nist 2 update blog

NIST’s Cybersecurity Framework 2.0: What’s New And How To Get Started

Cyber-risk management cannot live in a vacuum. And while high-level best practices might remain largely the same over a period of years, both the threat landscape and the challenges facing compliance teams have evolved significantly over the past decade. That’s why one of the most popular guidelines out there is getting a refresh.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) was first published in 2014 following an executive order from then-President Barack Obama. Its first significant refresh is now published. The hope is that it will help global organisations meet today’s and tomorrow’s challenges while being more straightforward to use than the original CSF. There’s much to be optimistic about.

A Background To The CSF

The CSF is voluntary and was initially intended for critical national infrastructure (CNI) organisations. However, its clarity and thoroughness in highlighting cybersecurity best practices made it one of the most popular frameworks among US and global organisations—whatever their sector.

It’s built around five key functions:

Identify:

Create a record of the organisation’s hardware, software and data assets. Publish a policy outlining roles and responsibilities for anyone with access to critical data, including partners and suppliers. Also, create a procedure for incident response and remediation.

Protect:

Physical and technical controls for safeguarding critical assets. It could include backups, user education, encryption, access controls and regular updates.

Detect:

Monitor for unauthorised access and unusual network activity.

Respond:

Build a plan for incident notification (to customers, regulators, shareholders, etc.), business continuity and incident investigation. This plan should be regularly tested.

Recover:

Repair and restore affected assets/services following a breach and keep employees and customers informed. Enhance cyber-resilience through learning.

As part of the framework, NIST also created four tiers to help firms gauge their maturity in implementing the CSF (Partial, Risk-informed, Repeatable, Adaptive). And it included a step-by-step guide to creating a risk management programme. Broadly speaking, this goes as follows:

  • Scope the project and identify priorities
  • Orientate to understand relevant industry regulations and cyber threats
  • Create a profile to illustrate how risk is currently handled in the organisation
  • Conduct a risk assessment to understand the likelihood and severity of a cybersecurity event that could impact the organisation
  • Create a target profile which will serve as the end goal of the security team
  • Identify the gaps between the current and target profiles to create an action plan, including any resources needed
  • Implement the action plan

What’s New For 2024?

Released in August 2023, the draft version of the CSF (v 2.0) makes several important updates to the original document. Key among these are attempts to broaden the use of the framework, improve guidance on implementation and emphasise the importance of governance:

A New Govern Pillar

This covers organisational context; risk management strategy; cybersecurity supply chain risk management; roles, responsibilities, and authorities; policies, processes, and procedures; and oversight. Additionally, guidance is offered on integrating the CSF with the NIST Privacy Framework and NIST IR 8286.

Expanded Guidance On Use

CSF 2.0 introduces more examples of implementation. It also revises framework profiles to make using them easier during projects. Notional templates are included, which organisations can use or adapt to create profiles and action plans.

Broadening the CSF

The official title has been changed from the Framework for Improving Critical Infrastructure Cybersecurity to the more commonly used CSF. The scope has been updated to reflect use by all organisations, not just those operating CNI.

Additionally, there’s greater emphasis on supply chain security, with new links to NIST SP 800-55. The importance of continuous improvement is also given more weight through a new “improvement” category under the Identify pillar.

A Step In The Right Direction

Experts broadly welcome the CSF refresh. Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, tells ISMS.online that after nearly a decade, a new version was needed to take account of changes in the threat landscape.

“Expanding it to more organisations is the right approach in bolstering resilience against the vast array of cyber-threats they face,” he adds. Simplifying the CSF will also make it easier to adopt the framework, enabling more organisations to raise their level of security protection.”
Netography’s CEO, Martin Roesch, also praises the new “Govern” pillar.

“Adding governance to the NIST Cybersecurity Framework is a key step in helping organisations show proof that their infrastructure aligns with their policies at any given time, and it allows security teams to have a way of measuring how effectively their system is operating,” he tells ISMS.online.

“By expanding the scope of the CSF and improving the implementation guidelines, NIST is providing a larger swath of organisations with a strong roadmap to achieving information security and risk management success regardless of size or industry vertical.”

However, at the same time, Roesch argues that some organisations may struggle to apply governance principles to their environments, “especially if they have diverse technologies, systems, and processes.” He also warns that resource constraints may prohibit the continuous monitoring needed to “establish and maintain robust cybersecurity governance” against a backdrop of rapidly evolving network security architectures. He describes social media governance, in particular, as a “Pandora’s Box” of privacy and security challenges.

Thus, implementing even a streamlined, more user-friendly CSF may be challenging for some organisations. But an information security management system (ISMS) could help, says Delinea’s Carson.

“It can outline examples of how to use the CSF 2.0 Reference Tool and give an understanding of what real-world implementations look like,” he says. “As more organisations observe their peers successfully deploying and implementing the CSF, and how they map to the reference tool, it will encourage others to quickly follow.”

Last Edited: March 6th, 2024
Author

Phil Muncaster

Phil Muncaster has been an IT journalist for 15 years. He started out as a reporter on enterprise IT title IT Week in 2005 and progressed to the role of News Editor before leaving to pursue a freelance career. Since then, Phil has written for titles including The Register, where he worked as Asia correspondent whilst based in Hong Kong for over two years, MIT Technology Review, SC Magazine, Infosecurity Magazine and others.

View all posts by Phil Muncaster

Related Posts

ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more