Empowering Cybersecurity Resilience: Exploring the NIST Cybersecurity Framework 2.0

There are many cybersecurity regulations and frameworks that security leaders use to establish a baseline for security posture inside their organization. Some are driven by sector-specific requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare or the Payment Card Industry Data Security Standard (PCI DSS) for organizations handling card payments. Others are cross-industry, including ISO/IEC 27001 and the Center for Internet Security (CIS) Critical Security Controls. Arguably the most widely adopted, however, is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

First introduced in 2014 and updated to v1.1 in 2018, NIST CSF has become a key tool for security teams in reducing cyber risk and establishing effective cybersecurity programs. Although its use is only mandatory for US federal agencies (and, by extension, potentially their suppliers), it has been adopted voluntarily worldwide. This is due in part to the simplicity of its approach, which has been built around five core functions: Identify, Protect, Detect, Respond and Recover.

It is now five years since the last major revision of NIST CSF, and much has changed in the technology landscape in that time: the huge growth in cloud computing, the shift to hybrid working, and the emergence of the software and service supply chain as a significant attack vector.

Introducing NIST CSF 2.0

NIST started a consultation process with a Request for Information in February 2022, which received submissions from more than 130 organizations, including Microsoft, American Airlines and a collective response from a number of security vendors and notable practitioners.

NIST spent more than a year reviewing the feedback from the wider security community and released the public draft of CSF 2.0 on August 8, 2023, opening a comment period that runs until November 4, 2023. Interested parties will also have the chance to attend a workshop on September 19-20 to discuss the draft. The final version of NIST CSF 2.0 is expected to be published in early 2024.

According to the lead developer of the new framework, NIST’s Cherilyn Pascoe, “[with this update] we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well.” She also noted that the new draft reflected feedback from respondents that they needed “more guidance on implementing the CSF and making sure it could address emerging cybersecurity issues, such as supply chain risks and the widespread threat of ransomware.”

What’s new in CSF 2.0?

The headline change in this version of CSF is the addition of a new function. Where CSF 1.1 organized an effective cybersecurity program around the five core functions listed above, CSF 2.0 introduces a sixth: Govern.

NIST Cybersecurity Framework 2.0 has six functions: Identify, Protect, Detect, Respond, Recover and Govern.

This addition acknowledges the growing recognition of cybersecurity as a critical enterprise risk, on par with legal, financial and other considerations for senior leadership. By adding the Govern function, CSF 2.0 makes explicit that organizational leadership must actively own cybersecurity governance and risk management, rather than treating it as a purely technical concern delegated to the security team.

Elements covered under the new Govern function include defining risk management objectives and risk appetite, assigning organizational roles and accountability, and understanding the legal and regulatory requirements the organization must meet. It also covers relationships with external stakeholders, with cybersecurity supply chain risk management appearing as a category in its own right, reflecting the growing importance of maintaining cyber governance across the extended supply chain.

Closing the Gap: Enhanced implementation guidance in v2.0

Recognizing the importance of practical implementation advice, the CSF 2.0 draft offers improved and expanded guidance to help organizations put the framework into practice, including implementation examples for each subcategory and informative references that map it to other standards. This enhanced guidance aims to bridge the gap between theory and practice, enabling organizations to translate the principles of the framework into actionable cybersecurity measures.

CSF 2.0 also provides clearer instructions on creating Profiles: a Current Profile that records the outcomes an organization achieves today and a Target Profile that captures where it needs to be, with the gap between them driving a prioritized action plan tailored to the organization’s risk landscape. CSF was originally developed for critical infrastructure operators; these changes are intended to make it consumable for a far wider range of industry sectors, including smaller and less complex businesses that are increasingly targeted by ransomware gangs.

Seizing the Future of NIST CSF 2.0’s Upcoming Enhancements

As stated earlier, the deadline for public comments is November 4, 2023, so now is a good time to review the current draft. NIST also plans to release a CSF 2.0 reference tool over the coming weeks that will allow users to browse, search and export the CSF 2.0 Core in both human- and machine-readable formats, which should make it easier to map the new functions and categories onto existing controls and tooling.

By expanding the scope to organizations of all sizes and sectors, introducing the Govern function, and improving implementation guidance, CSF 2.0 gives organizations a stronger basis for understanding and managing their cybersecurity risk. Organizations that adopt CSF 2.0 can establish a foundation for a proactive and resilient cybersecurity strategy as their environments and supply chains become increasingly interconnected.

Ready to fortify your organization’s cybersecurity strategy with the power of NIST CSF 2.0? Join an upcoming live demonstration to see how Noetic can help.