
NIST releases updated Cybersecurity Framework 2.0
The U.S. National Institute of Standards and Technology (NIST) has long been a useful source of resources to help cybersecurity teams evaluate needs, plan investments, and implement best practices. In 2013 it published the NIST Cybersecurity Framework (CSF) as the primary repository for guidance on establishing effective cybersecurity practices.
Back in 2022, we published a blog post designed to help you navigate and implement the guidance offered in the CSF. And in 2023, another post reported that NIST was working on a major update to the CSF.
Now comes the news that the updating process is complete and CSF 2.0 has been officially published. So, let’s have a look at what’s changed and how those changes may affect your efforts to understand, implement, and maintain cybersecurity best practices.
Three key changes
The most significant updates in CSF 2.0 fall into three categories:
- Intended audience
- Changes to core functions
- Attention to privacy concerns and to emerging technologies such as artificial intelligence (AI)
Audience
When it was released in 2013, the original NIST CSF was specifically and explicitly intended to help organizations managing critical infrastructure systems in the U.S. harden their security against cyberattacks. The overall vulnerability of these systems was seen (correctly) as an important strategic drawback, and the CSF was created to address and mitigate that vulnerability.
Of course, the guidance provided in the CSF was valuable and useful to a much wider audience as well, but it could be challenging to identify and implement recommendations that might be relevant to an organization not involved in protecting critical infrastructure.
CSF 2.0 is intended for a much broader audience, and this is the driving force behind some of the changes we’ve seen in the document:
- Overall, the recommendations are more generalized to make it easier for organizations of any size or in any industry to implement them.
- NIST has provided a rich variety of additional resources to assist organizations in more easily defining their own needs and creating relevant plans. These include an assortment of Quick-Start Guides, templates and pre-formatted Organizational and Community Profiles, a fairly comprehensive set of FAQs, Informative References, and more.
- CSF 2.0 is organized to align with the National Cybersecurity Strategy signed into effect in March 2023 by President Biden.
Core functions
The original CSF identified five core functions:
- Identify — Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
- Protect — Develop and implement appropriate safeguards to ensure delivery of critical services.
- Detect — Develop and implement appropriate activities to identify the occurrence of a cybersecurity incident.
- Respond — Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
- Recover — Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
CSF 2.0 introduces a sixth function, “Govern.” This function addresses organizational issues, setting expectations at the organizational level, risk management strategy, and policies to streamline key processes. The other five functions have also been restructured, with several categories moved to the Govern function.
While the original CSF did make reference to the importance of ensuring effective organizational structure to enable and encourage information-sharing and collaboration among groups that too often are siloed apart from each other — e.g., IT and Security — it did not provide much in the way of specific guidance to achieve that. Considering how important these issues can be in determining the success or failure of cybersecurity projects, the addition of Govern as a core function is a very welcome improvement.
Privacy and emerging technology
The original CSF did not address AI for the simple reason that it had yet to emerge as a significant factor in cybersecurity, both in terms of threats and security monitoring. And privacy concerns were largely ignored in that document as well.
Since then, NIST has published two new framework documents:
CSF 2.0 is designed to be used in tandem with these other frameworks, enabling organizations to adopt a unified process for improving comprehensive cybersecurity, hardening privacy protections, and managing emerging-technology risks.
Welcome improvements
The overarching theme of my 2022 blog post about NIST CSF was that the document was quite daunting and challenging to navigate for most security teams, especially in the SMB category, but that it was still of immense value if used systematically to help with specific projects.
I’m happy to report that the updated CSF 2.0 goes a very long way toward addressing that difficulty. The restructuring of the core functions and the addition of the Govern function, along with the wealth of accompanying documents and resources, mean that it is now far easier for teams with limited personnel and resources to make use of its recommendations and implement best practices, as well as to set up iterative processes that achieve continuous improvement over time.