The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) now includes a sixth function, "Govern," which is poised to offer a fresh set of opportunities for MSSPs and MSPs to provide cybersecurity services to their end customers.
CSF edition 2.0 advances NIST’s landmark guidance for reducing cybersecurity risk in organizations and is designed for all audiences, regardless of their degree of cybersecurity sophistication, according to the organization.
The framework is organized around six key functions: Identify, Protect, Detect, Respond and Recover, plus the newly added sixth function, Govern. When considered together, these functions provide a comprehensive view of the lifecycle for managing cybersecurity risk, NIST said. The new governance function encompasses how organizations make and carry out informed decisions on strategy, a sweet spot for MSSPs and MSPs in helping their customers address broader security issues.
CSF 2.0 expands the White House's National Cybersecurity Strategy beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector.
How MSSPs, MSPs Can Gain New Market Share
David Primor, founder and CEO of Cynomi, writes on LinkedIn that MSSPs and MSPs stand to gain significantly from the updated NIST framework. Primor’s company provides a platform that enables MSSPs and MSPs to offer vCISO services to their end user companies. He believes the new insights and methodologies incorporated into CSF edition 2.0 make the NIST Framework easier to understand and implement.
“By integrating these advancements into their service offerings, MSPs and MSSPs can deliver more accurate and efficient risk assessments,” he said in his post. “They can also deliver more effective and up-to-date cybersecurity plans, tailored to the specific needs of their clients.”
Primor said that MSSPs and MSPs can enhance their value proposition while gaining a competitive edge in the market by making accurate and timely use of the new framework. And their clients will gain by improving their overall security posture while maximizing resource allocation.
One company observing the expanded playing field enabled by CSF 2.0 and getting into the game is SeeMetrics, provider of a Cybersecurity Performance Management (CPM) platform focused on how security leaders measure, track and improve security performance. Its latest development, Governance Boards, is attuned to CSF 2.0’s new Govern function.
“By building these dedicated boards we are providing CISOs with a new kind of automated oversight that previously took too much time and resources to achieve,” said Shirley Salzman, CEO and co-founder of SeeMetrics. “We are taking on the work of identifying what needs to be measured and the long, tedious process behind it. By automating it we are freeing up the CISO’s time and resources while also giving them a new layer of knowledge.”
NIST 2.0’s Wealth of Resources
CSF 2.0 also comes with two new resources, including a Small Business Quick-Start Guide and Community Profiles, each establishing a common baseline of outcomes to help develop CSF-informed cybersecurity risk management programs.
Organizations can use Community Profiles that best apply to their own situation as a basis to build their own Organizational Target Profile under the framework, rather than starting from scratch or with a more generalized template.
In addition to informative references (existing standards, guidelines, frameworks, regulations and other information sources specific to each outcome outlined in the CSF Core), NIST’s catalog of CSF resources includes implementation examples for each outcome. These examples are not only available as a separate document but are also incorporated into the searchable NIST CSF 2.0 Reference Tool for more streamlined access to detailed information on specific CSF Core components.
Visit the CSF website for updates, upcoming events, resources and other opportunities to weigh in. NIST has set up a new CSF 2.0 update page to increase awareness of the update process.