Clifton, NJ - April 10, 2024 - Today, the Cybersecurity Coalition for Education and Advisory Council is excited to announce the immediate availability of the following:
- Cybersecurity Rubric 2.0
- Updated training on Cybersecurity Rubric 2.0
- Updated training for Certified Cybersecurity Rubric Evaluators (CCREs) related to Cybersecurity Rubric 2.0
Background
The Cybersecurity Rubric self-assessment toolkit and related training were created and released in April 2023. These resources are based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) v1.1, which was released in 2018.
After many months of public comments and improvements, the National Institute of Standards and Technology (NIST) released the Cybersecurity Framework 2.0 (CSF 2.0) on February 26, 2024. The update clarified some of the existing CSF categories and added a new governance category to the framework. Through this update, CSF 2.0 better connects organizational leadership with cybersecurity risk management, an essential shift as cybersecurity continues to be a growing concern at the cabinet level and in board rooms.
The Cybersecurity Coalition for Education contributed to the development of these CSF 2.0 improvements and immediately incorporated them into our work and resources.
What's New With CSF 2.0?
There are two main changes from v1.1 to v2.0:
Change #1: Addition of the Govern Function
NIST organizes the Cybersecurity Framework into a hierarchy of 'Functions' and 'Categories.' CSF v1.1 had five functions: Identify, Protect, Detect, Respond, and Recover. CSF v2.0 added a sixth function called 'Govern,' which is intended to impact all other functions.
We believe adding a governance function appropriately matches the reality of increased interest and investment from senior leadership in building a strong cybersecurity culture from the top down.
Function Definitions
- GOVERN: Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy.
- IDENTIFY: Determine the current cybersecurity risk to the organization.
- PROTECT: Implement safeguards to prevent or reduce cybersecurity risk.
- DETECT: Identify and analyze possible cybersecurity attacks and compromises.
- RESPOND: Describe actions taken regarding a detected cybersecurity incident.
- RECOVER: Address restoring assets and operations impacted by a cybersecurity incident.
Change #2: Modifications to Some Categories
When placed side by side, you can clearly see the addition of the Govern function, but you'll also notice that several other categories were slightly changed as well. These changes reflect NIST's goal of making the CSF more easily adopted by a broader community of leaders and industries.
We support these improvements and feel they make CSF 2.0 an even better framework for K12 organizations because now the concepts behind the categories are more universally understood.
What's New With Cybersecurity Rubric 2.0
The Advisory Council and the Coalition's instructional design team worked closely together, and we are thrilled to release new versions of all the following:
- Cybersecurity Rubric 2.0 (all three editions: Google Sheets, Excel, and PDF)
  - Updated with the new Govern function and all category modifications
- On-demand Cybersecurity Rubric 2.0 training modules
- New Q&A format scoring guide to help self-assessors complete the rubric
  - This resource helps professionals more accurately score their organization on the rubric
These resources all continue to be available at no cost to schools worldwide.
What's New With Certified Cybersecurity Rubric Evaluator (CCRE)
The Advisory Council and the Coalition's instructional design team worked closely together, and are thrilled to release new versions of all the following:
- On-demand Certified Cybersecurity Rubric Evaluator (CCRE) training modules and certification
Discount codes for the $99 CCRE training course and certification exam continue to be made available to professionals around the world.
Existing CCREs are invited to complete the updated on-demand CCRE training for the Cybersecurity Rubric 2.0 at no cost.
Existing CCREs are not required to recertify with the updated Cybersecurity Rubric 2.0, as certifications are valid for two years from issuance.
Access the Cybersecurity Rubric 2.0 Today
Ready to explore the newest version of the Cybersecurity Rubric? Visit cybersecurityrubric.org/use-the-rubric.