NIST CSF 2.0 Is Here: How Will You Adapt?
Posted by: Zachary Sheaffer
The new NIST Cybersecurity Framework (CSF) 2.0 comes with multiple important and long-awaited updates. It won’t be easy to adopt all of them, but the beauty of this framework is that organizations have the flexibility to determine which controls they prioritize, to what degree they implement them, and, in some instances, whether they implement them at all.
Why the Change?
1. Evolving Threat Landscape: Cyber threats have become more sophisticated and pervasive. Organizations need a holistic approach that integrates cybersecurity into their overall risk management strategy.
2. Senior Leadership Engagement: NIST CSF 2.0 emphasizes the role of Senior Leaders in driving cybersecurity decisions. Their involvement ensures that cybersecurity aligns with organizational goals.
3. Broader Adoption: By expanding beyond critical infrastructure, NIST CSF 2.0 encourages widespread adoption and promotes a culture of cybersecurity awareness.
Aspects of the framework have been restructured with the creation of a new “Govern” Function. NIST CSF 2.0 builds upon the success of the original CSF and introduces several enhancements. Original CSF → CSF 2.0:
- 5 Functions → 6 Functions
- 23 Categories → 22 Categories
- 108 Subcategories → 106 Subcategories
10 Categories have been removed from the CSF, including:
- Business Environment (ID.BE)
- Governance (ID.GV)
- Identity Management and Access Control (PR.AC)
- Information Protection Processes and Procedures (PR.IP)
- Maintenance (PR.MA)
- Protective Technology (PR.PT)
- Detection Processes (DE.DP)
- Improvements (RS.MI/RC.MI) for both the Respond and Recover Functions
11 new Categories have been added or rebranded by NIST, which consist of:
- Organizational Context (GV.OC)
- Risk Management Strategy (GV.RM)
- Policies (GV.PO)
- Roles, Responsibilities, and Authorities (GV.RR)
- Oversight (GV.OV)
- Cybersecurity Supply Chain Risk Management (GV.SC)
- Improvement (ID.IM)
- Identity Management Authentication & Access Control (PR.AA)
- Platform Security (PR.PS)
- Technology Infrastructure Resilience (PR.IR)
- Incident Management (RS.MA)
NIST CSF 2.0 improves upon the alignment of cybersecurity risk with business risk, allowing organizations to prioritize their efforts based on specific needs and potential effects. For example, the Supply Chain Risk Management Category has been moved from the Identify to Govern Function and expanded in recognition of the growing importance of managing third-party risks inherent in interconnected businesses.
The NIST CSF 2.0 framework is structured to be more user-friendly and customizable for organizations of all sizes across different industries, allowing for greater adaptability and scalability as businesses grow or face new challenges.
It’s worth taking the time to review the breadth of improvements to the framework and think about how your organization will adapt while adopting them. In this blog, we’ll focus on the new Govern Function as well as a few of the changes to the Identify, Protect, Detect, Respond, and Recovery Functions.
Govern Function
Governance is critical to the modern cybersecurity program as it bridges the gap between technical controls and the business side of the organization and provides some much-needed structure. It enables organizations to establish accountability for security and risk management practices, increase alignment between information security and the business, and improve their ability to make risk-informed decisions.
According to NIST, “The CSF 2.0, which supports the implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector.” The changes to the framework are attracting interest from multinational organizations that have been faithful to ISO 27001/27002 for years.
The CSF’s Govern Subcategories emphasize the importance of aligning cybersecurity risk with business risk, and they should be considered alongside others in areas such as finance and reputation.
Identify Function
In NIST CSF 2.0, the Identify Function is focused on identifying and prioritizing assets, vulnerabilities, and threats, which helps organizations better understand and manage cybersecurity risks. By aligning with this Function, organizations will have the ability to identify and act on cyber threats, vulnerabilities, and security risks to ultimately protect critical information, assets, and operations.
Key changes include moving some Identify-related Categories into the Govern Function, including ID.BE – Business Environment, ID.GV – Governance, ID.RM – Risk Management Strategy, and ID.SC – Supply Chain Risk Management. These were moved because they’re more traditional governance-focused Categories. These changes have left the Identify Function with only two of its original Categories.
However, in the new version of the framework, Identify has one new Category, Improvement, which contains controls that deal with an organization’s ability to synthesize feedback from a wide variety of sources and continuously improve their security measures in order to protect against emerging threats.
Protect Function
The Protect Function is designed to outline appropriate safeguards to ensure the secure delivery of critical infrastructure services. It supports the ability to limit or contain the impact of a potential cybersecurity event.
For example, access to physical and logical assets is limited to authorized users, services, and hardware and is managed relative to the risk of unauthorized access.
Protect is more than a firewall, IDS/IPS, and encryption, although they all have commonalities. NIST CSF 2.0 generalizes by stating that you need configuration management, logging, and similar baseline safeguards. Those requirements are universal across all of these areas, including physical security, which should be integrated into your Security Operations Center (SOC).
Detect Function
The Detect Function aims to identify and monitor any cybersecurity events and focuses on developing and using practices to do this. It helps the organization stay aware of new cybersecurity threats and then act quickly to address them. For CSF 2.0, this Function has been reorganized to consolidate the existing controls in use. It now has two Categories: Continuous Monitoring and Adverse Event Analysis.
Respond Function
Respond supports the ability to contain the effects of cybersecurity incidents, with outcomes such as incident management, analysis, mitigation, reporting, and communication. The focus is to minimize the impact of a security event on an organization. The changes here in 2.0 are fairly negligible, with the exception of the reduced emphasis on Business Continuity (BC) within the Respond Function.
Recovery Function
In CSF 2.0, the Recovery Function description has been simplified: “Restore assets and operations that were impacted by a cybersecurity incident.” This includes creating a disaster recovery plan and an effective communication plan that is coordinated between internal and external parties.
Conclusion
Navigating the changes in the NIST CSF 2.0 can be challenging. Our team can provide unique solutions tailored to help you adopt the NIST CSF 2.0 and seamlessly integrate it into your cybersecurity plan. Request a Consultation Today.