What's New In The NIST Cybersecurity Framework Version 2.0

In recent years, the global digital landscape has become increasingly volatile, with cybersecurity threats evolving at an unprecedented rate and the cost of a data breach rising consistently year over year. As organizations scramble to implement robust cybersecurity programs and policies, the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) version 1.1 (2018) has emerged as a popular, straightforward, high-level policy framework. Its structured, function-based approach to mitigating cybersecurity risk has been widely adopted by organizations seeking to strengthen their security posture.

The recent release of NIST CSF Version 2.0 on February 26, 2024, marks a significant evolution, reflecting the latest insights and practices in the field of cybersecurity. In this article, we will provide a comprehensive review of the new additions and changes introduced in NIST CSF Version 2.0, offering insights into how these updates can empower organizations to further fortify their defenses against the ever-growing spectrum of cyber threats.

What's New In NIST Cybersecurity Framework 2.0?

The NIST CSF version 1.0 was first released in 2014 and had not had a major update since its creation. Comparing the summary diagrams of the first and the newly released versions, it is not obvious on the surface what has changed. According to NIST, CSF 2.0 addresses the following needs:

  • While CSF 1.0 was focused on critical infrastructure, CSF 2.0 seeks to support all types of organizations

  • CSF 2.0 includes updated core guidance

  • CSF 2.0 includes a robust set of online resources to support understanding and implementation

  • CSF 2.0 has an increased emphasis on governance and supply chain security

At first glance, both frameworks share the same high-level process. However, CSF 2.0 adds a new function called "Govern":

  1. Identify: Establish a comprehensive understanding of the organization's systems, assets, data, and capabilities to manage cybersecurity risk to those resources

  2. Protect: Implement safeguards to ensure delivery of critical services, aiming to limit or contain the impact of a potential cybersecurity event

  3. Detect: Develop and deploy appropriate activities to identify the occurrence of a cybersecurity event in a timely manner

  4. Respond: Execute a planned response to detected cybersecurity incidents to contain and mitigate their impact

  5. Recover: Implement strategies to restore any capabilities or services impaired due to a cybersecurity incident, ensuring timely recovery to normal operations

  6. Govern: Establish and maintain a governance structure that defines roles, responsibilities, and processes to align cybersecurity strategy with organizational goals, risk appetite, and regulatory requirements

NIST CSF 2.0 Has Added Governance Activities

The most obvious new addition to the NIST Cybersecurity Framework (CSF) is the introduction of a new Govern function.

The Govern function is positioned at the core of the NIST CSF 2.0 framework, indicating that governance needs to underlie all other functions and emphasizing cybersecurity's significance as a primary source of enterprise risk, including financial and reputational risk.

Additional Resources Available For CSF 2.0

Organizations are rapidly expanding their cybersecurity operations due to the increased risk of ransomware and growing pressure from government regulation and cyber-insurers demanding more extensive compliance. This coincides with an acknowledged IT security talent shortage, meaning many organizations are expanding their cybersecurity policies and activities under duress. CSF 2.0 appears to account for these organizational challenges by greatly expanding the resources and tools available to support cybersecurity program growth.

NIST has also expressed a commitment to enhancing CSF resources and encourages feedback from the community to improve the CSF's effectiveness and completeness.

Here is a list of newly available NIST CSF 2.0 resources.

Introduction of CSF 2.0 Reference Tool Simplifies CSF Implementation

The new reference tool for NIST CSF streamlines implementation for organizations, enabling users to easily navigate, search, and export filtered data and essential details from the CSF's core guidance in both human-readable and machine-readable formats.

For example, a search for the term "encryption" highlights two CSF 2.0 Protect function categories, "Identity Management, Authentication, and Access Control (PR.AA)" and "Data Security (PR.DS)", reflecting the role of encryption both in protecting data and in robust authentication schemes.

CSF 2.0 Searchable Catalog Of Information References

CSF 2.0 provides organizations with a searchable catalog of informative references, facilitating cross-referencing of the CSF's guidance with over 50 other cybersecurity documents.

The Online Informative Reference Catalog serves as a comprehensive repository for the National Online Informative References (OLIR) Program, including all validated Reference Data, Informative References, and Derived Relationship Mappings (DRMs). This catalog adheres to the standards set by the NIST Interagency Report 8278A Rev. 1 (Final) and offers a platform for developers and users to access and analyze reference data. It features both draft content under public review and finalized materials.

The Cybersecurity and Privacy Reference Tool (CPRT)

The Cybersecurity and Privacy Reference Tool (CPRT) provides links to NIST's comprehensive set of guidance documents, such as the NIST Special Publication (SP) 800 series. This resource contextualizes NIST materials, including the CSF, alongside other widely used references. Additionally, the CPRT facilitates communication between technical experts and the C-suite, helping ensure alignment across all levels of the organization.

Quick Start Guides And Implementation Examples

NIST CSF 2.0 includes a total of five quick-start guides with implementation examples, meant to serve as targeted support for all types of organizations to streamline the CSF 2.0 adoption process.

NIST’s CSF 2.0 Quick Start Guides (QSG) include:

Conclusion

The release of NIST CSF Version 2.0 marks a significant evolution in the field of cybersecurity, offering updated guidance to address emerging challenges. The introduction of the Govern function underscores the importance of governance in cybersecurity risk management, positioning it as a central pillar within the framework. CSF 2.0 expands its reach to support all types of organizations beyond critical infrastructure, with added emphasis on governance and supply chain security.

Moreover, the availability of additional resources, such as the CSF 2.0 Reference Tool and the Cybersecurity and Privacy Reference Tool (CPRT), streamlines implementation and facilitates cross-referencing with other cybersecurity documents. NIST remains committed to enhancing CSF resources and welcomes community feedback to further improve effectiveness and completeness. Overall, these updates empower organizations to bolster their cybersecurity defenses amidst evolving threats and organizational challenges.
