The National Institute of Standards and Technology (NIST) is a non-regulatory agency within the US Department of Commerce. NIST serves as an unbiased source of scientific data and practices, including cybersecurity practices. Among NIST's many frameworks, the Cybersecurity Framework (CSF), released in 2014, aims to assist organizations in protecting their critical infrastructure from cyberattacks using five core functions: identify, protect, detect, respond, and recover.
What's New? Key Changes in the Latest NIST Cybersecurity Framework Update V2.0
The CSF has undergone a couple of updates since its initial publication. NIST CSF version 1.1 was released in 2018; a detailed list of the changes from NIST CSF version 1.0 to version 1.1 can be found in NIST's Cybersecurity Framework v1.1 report.
The NIST CSF version 2.0, released in February 2024, “represents a significant change to the cybersecurity framework,” Tom Conkle stated. Over the past ten years, the framework had only been updated once, with version 1.1 in 2018. Conkle and his colleague Kelly Hood, both Cybersecurity Engineers at Optic Cyber Solutions, explained in their RSAC 2024 webcast that CSF v2.0 now has six functions, 22 categories, and 168 subcategories. This reduction in categories is due to the realignment and consolidation of certain elements, Hood explained.
Four key changes have been introduced in CSF version 2.0:
1. Govern Core Function
The most significant change in the NIST CSF version 2.0 is the addition of a new function: Govern (Fig. 1). This function includes six categories that emphasize the importance of governance and leadership in cybersecurity management to mitigate potential risk (Fig. 2).
Figure 1.
Figure 2.
2. Revamped Respond and Recover Functions
The NIST CSF v2.0 has revamped the Respond and Recover functions to increase the focus on practical, impactful cyber incident response outcomes. In previous versions, these functions were less detailed. This update ensures a more comprehensive approach to incident response and recovery.
The comparison below highlights the changes from v1.1 to v2.0.
CSF Version 1.1
CSF Version 2.0
3. New Category for Supply Chain Risk Management
Supply Chain Risk Management moved from the Identify function to the Govern function. The Secure Software Development category also shifted under the Govern function, and this category is split into ten subcategories, enabling organizations to effectively identify, establish, manage, and monitor supply chain risk management processes.
4. Enhanced Implementation Guidance
Aiming to be more inclusive, v2.0 provides guidance and resources for organizations of all sizes and industries, not just those in the critical infrastructure sector. NIST has expanded the CSF’s core guidance and developed related resources to help users understand the framework. NIST has also published resources that give different audiences tailored pathways into the CSF and make the framework easier to put into action.
To read more about the NIST CSF Version 2.0, visit their cybersecurity framework page.
The Ripple Effect: How the Updated NIST Cybersecurity Framework Impacts Organizations
The v2.0 updates now provide more focus and guidance on managing risk, helping users learn how to select specific outcomes that reduce cybersecurity risk and strengthen cyber defenses efficiently.
Still, implementing NIST CSF v2.0 can be challenging, despite its many benefits and opportunities. A few common challenges are outlined below.
Framework Complexity
The addition of new elements, specifically the Govern function, requires organizations to reassess, and potentially restructure, their governance policies and procedures. Adding new procedures and policies may be daunting for organizations, especially small and medium-sized enterprises that may not have the budget, resources, or cybersecurity expertise to comply with the framework. Chief Information Security Officers (CISOs) must prioritize resource allocation to mitigate security risks effectively and comply with CSF v2.0 and other security policies and regulations.
Alignment
In a 2023 presentation with Hood and Greg Witte, Sr. Cybersecurity Engineer at Palydin, LLC, Witte explained that one of the challenges he has heard from people is that the standards are always changing. For example, when NIST releases a PDF with references and helpful resources on how to follow the NIST CSF, the referenced standards may change after the PDF is released. Witte explained, "When you're pointing to a community that is constantly changing, as it should be, it gets difficult to point to references." This revolving door can make it hard for organizations to align not only with NIST CSF standards but with other cybersecurity standards as well.
Training Employees
Training an organization's employees to understand the v2.0 changes and how to implement them, so that they follow the correct regulations and policies, is critical. However, a significant shift within an organization can be met with resistance, and integrating cybersecurity into broader business processes and objectives is also challenging.
Putting the NIST Cybersecurity Framework into Practice: Best Practices and Tips
The best practices and tips below are worth considering when implementing the NIST CSF v2.0.
1. Understand the Framework: Take the time to understand the NIST CSF 2.0 core functions and tiers. To successfully adopt the framework, an organization must have a fundamental understanding of it.
2. Create an Organizational Profile: An organization should create a personalized organizational profile and compare its current and target profiles. By comparing these profiles, an organization can identify business objectives, gaps, and necessary actions to improve its cybersecurity posture. NIST provides a free, customizable CSF Organizational Profile template; the quick-start guide can be found here.
3. Continuous Monitoring: After implementing the NIST CSF v2.0, an organization should monitor, review, and update its organizational profile when necessary, because cybersecurity regulations, policies, and frameworks are constantly evolving.
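To make the profile comparison in step 2 concrete, the following is an added illustration (not NIST's Organizational Profile template or any tooling from the presenters): it scores a constructed current profile against a constructed target profile by Implementation Tier and lists the gaps, largest first, grouped by function. It assumes the four CSF tier names and the CSF 2.0 Govern category codes (GV.OC through GV.SC); the tier assignments in the sample data are made up.

```python
"""Gap analysis between a current and a target CSF 2.0 Organizational Profile.

Added example, not NIST's template. The tier values assigned below are
constructed sample data; the category codes are CSF 2.0 Govern/Identify codes.
"""
from dataclasses import dataclass

# CSF Implementation Tiers, lowest to highest maturity.
TIERS = {"Partial": 1, "Risk Informed": 2, "Repeatable": 3, "Adaptive": 4}


@dataclass(frozen=True)
class Gap:
    category: str   # e.g. "GV.SC"
    current: str    # tier in the current profile
    target: str     # tier in the target profile
    size: int       # number of tiers still to climb


def find_gaps(current: dict, target: dict) -> list:
    """Return categories whose current tier is below the target, largest gap
    first (ties broken by category code). A category missing from the
    current profile is treated as Partial, i.e. nothing in place yet."""
    gaps = []
    for cat, tgt in target.items():
        cur = current.get(cat, "Partial")
        size = TIERS[tgt] - TIERS[cur]
        if size > 0:
            gaps.append(Gap(cat, cur, tgt, size))
    return sorted(gaps, key=lambda g: (-g.size, g.category))


def gaps_by_function(gaps: list) -> dict:
    """Sum gap sizes per function prefix (GV, ID, PR, DE, RS, RC) so
    leadership can see where the most work is concentrated."""
    totals = {}
    for g in gaps:
        fn = g.category.split(".")[0]
        totals[fn] = totals.get(fn, 0) + g.size
    return totals


# Constructed sample profiles: the six Govern categories plus ID.AM.
# GV.SC (supply chain) is absent from the current profile on purpose.
CURRENT = {"GV.OC": "Repeatable", "GV.RM": "Risk Informed", "GV.RR": "Risk Informed",
           "GV.PO": "Repeatable", "GV.OV": "Partial", "ID.AM": "Repeatable"}
TARGET = {"GV.OC": "Repeatable", "GV.RM": "Adaptive", "GV.RR": "Repeatable",
          "GV.PO": "Repeatable", "GV.OV": "Repeatable", "GV.SC": "Repeatable",
          "ID.AM": "Adaptive"}

if __name__ == "__main__":
    for g in find_gaps(CURRENT, TARGET):
        print(f"{g.category}: {g.current} -> {g.target} (gap {g.size})")
    print(gaps_by_function(find_gaps(CURRENT, TARGET)))
```

Re-running the same comparison after each review cycle (step 3) shows whether the gap list is actually shrinking.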
Yes, implementing NIST CSF v2.0 can be challenging, but when done correctly, it significantly benefits an organization's security posture. Given the increasing sophistication of cyberattacks and threats, it's crucial for organizations to follow this framework alongside other cybersecurity frameworks, policies, and regulations. NIST provides many free resources and tools on its website, and those interested in a detailed understanding of the framework's evolution can check out this 2018 webcast.