Top Insights into the NIST Cybersecurity Framework 2.0

March 28, 2024

Ten years after the release of the initial version, the National Institute of Standards and Technology (NIST) released a new Cybersecurity Framework (CSF) in late February 2024. Version 2.0 of the NIST CSF makes a major transition away from the critical-infrastructure focus signalled by the title of version 1.1, “Framework for Improving Critical Infrastructure Cybersecurity.” The new version has a broader scope, which NIST describes as a goal “to help all organizations manage and reduce cybersecurity related risk.” The new CSF stresses that cybersecurity risk is a component of each organization's enterprise risk management (ERM) approach and must be integrated with it.

 

[Image: The NIST Cybersecurity Framework (CSF) 2.0]

New Focus on Governance

Formerly, Governance was a category within the Identify function [ID.GV] containing only 4 subcategories. Elevating it to a CSF function in its own right [GOVERN], containing 6 categories and encompassing 21 subcategories, gives senior business leaders additional encouragement to consider cybersecurity alongside other major organizational risks such as finance and reputation. NIST now recognizes governance as an essential and wide-ranging function, which it links to each of the other five functions. This linkage was not explicitly defined in CSF 1.1, and organizations often overlooked it when implementing their security controls.


This governance function supports CISOs as they explain and discuss information security in terms their senior leadership team and board of directors can understand—perhaps for the first time.

 

In support of this framework, NIST has released a set of informative reference examples and quick-start guides to help organizations adopt the CSF 2.0. Are they complete? Not yet, but they will evolve as adoption of the CSF 2.0 becomes more widespread. The content is a significant improvement over what was provided for v1.1 of the CSF, and it helps organizations understand the value of CSF Profiles: precisely identifying what most needs protection and what can suffice with lesser protection. This eliminates the unnecessary costs of a one-size-fits-all approach to managing cybersecurity.


Tailored Guidance with Organizational Profiles and Tiering

NIST has always maintained that adoption of the CSF should be tailored to the organization, but many argued that practical execution guidance was lacking. With the CSF 2.0, NIST has devoted considerable effort to explaining how CSF Organizational Profiles are used to tailor the CSF. Organizations will grow to love this feature, as it explains why each category and control is necessary to protect their information. Using these Profiles, technical leaders will be able to justify every control-related expense in their information security program.


After establishing CSF Organizational Profiles, security leaders can readily convert them into their information security baseline(s), specifying which security controls to apply where and how to configure them. Organizations may also see a financial benefit if they no longer have to implement and manage technologies and processes for unnecessary controls, without impacting their overall security posture.


In version 2.0, CSF Tiers have been refocused from serving as framework implementation Tiers in version 1.1 to "[characterizing] the rigor of an organization's cybersecurity risks and the processes in place to manage those risks." Leaders can therefore use the CSF Tiers to provide context for how an organization views cybersecurity risks and the processes it has in place to manage them.


NIST continues using the same number of CSF Tiers and the same naming conventions, but the Tiers now describe a progression from informal, ad-hoc responses to approaches that are agile, risk-informed and continuously improving. Of particular note, version 2.0 of the CSF no longer contains the following language from version 1.1: "Tiers do not represent maturity levels. Tiers are meant to support organizational decision making about how to manage cybersecurity risk, as well as which dimensions of the organization are higher priority and could receive additional resources." The CSF 2.0 instead recommends using the Tiers “to communicate internally as a benchmark for an organization-wide approach to managing cybersecurity risks.”


Assuming an organization has defined its CSF Organizational Profile(s) and developed an enterprise-wide security baseline, applying this baseline across the enterprise will help to achieve key outcomes. Establishing a CSF Organizational Profile and associated baseline allows the organization to measure, and importantly to report to executive leadership, progress and issues regarding how compliant the organization is with its security baseline. This matters because if a compromise does occur, the information security and IT teams can zero in on the specific aspects of the baseline that were either out of compliance or did not apply the level of protection needed. Before resolving the issue, they will have the documentation to prove their findings. Applying the baseline to the non-compliant technologies and processes will rapidly resolve the issues and bring information security back toward compliance with the organization's previously documented needs in the CSF Organizational Profile.


Supply-Chain Security Management

The CSF 2.0 now includes an associated suite of documentation to assist with supply-chain security management. We have all heard about supply-chain security issues, but until the CSF 2.0 relatively little formal guidance was available outside of ISO 28000:2022 to help organizations better protect their supply chain. I will discuss more of the differences between the CSF and ISO in the summary section.


