What's New with NIST CSF 2.0

The National Institute of Standards and Technology (NIST) is set to publish version 2.0 of its Cybersecurity Framework (CSF) this month. The framework, originally released in 2014, was created as a tool to help organizations reduce cybersecurity risk. What makes NIST CSF so attractive as a risk-reduction tool is its versatility: organizations of all industries, sizes, and maturity levels can take advantage of its guidance. In this blog post, we'll explore the changes made in NIST CSF 2.0 and how you can keep your organization aligned to the framework.

So, What’s New?

The current version of the framework, version 1.1, has five (5) functions: Identify, Protect, Detect, Respond, and Recover. Beneath these functions sit twenty-three (23) categories and one-hundred-and-eight (108) subcategories, which span a variety of cybersecurity topics such as Risk Management, Asset Management, and Awareness and Training.

NIST CSF version 2.0 adds a sixth function, Govern (GV), which covers organizational strategy, policy, roles and responsibilities, and oversight, with risk management at its center. Now with twenty-two (22) categories and one-hundred-and-six (106) subcategories, the new release is organized in a more actionable fashion, using the outcomes of the Govern function to inform practices in the five functions that follow it.

Further, the updated version of the framework rewords its subcategories as clearer outcome statements, with enough detail that each can be followed more readily. For example, NIST CSF v1.1 subcategories RC.CO-1 (public relations are managed) and RC.CO-2 (reputation is repaired after an incident) have been consolidated into NIST CSF v2.0 subcategory RC.CO-04: public updates on incident recovery are shared using approved methods and messaging.

Additionally, the new version of the Framework places greater emphasis on Cybersecurity Supply Chain Risk Management, which now has its own category under the Govern function (GV.SC). As NIST puts it, "All types of technology rely on a complex, globally distributed, extensive, and interconnected supply chain ecosystem with geographically diverse routes and multiple levels of outsourcing." Supply chain disruptions have trickle-down effects that can hinder the day-to-day operations of any business.

As such, it is imperative that organizations have processes in place to evaluate their third parties based on criticality and potential risk. These assessments enable prioritization in planning: organizations should use what they learn from them to inform Incident Response, Business Continuity, and Disaster Recovery efforts. In turn, preparedness is strengthened, and supply chain disruptions that affect the organization will be less damaging.

What Does This Mean for Me?

While the updates to NIST CSF may seem significant, organizations that are already aligned with NIST CSF version 1.1 will be glad to know the road ahead is fairly smooth. "The NIST Cybersecurity Framework was intended to be a living document…these updates help the Framework keep pace with technology and threat trends, integrate lessons learned, and move best practice to common practice" (NIST).

Rather than using NIST CSF 2.0 to rewrite the book, the team at NIST largely reshuffled and renamed the categories and subcategories that we cybersecurity practitioners have come to know. For example, the version 1.1 categories Business Environment (ID.BE) and Governance (ID.GV) have been reallocated into the new Govern function, now forming categories such as Organizational Context (GV.OC) and Oversight (GV.OV).

For risk assessors such as K logix, the new NIST CSF 2.0 framework gives us even more resources to assist clients. We often recommend NIST CSF partly because of the large amount of supporting content. NIST has expanded that content further with new features such as "Success Stories" and the "Quick Start Guides," which provide examples and best practices to help guide organizations toward greater maturity. Combined with the benchmark data that K logix has collected from performing dozens of assessments, the individual expertise of our consultants, and our methodology for breaking NIST down into real-world action steps, clients will benefit from applying the new NIST CSF 2.0 Framework in their next K logix-led maturity assessment.

Interested in learning more about the updates to NIST CSF? Reach out to the experts at K logix.
