NIST Cybersecurity Framework 2.0 – What’s New?

In the rapidly evolving world of cybersecurity, staying ahead of emerging threats requires vigilance and a framework that evolves with the times. The recent unveiling of the NIST Cybersecurity Framework 2.0 is a pivotal shift in how organizations approach cybersecurity governance, risk management, and resilience. This update represents a holistic reimagining of cybersecurity practices, emphasizing governance integration across all facets of cybersecurity. It’s a significant transformation that recognizes the increasing complexity of cybersecurity and the modern threat landscape.

This revised Framework offers clarity and strategic direction for organizations grappling with the challenges of securing their digital frontiers. For those already familiar with our discussions on the earlier iterations of the Cybersecurity Framework, this latest evolution presents an opportunity to deepen your understanding and refine your approach to cybersecurity. Dive into the heart of these changes with us, as we explore how the NIST Cybersecurity Framework 2.0 can fortify your organization’s digital defenses, making it more agile, responsive, and resilient against the cyber threats of tomorrow. Discover the significance of these updates and how they build upon the foundations laid by their predecessors in our series of insightful blogs on the NIST Cybersecurity Framework published before this update.


Govern function

By far, the most visible and impactful change in the NIST Cybersecurity Framework 2.0 is the creation of a sixth function, intended to tie the five original functions together. The Govern function builds on the original Govern category in CSF1.0. The new model highlights the importance of governance as the security function that ties the rest together rather than being practiced in parallel.

The Govern function is designed to inform organizations how to prioritize and achieve the measures called for by the other five functions. By developing the necessary context around the organization’s missions, stakeholders, and regulatory and legal requirements, the governance function enables effective cybersecurity guided by business risk management. There are 6 Categories to the Govern Function:

Organizational Context

Organizational Context is crucial for comprehensive cybersecurity risk management. It involves understanding an organization’s unique circumstances, including its mission, stakeholder expectations, dependencies, and the legal, regulatory, and contractual requirements it faces. This knowledge forms the foundation for making informed cybersecurity risk management decisions, ensuring that strategies and measures are aligned with the organization’s objectives and compliance obligations.

Prepare Risk Management Strategy

This category focuses on establishing an organization’s cybersecurity priorities, constraints, risk tolerance, and assumptions. It emphasizes the importance of communication and utilization of these elements in operational risk decisions, ensuring that cybersecurity efforts are aligned with the organization’s strategic objectives and risk appetite.

Assign Roles, Responsibilities, and Authorities

‘Roles, Responsibilities, and Authorities’ is about establishing clear cybersecurity roles, responsibilities, and authority levels within an organization. This ensures accountability, aids in performance assessment, and fosters a culture of continuous improvement in cybersecurity practices, aligning them with the organization’s strategic objectives and risk management strategy.

Prepare Policy

The ‘Policy’ category focuses on the creation, communication, and enforcement of organizational cybersecurity policies. It involves setting standards based on the organization’s context and strategic direction to manage cybersecurity risks effectively. These policies guide the behavior of individuals and the operation of systems within the organization, ensuring a secure and resilient infrastructure.

Ensure Oversight

‘Oversight’ emphasizes the importance of monitoring and utilizing the outcomes from organization-wide cybersecurity risk management activities. It aims to inform, improve, and adjust the risk management strategy based on performance results, ensuring that cybersecurity efforts are aligned with organizational objectives and adapt to evolving cyber threats and vulnerabilities.

Manage Supply Chain Risk

The “Cybersecurity Supply Chain Risk Management” category focuses on establishing processes to identify, assess, and mitigate risks associated with the supply chain. It ensures the security of the supply network, from procurement to delivery, by integrating cybersecurity practices into supplier relationships and monitoring their compliance with security requirements.


As part of the publication of CSF2.0, NIST has developed additional resources to support the use of the framework in different use cases and for different organizations.

The original set of informative references that were included in each subcategory of the CSF1.1 are now augmented by a set of implementation examples describing the key components involved in each.

NIST also developed a series of quick start guides designed to help organizations implement the cybersecurity framework in a standardized way. These resources are not prescriptive, and organizations remain free to implement and customize the framework as they see fit. However, they’re an incredibly valuable resource for organizations just starting to use the cybersecurity framework and unsure how best to do so. The current guides include guidance on establishing and using the framework profiles and applying the framework tiers, as well as specialized use case advice for small businesses, supply chains, and enterprise risk management.

Category Changes:

As part of the update, there were also several changes to specific categories, consolidating, expanding, and rearranging them to better describe and categorize modern security practices. There are many of these changes overall, and you may want to familiarize yourself with them if you previously implemented CSF1.1. We’ll highlight some of the most significant and impactful ones here:

One of the largest adjustments was reassigning Improvement to the Identify function. Previously, the Framework had multiple Improvement Categories allocated to the Detect, Respond, and Recover Functions. This modification underscores the importance of a holistic approach in advancing cybersecurity across the entire domain. The framework promotes an integrated perspective on cybersecurity by situating improvement initiatives within the Identify function. It embodies a proactive stance towards cybersecurity, emphasizing the importance of regular assessment and enhancement of security practices to adapt to the dynamic nature of cyber threats.

Another significant change is expanding the supply chain risk management category, reflecting the growing recognition of supply chains as critical vectors for cyber threats. This enhancement focuses on establishing comprehensive risk management processes that involve all organizational stakeholders. It includes developing a cybersecurity supply chain risk management program, defining roles and responsibilities for suppliers, customers, and partners, and integrating these processes into the broader cybersecurity and enterprise risk management frameworks. Additionally, it emphasizes the importance of understanding, prioritizing, and monitoring the cybersecurity risks associated with suppliers and third parties throughout the lifecycle of the relationship, ensuring a more resilient supply chain against cyber threats.

A third significant change is the consolidation of several different categories related to Identity Access Management into a single category: Identity Management, Authentication, and Access Control. This pivotal enhancement underscores the integral role of identity and access management in cybersecurity. By merging these critical areas, the framework promotes a more cohesive strategy for safeguarding digital identities and controlling access to resources. This consolidation aims to simplify the implementation of robust authentication mechanisms and protective technologies, ensuring that only authorized users can access sensitive information and systems, thereby strengthening the organization’s overall security posture.



The NIST Cybersecurity Framework 2.0 represents a significant leap forward in how organizations approach and manage cybersecurity risks, governance, and resilience. Its comprehensive restructuring, mainly through the addition of the ‘Govern’ function, caters to the pressing need for a more integrated approach to cybersecurity in an era marked by sophisticated cyber threats and complex digital ecosystems. Understanding and implementing the updated Framework can be daunting as organizations navigate this new landscape.

Atlantic Data Security stands ready to assist your organization in harnessing the full potential of the NIST Cybersecurity Framework 2.0. Our team of experts can guide you through the nuances of the updated Framework, helping you tailor its application to your specific needs and challenges. Whether enhancing your cybersecurity governance, refining risk management strategies, or strengthening your supply chain security, ADS has the expertise to make your transition to CSF 2.0 seamless and practical.

Embrace the future of cybersecurity with confidence. Speak with an ADS advisor today, and let us help you fortify your digital defenses, ensuring your organization remains agile, secure, and resilient in the face of evolving cyber threats.