The latest draft of the NIST Cybersecurity Framework (CSF) 2.0 was released on August 8, 2023. Now open for public comment until November 4, 2023, CSF 2.0 aims to be more universally usable across industry sectors, helping organizations understand and lower cybersecurity risk.
Among the major changes to the Framework is the addition of a new “Govern” pillar, which establishes the organizational context for cybersecurity risk and risk management. The new Govern pillar, alongside the five pillars of the previous version (Identify, Protect, Detect, Respond, Recover), forms the core of the CSF.
NIST has also released its “Discussion Draft of the Implementation Examples,” in which it explains different ways organizations could satisfy the core controls.
Understanding the Identify Pillar
The six pillars of CSF 2.0 work interdependently to create a robust, layered approach to cybersecurity. The Identify pillar ensures the business knows where its sensitive assets are, so that it can apply appropriate controls to protect and monitor them.
How Data Discovery Supports the CSF
Data discovery supports the CSF by ensuring comprehensive and repeatable identification of sensitive data types across all platforms, whether on-premises or in the cloud.
CSF 2.0 requires that “Representations of the organization’s authorized network communication and internal and external network data flows are maintained” (ID.AM-03).
To meet this control, organizations need to map data flows and document their network environment, including between the organization and third parties. However, data flow diagrams explain only how data is intended to flow between systems following formal processes. They don’t capture the workarounds that people use when systems fail or are too onerous to use, for example. As a result, data flow diagrams can’t identify hidden or unintended stores of data or other sensitive assets.
The framework also requires that “Inventories of data and corresponding metadata for designated data types are maintained” (ID.AM-07). For this, organizations need to identify all sensitive data types including personal data, protected health information, payment and credit card information, as well as organizational sensitive and proprietary information.
Recognizing the limitations of data flow mapping and the complexities of maintaining accurate data inventories, the CSF implementation examples explain that businesses must “continuously discover and analyze ad hoc data” to identify new instances of sensitive data.
Automating discovery simplifies this further and lowers the effort required to deliver enterprise-wide scanning.
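As an added illustration (not code from NIST or from the guide mentioned on this page) of the kind of inventory ID.AM-07 calls for, the following Python sketch scans constructed sample data stores for a few sensitive data types (payment card numbers validated with a Luhn check, SSNs, email addresses, medical record numbers) and emits an inventory record per store with its location, the data types found, and a sensitivity rating. The store locations, content, patterns and rating scheme are all assumptions chosen for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample "data stores" standing in for files, buckets and tables
# that an automated scan would enumerate across on-premises and cloud platforms.
SAMPLE_STORES = {
    "s3://reports/export.csv": "name,email,card\nAda,ada@example.com,4111 1111 1111 1111\n",
    "\\\\fileserver\\hr\\notes.txt": "Patient MRN 123456 seen 2023-08-08, SSN 078-05-1120",
    "db://crm/leads": "Contact jo@example.org re: Q3 roadmap",
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum; rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Each classifier: (regex, optional validator applied to the matched text).
CLASSIFIERS = {
    "payment_card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"),
                     lambda m: luhn_ok(re.sub(r"\D", "", m))),
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), None),
    "mrn": (re.compile(r"\bMRN\s*\d{6,}\b", re.IGNORECASE), None),
}
HIGH_SENSITIVITY = {"payment_card", "ssn", "mrn"}  # assumed rating scheme


def classify(text: str) -> dict:
    """Return {data_type: match_count} for every sensitive type found in text."""
    found = {}
    for label, (pattern, check) in CLASSIFIERS.items():
        n = sum(1 for m in pattern.finditer(text) if check is None or check(m.group()))
        if n:
            found[label] = n
    return found


def build_inventory(stores: dict) -> list:
    """One inventory record (location, data types, sensitivity, scan time) per store."""
    scanned_at = datetime.now(timezone.utc).isoformat()
    inventory = []
    for location, content in stores.items():
        types = classify(content)
        if types:  # stores with no sensitive data are not inventoried
            sensitivity = "high" if HIGH_SENSITIVITY & types.keys() else "medium"
            inventory.append({"location": location, "data_types": types,
                              "sensitivity": sensitivity, "scanned_at": scanned_at})
    return inventory
```

Re-running build_inventory on a schedule and diffing its output against the last run is one way to surface the "ad hoc" data stores the implementation examples ask organizations to keep discovering.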
Organizations can prepare for the final release of CSF 2.0, due in early 2024, by making sure they can identify sensitive data types across all systems and platforms. To learn how, download our free guide, How to Choose a Data Discovery Solution.