NIST Cybersecurity Framework 2.0 Release Update
What Happened?
During the last week of February 2024, the National Institute of Standards and Technology (NIST) released the awaited final version of the NIST Cybersecurity Framework (CSF) 2.0. This updated version is the latest iteration of the NIST recommended ways to manage and mitigate cybersecurity risks.
Who is Affected?
This latest version of the NIST Cybersecurity Framework is appropriate for more organizations and, with the use of additional tools now available, should be easier to understand and implement. The previous versions, while they were recommended and available to all organizations and sectors regardless of size, were aimed at being applicable for operators of critical infrastructure and were difficult to apply and utilize in some cases. This updated version of the CSF offers a more comprehensive approach to managing and mitigating cybersecurity risks. The new version also emphasizes governance and supply chain security.
What it Means
The CSF 2.0 is designed to help organizations of all sizes and sectors manage and reduce their cybersecurity risks. It does not utilize a one‑size‑fits‑all approach, though. Each organization is unique in their needs and risks, so by necessity, the way CSF is implemented will vary.
The CSF describes outcomes, not prescriptive ways to implement it. It provides objectives and controls to help organizations achieve and manage the desired level of risk mitigation and cybersecurity. The CSF provides long-term guidance to be able to manage cybersecurity and risk over time, as risks expand and evolve in the future.
The NIST CSF 2.0 provides the most up to date government approved best practices to manage cybersecurity risk. It builds on the entire suite of NIST standards and recommendations and will become a key part of the overall steps and procedures to successfully govern and to manage cybersecurity.
A Little Bit of History
The NIST CSF has gone through multiple iterations and evolution over the last ten (10) years since it was initially released as CSF 1.0 in February 2014.
On April 16, 2018, the updated CSF 1.1 was finalized and released. It included multiple improvements in the categories and sub‑categories identified as well as improving the way it could be implemented.
Last summer, on August 8, 2023, the draft version of the updated CSF 2.0 was released to the public for review and comment. It officially introduced the new Govern function and remapped, updated, added, or removed many of the categories and sub‑categories. There were multiple conference calls and improvement recommendations submitted to make the final version more flexible and apply better to more organizations.
Now, as of February 26, 2024, the final version of the CSF 2.0 has been released. There were changes made to the wording in the categories and sub‑categories of the draft version to provide a better understanding and clearer meaning on how to apply them. There were also some changes to the category and sub‑category mapping, and some eliminated.
What are the Changes/Differences?
The most obvious change between CSF 1.1 and CSF 2.0 is the inclusion and implementation of the Govern Function.
CSF 1.1 Categories
CSF 2.0 Categories
Some of the other obvious differences include the number of the categories and sub‑categories and the way they map to the functions.
| CSF 1.1 | CSF 2.0 | |
| Functions | 5 | 6 |
| Categories | 23 | 22 |
| Sub‑categories | 108 | 106 |
| Informative References | 6 | Many Tools |
Some of the categories were renamed or renumbered and descriptions updated. Some of the categories and sub‑categories were moved to other functions with the addition of the Govern function to make them more accurately associated with the appropriate function. Some of the sub‑categories were moved for clarity and associated with different categories, some were added, and some were removed.
The definition of the functions, except for the Govern function, were clarified but have not really changed significantly.
Govern Function
- Defines executive leadership requirements in risk and cybersecurity management.
- Clarifies that to be successful, there MUST be buy‑in and support from the highest levels of management and board.
Identify Function
- Understand current cybersecurity risks
Protect Function
- Safeguards and controls to manage cybersecurity risks
Detect Function
- Possible cybersecurity attacks and compromises are found and analyzed
Respond Function
- Actions taken once an incident is detected
Recover Function
- Assets and operations affected by cybersecurity incident are restored
Tools Available
As a part of the release of CSF 2.0, many tools, documents, references, and other resources are also available from various links within the NIST website to aid in the implementation and management of the CSF. The following webpages provide information and links to tools and other resources.
NIST CSF 2.0 Webpage – https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final
Cyber Insights Blog – https://www.nist.gov/blogs/cybersecurity-insights/travel-update-nist-csf-20-herealong-many-helpful-resources
The following documents are available as links from the CSF 2.0 website, and they provide additional information and links from there to additionally useful references as well.
NIST CSF 2.0: Resource & Overview Guide
- Informative References
- Cybersecurity & Privacy Reference Tool (CPRT)
- Implementation Examples
- CSF 2.0 Reference Tool
- Community Profiles and Profile Templates – Help implementation
NIST CSF 2.0 Quick Start Guides
- Multiple different ones to help implementation
- How to use CSF
Ways to provide feedback and improvements about CSF 2.0 are included in the links.
What Does this Mean for the Future?
Right now, CSF 2.0 is only available in English. In the near future, there are plans to have it translated into other languages so it can be better utilized by other countries. There is hope that CSF 2.0 will become a global standard.
At this point, there is nothing forcing any organizations outside of the government to implement the CSF 2.0 standards. There will probably be some governing bodies and Federal agencies that will “highly recommend” it be used to meet their requirements in the near future.
As a part of the overall NIST standards and frameworks, CSF 2.0 will surely increasingly be referenced by the other NIST standards.
There will be documents and information available that compares NST CSF 2.0 to other frameworks, such as ISO 27001, and how it compares to other standards such as HIPAA, SOC2, NERC-CIP, GDPR, FISMA, and COSO.
ivision Can Help Implement.
ivision has the consulting and security expertise to help you implement NIST 2.0 or other cybersecurity frameworks as appropriate to your company. We look forward to leveraging our decades of experience to help strengthen your organization’s security.
Note: Figures and inspiration from multiple NIST documents and pages.
