surface and proactively mitigating vulnerabilities.