...
Reference description with linked URLs | Notes |
---|---|
NIST cybersecurity | |
NIST cybersecurity framework | |
NIST cybersecurity measurement | |
FTC summary of NIST cybersecurity framework | |
Synopsys summary of NIST cybersecurity framework | |
https://www.fedramp.gov/program-basics/ | A cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. |
https://www.fedramp.gov/assets/resources/training/100-A-FedRAMP-Training-Welcome-to-FedRAMP.pdf | |
https://www.fedramp.gov/documents-templates/ | |
FedRAMP - Understanding the Transition from Rev. 4 to Rev. 5 | |
https://www.fedramp.gov/assets/resources/documents/ | |
ACCELERATING GOVERNMENT INNOVATION AND MODERNIZATION WITH CLOUD - Splunk | |
...
Supply chain risks: An organization can use the CSF to foster cybersecurity risk oversight and communications with stakeholders across supply chains. All types of technology rely on a complex, globally distributed, extensive, and interconnected supply chain ecosystem with geographically diverse routes and multiple levels of outsourcing. This ecosystem is composed of public- and private-sector entities (e.g., acquirers, suppliers, developers, system integrators, external system service providers, and other technology-related service providers) that interact to research, develop, design, manufacture, acquire, deliver, integrate, operate, maintain, dispose of, and otherwise utilize or manage technology products and services. These interactions are shaped and influenced by technologies, laws, policies, procedures, and practices.
NIST 2.0 CSF review
NIST CSF 2.0 Updates Summary

Introduction to NIST CSF 2.0 (00:00 - 00:35): The NIST Cybersecurity Framework (CSF) is a voluntary security guide developed by NIST in collaboration with public and private sectors. It was originally designed for critical infrastructure but has now been expanded for all organizations.

Major Name and Scope Change (00:35 - 01:56): CSF 2.0 removes the emphasis on "critical infrastructure" to make it applicable across all industries. New additions include community profiles, organizational profile templates, and Quick Start guides to streamline implementation.

New Sixth Function: "Govern" (02:14 - 02:41): CSF functions expanded from five to six, adding "Govern" to improve cybersecurity strategy and policy oversight. The functions now include: Govern, Identify, Protect, Detect, Respond, and Recover.

Updated Implementation Approach (03:08 - 04:47): The framework is not prescriptive, but defines desirable security outcomes across 21 categories and 112 subcategories. New implementation examples provide clearer guidance on achieving security objectives, making it easier to follow.

Enhanced Clarity and Usability (06:05 - 06:54): The language in CSF 2.0 is simplified to improve communication across technical and non-technical stakeholders. Some outdated terms and categories have been restructured and consolidated for better alignment.

Major Overhaul of Respond and Recover Functions (08:52 - 09:49): These functions now better align with industry-accepted incident response and recovery processes. The updates provide more structure for security operations, making them actionable rather than abstract.

Community and Organizational Profiles (10:17 - 10:43): Community profiles offer ready-made cybersecurity blueprints tailored to specific sectors or threats (e.g., ransomware). Organizational profiles help define current vs. target security states, streamlining the transition to CSF 2.0.

No Official 1.1 to 2.0 Mapping (11:27 - 11:44): Due to significant changes in structure and terminology, there's no direct mapping from CSF 1.1 to 2.0. Organizations are encouraged to start fresh with CSF 2.0 rather than attempting a direct migration.

Recommended Implementation Approach (12:03 - 12:33): Organizations should create a new CSF 2.0 profile and use their existing CSF 1.1 data only as a baseline reference. A migration plan should be at least a 3-month project, depending on the organization's size and complexity.

Final Thoughts and Community Support (12:33 - 13:01): CSF 2.0 is more comprehensive, easier to implement, and better for communication across an organization. The cybersecurity community (e.g., Simply Cyber's Discord) can be a valuable resource for practitioners adopting CSF 2.0.

Key Takeaway: NIST CSF 2.0 is a major upgrade with a new Govern function, improved clarity, better incident response, and implementation examples, making it easier to adopt and apply across all organizations.
...