What do I need to know about the updates to the NIST CSF 1.1 framework in Drata?
When the NIST CSF framework was first made available in Drata, it was released with only the requirements (i.e., NIST CSF Controls). As we work to improve the experience in Drata, we have listened to your feedback and made the following updates:
We added DCF control mapping to all requirements, 170 controls in all. Note: the only thing updated here was the mapping itself; any customizations to your controls were not altered.
We added 2 additional controls specifically relevant to NIST CSF.
We updated 2 existing controls in the DCF Controls Library with minor and non-material changes (DCF-54 and DCF-283).
Updates were made to 4 existing policy templates (see below for how to access these updates).
How do these changes affect me and what should I do next?
When these changes were rolled out, you may have noticed a change in your readiness for the NIST CSF framework. Here are the steps you need to take in order to stay on track with your compliance goals for this framework.
Review the mappings of requirements to controls
Determine if any new controls are out of scope for your organization
Ensure the DCF controls that are in scope have the necessary evidence
Review, update, and approve the new policies and policy template revisions and have your personnel accept them
How do I update to the latest policy templates?
The following policy templates have been updated for the NIST CSF 1.1 framework:
Asset Management Policy
Risk Assessment Policy
Risk Assessment Policy (Privacy version)
System and Information Integrity Policy
To update to the latest policy templates, go to Policy Center and click on the edit icon next to each of the above policies. From here, click on the 'Actions' button, and select 'Revert to Latest Template' (or 'Restart with Latest Template' if you had uploaded a custom policy). Review and edit the policy as you see fit, then follow the usual policy approval workflow.