NIST CSF 2.0 Update: Everything You Need to Know

Security leaders have long relied on the structured set of guidelines and best practices provided in the NIST Cybersecurity Framework (NIST CSF) to shape their organizations’ cybersecurity programs and maintain a robust security posture. The framework helps practitioners reduce cybersecurity complexity and quickly implement effective practices that reduce the organization’s exposure to attack, by helping them answer the following questions:

  1. Where do we get started?
  2. What outcomes should we aim for?
  3. How do we understand and improve our cybersecurity posture?

The NIST CSF, first released in February 2014 (CSF 1.0) and updated in 2018 (CSF 1.1), originally aimed to help critical infrastructure organizations manage and reduce cybersecurity risk. The latest version – NIST CSF 2.0 – was released in February 2024. It updates and improves CSF 1.1 to provide organizations with an even more robust framework for cybersecurity risk management. In September 2023, BreachLock published a useful guide about its proposed changes. This blog builds on it and provides more details and clarification on which proposed changes have been implemented in CSF 2.0.

NIST CSF 2.0: Summary of Changes

The CSF 2.0 has an expanded scope compared to its predecessors, so more organizations can benefit from its guidance and recommendations.

The Framework Core, which is the nucleus of the CSF 2.0 (and indeed of CSF 1.1), is a taxonomy of activities to help organizations achieve high-level cybersecurity outcomes to manage their cybersecurity risks.

The Framework Core for CSF 1.1 included five core functions:

  1. IDENTIFY (ID)
  2. PROTECT (PR)
  3. DETECT (DE)
  4. RESPOND (RS)
  5. RECOVER (RC)

The Framework Core structure for CSF 2.0 includes a sixth core function: GOVERN (GV). This function organizes governance-related cybersecurity activities at a high level and emphasizes that cybersecurity is a major source of enterprise risk.

The CSF 2.0 also includes changes to the categories under each function. For example, the Supply Chain Risk Management category was part of the IDENTIFY function in CSF 1.1 but is part of the GOVERN function in CSF 2.0. Accordingly, its category identifier has changed from ID.SC to GV.SC.

CSF 2.0 also updates the categories in the other functions. New categories in CSF 2.0 include:

  1. Platform Security and Technology Infrastructure Resilience under PROTECT
  2. Adverse Event Analysis under DETECT
  3. Incident Management under RESPOND
  4. Incident Recovery Plan Execution under RECOVER

Finally, NIST has created multiple online resources to help organizations understand, adopt, and use CSF 2.0 easily and more effectively.

NIST CSF 2.0: Going Beyond Critical Infrastructure

Both CSF 1.0 and CSF 1.1 were known as the Framework for Improving Critical Infrastructure Cybersecurity because they were mainly designed to help critical infrastructure organizations address their cybersecurity risks.

In contrast, the CSF 2.0 is designed to help all organizations manage cybersecurity risk. Thus, organizations of any type, in any sector, and at any level of cybersecurity sophistication can use its guidance, taxonomy, and resources to understand and mitigate their risks and achieve their cybersecurity goals.

NIST CSF 2.0: The New GOVERN Function

The GOVERN function in NIST CSF 2.0 encompasses activities to help organizations establish, communicate, and monitor their cybersecurity risk management strategy, expectations, and policy. By performing these activities, they can make and implement more informed decisions about their cybersecurity strategy and better incorporate this strategy into the broader enterprise risk management (ERM) strategy.

The function includes six categories of outcomes to help organizations improve cybersecurity governance:

  1. Organizational Context (GV.OC): This addresses the organization’s understanding of the circumstances around its cybersecurity risk management decisions, including the company mission, stakeholders, legal and regulatory requirements, critical objectives, outcomes, and capabilities.
  2. Risk Management Strategy (GV.RM): This is concerned with operational risk decisions supported by the organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions.
  3. Roles, Responsibilities, and Authorities (GV.RR): This relates to whether the organization has implemented cybersecurity roles and responsibilities to foster accountability and enable continuous improvement.
  4. Policy (GV.PO): This refers to the establishment and enforcement of a cybersecurity policy.
  5. Oversight (GV.OV): This assesses whether cybersecurity risk management strategies inform the ERM strategy.
  6. Cybersecurity Supply Chain Risk Management (GV.SC): This is about stakeholders identifying, establishing, managing, monitoring, and improving cyber supply chain risk management processes.

The outcomes of the activities in the GOVERN function are sector-, country-, and technology-neutral, so any organization can pursue them per their unique risks, technologies, and business mission.

New Resources Available with NIST CSF 2.0

NIST has created multiple online resources to simplify the adoption and implementation of the CSF 2.0. These resources are of three types:

Informative references

They point to sources of guidance to help organizations achieve the outcomes in the CSF 2.0. For example, the CSF 2.0 Reference Tool allows users to explore the CSF 2.0 Core and export portions using key search terms in both human- and machine-readable formats.

The Reference Tool and other informative references can be downloaded from the NIST site [1].

Implementation examples

These are illustrations of concise, action-oriented steps to achieve each outcome.

For example, the implementation example for Function GOVERN, Category GV.OC, Subcategory GV.OC-01 is: “Share the organization’s mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission”.

The implementation examples for CSF 2.0 (Excel format) can be downloaded from within the CSF 2.0 document [2].

Quick start guides (QSGs)

These brief documents include actionable guidance to help organizations implement the CSF 2.0 and improve cybersecurity risk management. All the QSGs are available for download on NIST’s site [3].

Other Key Improvements in NIST CSF 2.0

Like the CSF 1.1, the CSF 2.0 includes Framework Implementation Tiers (“Tiers”) that provide context on i) how organizations view cybersecurity risk and ii) their risk management processes. The Tier names are the same in both versions:

  1. Tier 1: Partial
  2. Tier 2: Risk-informed
  3. Tier 3: Repeatable
  4. Tier 4: Adaptive

However, unlike the CSF 1.1, the CSF 2.0 enables organizations to analyze the rigor of both their cybersecurity risk management and risk governance practices and implement appropriate practices to progress from Tier 1 to Tier 4 on both aspects.

Further, the CSF 2.0 provides useful guidance to improve risk management communications between executives, managers, and cybersecurity practitioners. Also, its GOVERN function supports discussions at the executive level around risk management strategies, roles, responsibilities, policies, and oversight.

Finally, NIST provides some resources that describe the relationship between cybersecurity risk management and ERM, and others that provide guidance for integrating cybersecurity risk management with individual ICT risk management programs.

Conclusion

The CSF 2.0 is a very useful framework for any organization looking for effective, actionable guidance around cybersecurity risk management and governance. It provides numerous resources that enable users to easily implement the framework’s suggestions and recommendations, and thus effectively deal with the cybersecurity threats affecting their organization.

Need Help Understanding and Implementing CSF 2.0? Talk to BreachLock

Need clarification about the structure of the CSF 2.0? Require support to parse its guidelines and leverage it effectively in your organization? Contact BreachLock for a free consultation.

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know your risk. Contact BreachLock today!

References

  1. CSF 2.0 Informative References
  2. The NIST Cybersecurity Framework (CSF) 2.0
  3. Navigating NIST’s CSF 2.0 Quick Start Guides
