Navigating the Changes in NIST CSF 2.0

On February 26, 2024, the National Institute of Standards and Technology (NIST) released the NIST Cybersecurity Framework (CSF) 2.0. The release of NIST CSF 2.0 marks the framework’s most significant updates since its inception in 2014.

The initial introduction of NIST CSF was released to help organizations understand and mitigate cybersecurity risk, with a focus on Critical Infrastructure Cybersecurity. Due to the significant increase in cybersecurity-related risk across multiple industries, CSF 2.0 is designed for organizations in all industries and of all sizes. NIST CSF 2.0 aligns to support the National Cybersecurity Strategy signed into effect in March 2023 by President Biden.

CSF 2.0 Update Takeaways

Function Definition

CSF 2.0 revamps the definition behind each of the six functions to create a more broadly understood and applicable definition of its contained categories and subcategories, creating a defined outcome based upon the cumulative actions performed within each function. For example, Protect, “Safeguards to manage the organization’s cybersecurity risks are used.” This differs from the previous version CSF 1.1 with a definition of “Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.”

Governance Function

NIST CSF 2.0 adds a sixth function, Govern (GV), to address an organizations cybersecurity risk management strategy, expectations, and policy to define outcomes related to achieving prioritized based outcomes across the other five functions (Identify, Protect, Detect, Respond and Recover) of the framework.

Framework Organizational Implementation:

The framework provides a five-step process:

  1. Scope the Organizational Profile
  2. Gather the information needed to prepare the organizational profile
  3. Create the Organizational Profile
  4. Analyze the gaps between the Current and Target Profiles and create an action plan
  5. Implement the action plan, and update the Organizational Profile, repeat

This repetitive process explains how organizations could use an Organizational Profile, to create a continuous improvement circle surrounding cybersecurity through a repetitive process, in similar concept to NIST 800-37 Risk Management Framework and its repetitive seven step process to create a risk-based approach for managing activities within the system development lifecycle. 

Quick Start Guides

NIST released five Quick Start Guides (QSGs):

  1. Small Business (SMB)
  2. Creating and Using Organizational Profiles
  3. Using the CSF Tiers
  4. Draft Cybersecurity Supply Chain Risk Management
  5. Draft Enterprise Risk Management Practitioners

Each QSG are brief documents focused on specific CSF-related topics, tailored to specific audiences, aimed to help the organization within focus to implement the CSF framework. NIST plans to revise, and provide new guides as needed.

Privacy and Emerging Technology

Cybersecurity risk management is an integral part of addressing privacy concerns, and emerging technologies (e.g., Artificial Intelligence). CSF 2.0 was designed to be utilized in tandem with the NIST Privacy Framework and NIST Artificial Intelligence Risk Management Framework (AI RMF) to help address various aspects of cybersecurity and privacy-related risks, in addition to emerging technology-related risk concerns.

The release of NIST CSF 2.0 and all updates within the framework are aimed to help all organizations to manage and reduce their cybersecurity-related risks, and ultimately improve the maturity levels of their cybersecurity programs. The specific outcomes prescribed within the framework provide actionable items that organizations can utilize to address defined risks. The additional supplementary information provided by NIST provides targeted information on how the framework can be utilized across various industries.

CompliancePoint’s team of cybersecurity experts can help your organization design, implement, and manage a security program that will meet NIST standards. Contact us at learn more about how we can help.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.