
Enhanced NIST Cybersecurity Framework: Your Solution for Protection and Security



  • The NIST Cybersecurity Framework (CSF) has been updated to reflect the evolving role of technology infrastructure in organizational objectives.
  • Significant changes include adding a function focused on governance with a dedicated section on supply chain cybersecurity.

In his discussion of the updated NIST Cybersecurity Framework, Joel Lanz notes that the five functions of identify, protect, detect, respond, and recover have become familiar in the cybersecurity realm. The CSF has been widely adopted by various industries and organizations for establishing cybersecurity practices. The updated version, CSF2, introduces a new focus on governance and supply chain cybersecurity, which is essential for the accounting profession.

CPAs have already incorporated elements of the CSF in their work, such as in assurance services like the SOC for Cybersecurity examination and in management accounting for assessing and managing cybersecurity risks. The framework has also been used by tax professionals to comply with IRS and state data protection requirements. Regulatory bodies like FINRA have provided resources for small firms based on the NIST framework.

Despite the success and widespread adoption of the CSF, challenges remain, particularly for larger organizations that may find the one-size-fits-all approach limiting. However, the updated CSF2 aims to address these challenges by being more adaptable to organizations of all sizes and types. The new version includes resources such as the small business guide, tailored for SMBs and other similar organizations.

For financial executives, the enhancements in CSF2 related to cybersecurity governance and supply chain risk management are of particular interest. The framework provides guidance on senior executives’ oversight responsibilities and offers tools like the Quick-Start Guide for Using CSF Tiers and the Enterprise Risk Management Quick-Start Guide.

Overall, the updated NIST Cybersecurity Framework will play a prominent role in the work of CPAs and other professionals involved in cybersecurity. It provides foundational abilities to combat sophisticated threats and demonstrates due diligence in mitigating litigation risks.