Changes to Security Functions, Categories and Outcomes

The CSF 2.0 has made some changes to the overall number of security functions, categories and subcategories (or outcomes), as shown in Table 1:

                            CSF 1.1    CSF 2.0
  Functions                 5          6
  Categories                23         22
  Subcategories (Outcomes)  108        106

Table 1: NIST CSF by the Numbers


While the changes in the numbers are minimal, the rebalancing of the framework functions is positive and encourages widespread use of CSF Profiles. The framework now adopts a business focus, whereas previously it centered predominantly on technical security controls. The former approach was far more difficult to discuss at the board level; it was often considered ‘too technical’ and required too much explanation.


Summary

The NIST CSF 2.0 will no doubt create a lot of interest. To support that interest and offer more practical guidance, NIST is rapidly creating examples, crosswalks, templates and technical details describing how to implement the CSF 2.0 successfully. Today, however, the available materials, while good, do not yet address everyone's requirements. As with the CSF 1.0 and 1.1, these materials will take time and experience to create and evolve.


This should not deter organizations from considering and implementing an information security program based on the CSF 2.0. As part of the update, NIST has eliminated the term “critical infrastructure” from the specification and made the framework broadly applicable to virtually any industry. This change should also dispel some organizations' fears that the framework is "too government focused." Consideration of supply-chain security management has been a major step forward. Although it is speculative and entirely dependent on NIST, future updates may extend the CSF to address architectural considerations that are currently driven by vendors, or others, rather than by organizational business security needs.


In comparison with other security frameworks and best practices offered by ISO and CIS, the CSF takes a broader organizational approach. The difference between the CSF and ISO is that the CSF provides a single framework from which organizations can develop their program, whereas ISO provides a prescriptive standard on how to select and manage the controls implemented. The NIST CSF 2.0 is focused more strongly than ever on cybersecurity management, a radical departure from other security frameworks such as CIS, which focus mostly, if not exclusively, on technical security controls. The CSF goes further by more fully supporting effective communication between the information security and IT management teams and their senior leadership.


Next Steps

As with the NIST CSF 1.1, organizations new to the CSF will need time, and perhaps assistance, to determine whether the CSF 2.0 meets their needs. Current adopters of the NIST CSF 1.0 or 1.1 should evaluate what the changes will mean for their program and whether the transition cost associated with the change is justifiable.


Optiv believes that the cost and effort of either adopting the CSF 2.0 initially or transitioning to it is more than outweighed by the governance, supply-chain guidance and management benefits that you could gain. The key thing to remember is that the CSF guidance is not specific to Windows, Mac or Linux systems; the CSF focuses on protecting the information that your organization depends on.


If you need help implementing guidance from the NIST CSF 2.0 framework at your organization, reach out to us at Optiv.

Heather Moldowan
Senior Consultant, Strategy and Risk Management | Optiv
Heather Moldowan is a senior consultant with the Strategy and Risk Management team at Optiv. Heather specializes in cyber risk management, enterprise risk management, and risk automation. Heather is a Certified Information Systems Professional (CISSP) and RIMS Certified Risk Management Professional (CRMP).
Kelvin Walker
Demand and Delivery Manager, Strategy and Risk Management | Optiv
Kelvin Walker is a results-oriented information technology professional with over 25 years’ experience leading teams in the delivery of strategy, technology and information risk management as well as security projects. Key client segments include financial service entities, educational institutions and districts, manufacturing/distribution companies and transportation organizations. Kelvin possesses sound leadership skills reinforced by a strong depth and breadth of information technology and security strategies across a wide array of information systems and platforms.

Prior to joining Optiv, Kelvin was a master security consultant and engineer for an international technology consulting, system solutioning and engineering organization. Kelvin assisted clients in the determination of various information security strategies and the development of necessary business and information technology solutions to meet both industry and regulatory requirements through combining master level knowledge, experience and application of NIST, ISO and other industry/regulatory standards.

CERTIFICATIONS
CISA, CISM, CRISC, CDPSE
Technical Manager in Risk Management Practice | OPTIV
Dr. Broderick is a Technical Manager in Optiv’s risk management practice and is responsible for development and delivery of TPRM related services to Optiv clients. Having worked in the IT and Information Security industry for over 35 years, he’s deeply experienced in all aspects of information security and how it affects businesses of all sizes and in all sectors.