The NIST Cybersecurity Framework 2.0 (CSF 2.0) is the latest version of the widely adopted cybersecurity guidance from the National Institute of Standards and Technology (NIST). This updated framework, released at the end of February 2024, is designed to help organizations of all sizes, including small and medium-sized businesses like restaurants, better manage and mitigate their cybersecurity risks.
Think of a framework as a recipe for success that defines the ingredients needed for a cybersecurity operation to meet your restaurant’s needs.
The National Restaurant Association (NRA) has been proactive in helping its members adopt the NIST CSF 1.1. The NRA created and distributed the “Cybersecurity 101: A Toolkit for Restaurant Operators” guide that details the five core functions of the original framework – Identify, Protect, Detect, Respond, and Recover.
The updated CSF 2.0 is expected to be even more accessible and applicable for small and medium-sized businesses like restaurants than the original CSF 1.1.
The CSF 2.0 recipe includes a new “Govern” function to drive leadership support and alignment with enterprise risks. This addition reflects a trend we are seeing: regulations, cyber insurance requirements and contracts increasingly press the idea that cybersecurity is a fiduciary duty of management and not just a technology topic.
The new Govern function supports the five original functions. An operator must Identify its assets and implement controls to Protect those assets. Protection is never perfect, so the CSF includes control objectives that provide the tools and processes to Detect problems with those assets. In the event a problem interferes with confidentiality (e.g., PCI data, customer data, trade secrets, employee data) or integrity (i.e., threats to the accuracy of important data and information), the CSF provides tools and processes to Respond to the incident and Recover from it.
The framework also has an expanded focus on supply chain security, which is crucial for restaurants that rely on various vendors and suppliers, as many operators learned with last year’s NCR Aloha ransomware incident.
NIST has emphasized that CSF 2.0 is designed to be flexible and adaptable for organizations of all sizes and sectors. The framework provides guidance on outcomes and objectives rather than prescriptive implementation details, allowing restaurants to tailor it to their unique needs and risk profiles.
The NRA has hosted NIST for presentations during association events, including webinars and executive study groups, to help educate and enable restaurant operators to adopt the framework. This demonstrates the NRA’s commitment to empowering its members to strengthen their cybersecurity posture using the NIST CSF.
Overall, the adoption of CSF 2.0 by restaurant operators is expected to grow as the NRA and NIST continue to provide resources, education, and sector-specific guidance to help this industry better manage its cybersecurity risks. The flexibility and scalability of the updated framework make it a valuable tool for restaurants of all sizes to strengthen their cybersecurity posture.
GBQ’s IT Services team specializes in measuring a firm’s cyber risks against the control objectives in the NIST CSF and helping firms improve their security posture after the risk assessment. Please get in touch with your GBQ advisor to learn more.