Take A Tour! NIST Cybersecurity Framework 2.0: Small Business Quick Start Guide

Credit: NIST

The U.S. Small Business Administration is celebrating National Small Business Week from April 28 - May 4, 2024. This week recognizes and celebrates the small business community’s significant contributions to the nation. Organizations across the country participate by hosting in-person and virtual events, recognizing small business leaders and change-makers, and highlighting resources that help the small business community more easily and efficiently start and scale their businesses. 

To add to the festivities, this NIST Cybersecurity Insights blog showcases the NIST Cybersecurity Framework 2.0 Small Business Quick Start Guide, a new resource designed to help the small and medium-sized business (SMB) community begin to manage and reduce their cybersecurity risks. You’ve worked hard to start and grow your business. Are you taking the steps necessary to protect it? As small businesses have become more reliant upon data and technology to operate and scale a modern business, cybersecurity has become a fundamental risk that must be addressed alongside other business risks. This Guide is designed to help. 

Understanding the NIST Cybersecurity Framework (CSF) 

Let us first take a step back. Before we talk about the CSF 2.0 Small Business Quick Start Guide, it is important to first understand its foundation. The CSF is voluntary guidance that helps organizations​—regardless of size, sector, or maturity— better understand, assess, prioritize, and ​communicate their cybersecurity efforts (those stages of understand, assess, prioritize, and communicate are going to come back into focus in just a moment). 

The CSF describes what desirable cybersecurity outcomes an organization can aspire to achieve. And because every organization is different, the CSF does not prescribe outcomes nor how they may be achieved. The framework is flexible so that each organization can tailor their implementation to meet their own unique needs, mission, resources, and risks.  It is particularly useful for fostering internal or external communication by creating a common vocabulary for discussing cybersecurity risk management. 

First published in 2014, the CSF recently underwent a significant revision. CSF 2.0 was published on February 26, 2024. Along with the updated document, NIST published new supplementary materials meant to help different audiences better understand and put the CSF 2.0 into action. 

Introducing the CSF 2.0 Small Business Quick Start Guide 

The Guide provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the CSF 2.0. 

The CSF is often discussed in terms of transportation— “Travel through the CSF 2.0” or “Journey to the CSF.” Why? Because cybersecurity is a continuous journey. Consider the SMB Quick Start Guide as an on-ramp to that journey. 

Credit: NIST

The information included within this Guide is not all encompassing or prescriptive; it is meant to offer a good starting point for a small or medium-sized business. The Guide is also not meant to replace the CSF. It is meant to be an introduction to it. Or, as mentioned earlier, an on-ramp to it. 

How is the SMB Quick Start Guide Organized? 

The Guide is organized by Function—1 page per Function. What is a CSF Function, you may ask? These are categorizations of cybersecurity outcomes (what you want to achieve) at their highest levels. They are: Govern, Identify, Protect, Detect, Respond and Recover. These Functions, when considered together, provide a comprehensive view of managing cybersecurity risk. 

• Govern: The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored
• Identify: The organization’s current cybersecurity risks are understood
• Protect: Safeguards to manage the organization’s cybersecurity risks are used.
• Detect: Possible cybersecurity attacks and compromises are found and analyzed.
• Respond: Actions regarding a detected cybersecurity incident are taken
• Recover: Assets and operations affected by a cybersecurity incident are restored.

On each page of the Guide, readers can expect to find information to help you better understand the Function and put it into action. Each page is organized into four primary sections: Actions to Consider, Getting Started, Questions to Consider, and Additional Resources. Let’s explore each section in more depth: 

1. Actions to Consider: As mentioned earlier, the CSF helps organizations better understand, assess, prioritize, and communicate their cybersecurity efforts. That is why the Guide’s “Actions to Consider” are organized into those stages.

• The Understand and Assess sections provide actions to help readers understand the current or target cybersecurity posture of part or all of an organization, determine gaps, and assess progress toward addressing those gaps. 
• The Prioritize section will include actions to help readers Identify, organize, and prioritize actions for managing cybersecurity risks that align with the organization’s mission, legal and regulatory requirements, and risk management and governance expectations.
• The Communicate section provides actions for communicating inside and outside the organization about cybersecurity risks, capabilities, needs, and expectations. 

Following each Action to Consider is a parenthetical (see image below), which documents what part of the Cybersecurity Framework Core the action referencing. The Core is a set of cybersecurity outcomes arranged by Function, Category, and Subcategory. In the case shown below (GV.OC-01) “GV” is the Function (Govern), “OC” is the Category (Organizational Context), and “01” is the Subcategory designation. Every Action to Consider ties back to the Cybersecurity Framework Core.

Credit: NIST

2. Getting Started: This area drills down into a specific concept within the Function. For instance, as shown in the image below, two planning tables are provided to help businesses begin thinking through documenting their governance strategy. Businesses will, of course, need to customize these tables to meet their own needs, but these provide a reference point for getting started. 

Credit: NIST

 For those who want to delve deeper into NIST guidance on a specific topic, a Technical Deep Dive is also included on every page. These resources are an important component because this SMB Quick Start Guide is not intended to be the final destination on a business’ journey to improved cybersecurity risk management. As a business grows, as their needs change, and as their reliance upon connectivity and technology increases, their approach to cybersecurity risk management will need to become more sophisticated. These resources can help in that journey.  

3. Questions to Consider: This section is included on every page to encourage readers to engage with the content and begin thinking through important questions related to cybersecurity risk management. They aren’t all the questions a company should be asking themselves, but provide a starting point for discussion. These questions, and the Guide as a whole, can also serve as a discussion prompt between a business owner and whomever they have chosen to help them reduce their cybersecurity risks, such as a managed security service provider (MSSP). 

Credit: NIST

4. Related Resources: This final section provides a few additional resources for continued exploration of the topic. Each resource was chosen because it specifically expands upon the content on the page or adds additional insights or tools that are actionable. All resources are from NIST or other federal agencies and are tailored specifically to the small business community. 

Want to learn more? 

• The final page of the Guide highlights additional resources that you can access on the CSF 2.0 Resource Library: https://www.nist.gov/cyberframework. 
• View the recording of our March 20, 2024 webinar: “Overview of the NIST CSF 2.0 Small Business Quick Start Guide.” 

Get Engaged in our NIST SMB Cybersecurity Work

• Join the NIST Small Business Cybersecurity Community of Interest (COI). This COI was established to convene the public and private sectors to share business insights, expertise, challenges, and perspectives to guide our work and assist NIST in addressing the cybersecurity needs of the small businesses community.
• Submit comments on NIST IR 7621 Rev. 1, Small Business Information Security: The Fundamentals. NIST has issued a Pre-Draft Call for Comments to solicit feedback. The public is invited to provide input by 12 p.m. ET on May 16, 2024. 
• Visit the NIST Small Business Cybersecurity Corner to view our library of small business cybersecurity resources, to register for upcoming events, and much more.