The NIST Cybersecurity Framework 2.0, introduced in early 2024, incorporates new elements like a focus on governance and supply chain security. It aims to be more accessible and useful to a broader range of organizations. In a recent discussion, Steve Salinas from Stellar Cyber and Michael Hamilton, founder and CISO of Critical Insight, examined the updates in the new framework. Hamilton highlighted the consolidation of specific elements into governance and emphasized the importance of managing remote access and assessing business risks due to cybersecurity gaps. He stressed the need for third-party assessments for objective evaluations.
Hamilton explained that organizations could use tools provided by Critical Insight to manage compliance and improve security measures over time. He noted the benefits of aligning with the NIST framework, such as reduced insurance premiums and incentives from state laws like those in Ohio and Connecticut, which offer safe harbor from regulatory actions if cybersecurity standards are met.
The conversation also addressed the enforceability of these frameworks. While some sectors have mandatory compliance, others are encouraged through emerging incentives. Hamilton discussed the federal government's efforts to consolidate cybersecurity guidance and the role of local governments and various critical sectors in adopting these practices.
0:01 - Introduction by Steve Salinas from Stellar Cyber.
0:07 - Michael Hamilton discusses changes in NIST framework, focusing on governance and supply chain security.
1:01 - Importance of third-party assessments for managing remote access and potential risks.
2:30 - Discussing risk assessments and budgeting for corrective actions.
3:00 - Critical Insight offers tools and third-party assistance.
3:57 - Enforceability of regulations varies by sector; healthcare has specific cybersecurity guidelines.
4:54 - Safe harbor laws in Ohio and Connecticut, and emerging incentives for using the NIST framework.
6:00 - Case study on ransomware payments and related risks.
7:01 - Use of the NIST framework associated with lower insurance premiums.
7:53 - Insurance companies' role in providing managed detection and response services.
8:36 - Conclusion and contact information.