The next major update to the influential NIST Cybersecurity Framework, CSF 2.0, is just around the corner. The development and publication of NIST CSF 2.0 re-affirms the US Federal Government’s commitment to altering the narrative that the private sector innovates in cybersecurity and the public sector adopts. The CSF was originally published in 2014, received a minor version bump in 2018 (1.0 to 1.1), and 2024 will mark the release of CSF 2.0. That makes three releases in a ten-year span, with a significant increase in the breadth of the audience: from critical infrastructure only to all organizations that utilize information technology (read: all organizations).
In this post, we’ll delve into the key changes of CSF 2.0, including the integration of the ‘Govern’ function, revised implementation guidance, and its synergy with other NIST frameworks. We’ll explore how these changes benefit organizations and provide a roadmap for implementing the new framework effectively. With CSF 2.0, NIST not only addresses the complex cybersecurity landscape but also ensures that the framework is adaptable and effective for diverse cybersecurity needs.
Join us as we unpack the CSF 2.0, offering insights, practical advice, and answers to some of your most pressing questions. Whether you’re a cybersecurity veteran or new to the field, this guide will equip you with the knowledge to effectively navigate and implement the updated framework.
Breaking Down NIST SSDF series
If you’re looking for a deeper understanding of these frameworks, we have published comprehensive guides on some of them on our blog.
Introduction to the Secure Software Development Framework
Spotlight on PO.1 — Prepare the Organization
Spotlight on PW.6 — Build Systems
Spotlight on PW.6 — Compilers and Interpreter Security
Spotlight on PS.3.2 — SBOMs
NIST CSF compliance is only mandatory for federal agencies (Executive Order 13800 directed agency heads to use the Framework); for everyone else it is voluntary. However, if your company does business with the US government, or plans on it, CSF alignment is a clear way to demonstrate alignment with the priorities of those agencies. This was true of the original CSF and will continue to be so when the updated 2.0 framework is released. In addition to this clear business benefit, every change in 2.0 was aimed at improving the CSF, so the benefits of the latest release map closely onto those changes. Here is a concise summary:
The NIST Cybersecurity Framework 2.0 offers several enhancements over version 1.1, making it a more versatile and comprehensive tool for managing cybersecurity risk. First, it is more general: it applies to all organizations, not just the critical infrastructure sector that was the target audience of the original CSF. Second, it is now explicitly embedded in the network of NIST frameworks (such as the SSDF, the Privacy Framework, and the Risk Management Framework) that constitute NIST’s holistic vision for cybersecurity and privacy. Third, a sixth function, Govern, was added to tie the CSF to organizational context, risk management strategy, roles and responsibilities, policy, oversight, and supply chain risk management, rather than only the technical functions. Fourth, implementation examples were added to make it easier to ground the framework’s outcomes in concrete, real-world actions. Finally, the Framework Profiles were updated to make it easier to tie technical requirements to business objectives. These updates reflect the evolving cybersecurity landscape and aim to make CSF 2.0 adaptable and effective for a broader range of cybersecurity needs.
Since CSF 2.0 is still in draft, the recommended way to get started is to review how the specific changes will affect your organization and decide whether achieving CSF 2.0 alignment is a priority for the organization.
If your organization isn’t already CSF 1.1 compliant, then becoming so is a good first step in preparing for the release of 2.0, because the 2.0 Core is an evolution of the 1.1 Core rather than a replacement, and reaching 1.1 first will reduce the lift needed when 2.0 is finalized. NIST has a getting started guide that can be found on their website.
The NIST Cybersecurity Framework (CSF) is a set of voluntary standards, guidelines, and best practices to help organizations manage and reduce cybersecurity risk. It provides a flexible and cost-effective approach to managing that risk, which is particularly important for industries vital to national and economic security. The framework is structured around five core functions in 1.1 – Identify, Protect, Detect, Respond, and Recover – with a sixth, Govern, added in the 2.0 update; together they provide a strategic view of an organization’s approach to managing cybersecurity risk.
The current version of the NIST Cybersecurity Framework (CSF) is 1.1, released in April 2018. However, a new version, CSF 2.0, is in the process of being finalized and is expected to be published in early 2024.
The NIST Cybersecurity Framework 1.0 was released in February 2014. It was followed by the release of NIST CSF 1.1 in April 2018.
The public draft of CSF 2.0 was published on August 8, 2023. It was preceded by a few iterations that solicited feedback from the community on how best to improve on the original CSF from 2014 and the 1.1 revision from 2018.
The CSF 2.0 concept paper was released in January 2023. Titled “Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework”, it laid the groundwork for the upcoming changes and updates to the framework.
A discussion draft of CSF 2.0 was then released in April 2023. This draft included potential Functions, Categories, and Subcategories (also called cybersecurity outcomes) of the CSF 2.0 Core. It aimed to increase transparency in the development process and to encourage discussion and feedback for further development.
As with any document, this information is complete as of the publish date but will become out of date over time; the most up-to-date information can be found on the official NIST CSF website.