EdTech leaders, this is the cybersecurity news you've been waiting for! A new and improved set of National Cybersecurity Standards is ready to help you manage your cybersecurity risks.
A decade after publishing version 1.0, the National Institute of Standards and Technology (NIST) has released an updated version of the Cybersecurity Framework (CSF). That's right, the NIST CSF 2.0 is here!
This update includes the new GOVERN function, now at the core of the NIST CSF 2.0 framework. This new function declares a heightened senior leadership imperative, building a strong cybersecurity culture from the top down.
“Developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad,” explains Kevin Stine, chief of NIST's Applied Cybersecurity Division.
How Can Schools Use These New Standards?
In support of schools, The Cybersecurity Coalition for Education has been working with the NIST CSF 2.0 design team since August 2023 to ensure the new National Cybersecurity standards met our education sector's needs.
The Coalition provided suggestions about the structure, functionality, and governance categories proposed in the new NIST CSF 2.0 framework.
Once NIST closed the window for public and stakeholder comments on the NIST CSF 2.0 draft in November 2023, the advisory council and the Coalition's Instructional Design team went to work developing and realigning our resources.
Today, we are thrilled to release updated, NIST CSF 2.0-aligned versions of our Cybersecurity resources, including our Cybersecurity Rubric (CR) 2.0 for Education and training and our Certified Cybersecurity Rubric Evaluator (CCRE) program.
You can find the updated rubric and training at cybersecurityrubric.org.
A Walkthrough of the New Structure
The following shows the new structure of the updated National Cybersecurity standard, NIST CSF 2.0, with its increased emphasis on leadership governance.
Six (6) NIST CSF 2.0 Functions Serve as the Overarching Cybersecurity Framework and Evaluation Standards.
- The GOVERN Function establishes and monitors the organization's cybersecurity risk management strategy, expectations, and policy.
- The IDENTIFY Function determines the current cybersecurity risk to the organization.
- The PROTECT Function uses safeguards to prevent or reduce cybersecurity risk.
- The DETECT Function identifies and analyzes possible cybersecurity attacks and compromises.
- The RESPOND Function takes action regarding a detected cybersecurity incident.
- The RECOVER Function addresses restoring assets and operations impacted by a cybersecurity incident.
What Is the Main Focus of the New National Cybersecurity Standard?
The NIST Cybersecurity Framework (NIST CSF 2.0) and the Cybersecurity Rubric 2.0 take a holistic approach at the strategic and enterprise levels to improve cybersecurity leadership and reduce cybersecurity risk. The new GOVERN function establishes and monitors the school's cybersecurity risk management strategy, expectations, and policy. Here are a few highlights.
- The Rubric is designed for education, and both place the highest levels of leadership at the forefront rather than burying cybersecurity inside the technology organization.
- Uses common language and is a collaborative tool designed to improve cybersecurity awareness and communication about the school system's cybersecurity effectiveness maturity level.
- Fosters a sense of unity, from the functional groups to the superintendent and boards of trustees, in a collective effort to manage cybersecurity risks.
- Helps in determining critical activities and developing strategic plans with quantifiable measures of progress.
- Focuses on how organizations make, fund, and execute decisions regarding cybersecurity.
- Increases the focus on collecting metrics about how well the risk management strategy is working, so that risk results can be used to reduce exposure to threats while maximizing the return on investment in technology spending.
What Does the New GOVERN Function Include?
The new GOVERN function weaves cybersecurity into the people, processes, and technology needed to adequately govern cybersecurity within school systems. How? By establishing, monitoring, and improving the cybersecurity risk management strategy, expectations, and policy.
Schools use the govern function's categories to provide evidence of how they manage risks, define roles, and enforce comprehensive protection policies.
Here's a quick explanation of how the new governance categories apply to schools.
1. Organizational Context
The organizational context category asks schools to understand the circumstances surrounding their cybersecurity risk management decisions: the mission, stakeholder expectations, and legal, regulatory, and contractual obligations. Additionally, schools depend on vendor partners to provide critical capabilities and services, so those dependencies belong in the picture too. Therefore, it's crucial for schools to clearly understand and communicate cybersecurity risk management decisions so that all internal and external stakeholders understand them.
2. Risk Management Strategy
Risk Management Strategy directs schools to establish, communicate, and enforce cybersecurity priorities, constraints, risk tolerance, risk appetite statements, and assumptions to support operational decisions. The strategy sets short- and long-term measurable risk management objectives, includes them in the annual strategic plan, and defines criteria for escalating cybersecurity risk.
3. Roles, Responsibilities, and Authorities
School system leaders must establish clear cybersecurity roles and document risk management responsibilities in job descriptions. They are responsible for developing, implementing, and assessing cybersecurity strategy, setting clear expectations, aligning resources effectively, and integrating system-wide security measures so that everyone knows how to protect against cyber threats within a safe, ethical culture that prioritizes continuous improvement.
4. Policy
The school system's policy provides a clear framework for managing and reducing cyber risk. Senior leadership is expected to approve all organizational cybersecurity policies and the processes and procedures that support them, and to communicate them clearly, including statements of intent, expectations, and direction. By regularly updating and enforcing these policies, schools can keep their digital environments more secure, continuously improving, responsive to new threats, and aligned with their educational mission.
5. Oversight
Cybersecurity oversight enables schools to continuously monitor and enhance their strategies against cyber risk, aligning protective measures with educational goals. Leadership activities and performance results drive the risk management strategy: establishing metrics, regularly reviewing and sharing risk governance results with senior leadership, and adjusting cybersecurity strategies based on performance and emerging risks for proactive protection.
6. Cybersecurity Supply Chain Risk Management
Schools must evaluate cybersecurity supply chain risk related to technology services, cloud-based hosting, instructional resources, and operational support. Clearly defined processes to identify the suppliers and systems whose compromise would have a critical impact, to enforce security requirements with those suppliers, and to document response plans help schools identify, assess, and prioritize proactive measures.
Ongoing Cybersecurity Support For Schools
The Cybersecurity Coalition for Education is proud to have worked with the NIST CSF 2.0 design team and contributed significantly on behalf of the education sector. Our Coalition's commitment to improving cybersecurity practice in education will help education technology leaders nationwide and abroad!
We're focused on making the connection between strong leadership, cybersecurity risk management, and building a cybersecurity culture from the top down. With supports aligned to the NIST CSF 2.0, such as the Cybersecurity Rubric, training, and certification program, schools have accessible tools they can use to improve their cybersecurity practices immediately.
Access all of these resources at cybersecurityrubric.org and start building momentum today.