NIST Cybersecurity Framework 2.0 – Paving the Future of Information Security

In 2023, the amount of information the world creates, captures, and consumes is almost 10X higher than it was a decade ago. When you consider the evolution of technology, critical infrastructure, and the way we use them over the last decade, it is inherent that the way we protect and secure them must also evolve to keep up with the ever-changing threat landscape.

On August 8, 2023, the National Institute of Standards and Technology (NIST) released a draft of the newly updated NIST Cybersecurity Framework, NIST CSF 2.0 – almost 10 years after the release of the original NIST CSF 1.0 in February of 2014. Similar to NIST CSF 1.1 released in 2018, the updates reflect the suggestions and feedback that NIST receives from stakeholders that use the framework to shape their information security strategies. NIST will be accepting feedback on the draft until November 4, 2023, and the finalized version will be released in early 2024.

In this blog, we will explore the changes made in NIST CSF 2.0, what these changes mean for security leaders, and who these changes impact most.

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is a set of guidelines, best practices, and standards intended to help organizations maintain and improve their security posture. Information security leaders leverage the framework globally as a structured approach to assessing and strengthening their cybersecurity controls and policies to protect against cyber threats and prevent costly data breaches.

The framework is an intentionally flexible and adaptable approach to helping organizations adjust their cybersecurity strategies based on their specific needs, level of risk, and industry requirements. Because of its flexibility, NIST CSF is widely used by businesses, government agencies, and organizations of all sizes.

NIST CSF 2.0: Key Changes

The key changes made to the NIST framework can be categorized in terms of:

1. Its scope and name change;
2. The addition of a new core function; and
3. The addition of framework implementation guidance.

Why NIST Altered the Name and Scope of its Framework

The scope of NIST Cybersecurity Framework 2.0 has expanded to help industries beyond those with critical infrastructure that it used to cater to exclusively, hence the name being changed from “Framework for Improving Critical Infrastructure Cybersecurity” to the more inclusive “The Cybersecurity Framework.” The reasoning behind the name change is simple – although the framework was originally developed for sectors like banking, healthcare, and energy industries, it was widely adopted and implemented by other industries, including schools, small businesses, and even foreign governments. It is important to note that the scope has also changed in terms of the inclusion of implementation guidance, which we will explore more in a later section.

NIST CSF 2.0’s Sixth Core Function – Governance

Up until August of 2023, the NIST Cybersecurity Framework only consisted of 5 core functions:

1. Identify: This function helps organizations determine their current cybersecurity risk
2. Protect: This function helps organizations safeguard, prevent, and reduce their cybersecurity risk with controls, policies, and awareness training.
3. Detect: This function helps guide organizations through identifying and detecting cybersecurity events and incidents promptly by implementing continuous monitoring, detection, and response mechanisms.
4. Respond: This function helps organizations create and execute an effective response plan in the event of a cybersecurity incident to reduce the financial and reputational impact of the incident by mitigating it as quickly as possible.
5. Recover: This function guides organizations in recovering from cybersecurity incidents and restoring normal business operations as quickly as possible. The ‘recover’ function not only provides guidance for restoring data, systems, and services, but it also takes lessons learned for future improvements into consideration.

In the newly released draft of the NIST Cybersecurity Framework 2.0, an entirely new function was added – Governance, which was formerly included as part of the Identify function. The Governance function, with respect to the NIST Cybersecurity Framework, is intended to help organizations make and execute their own decisions internally to align with their cybersecurity strategy. Since cybersecurity has proven to be a major risk to enterprises, both financially, legally, and beyond, it emphasizes the importance of senior leadership considering these risks strategically.

The Significance of Governance in NIST CSF

The addition of the “Govern” function in the NIST Cybersecurity Framework (CSF) signifies a fundamental shift in how organizations approach cybersecurity. This new core function emphasizes the crucial role of governance, organizational context, risk management strategy, and the allocation of roles and responsibilities within cybersecurity.

By including governance, NIST is acknowledging that cybersecurity is not solely a technical matter but an organization-wide concern that needs to be approached holistically with explicit attention from senior leadership that it hasn’t historically received – especially in enterprises. The inclusion underscores that effective cybersecurity governance is essential for managing and reducing cybersecurity risks, aligning cybersecurity efforts with overall business goals, and fostering security within an organization. With the “Govern” function, CSF 2.0 recognizes that cybersecurity is a strategic priority and a critical component of an organization’s risk management framework, ensuring that cybersecurity is integrated into all aspects of an organization’s operations. The categories covered within the ‘Govern’ function are exactly as follows:

1. Organizational Context (GV.OC): The circumstances – mission, stakeholder expectations, and legal, regulatory, and contractual requirements – surrounding the organization’s cybersecurity risk management decisions are understood (formerly ID.BE)
2. Risk Management Strategy (GV.RM): The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions (formerly ID.RM)
3. Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders (formerly ID.SC)
4. Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated (formerly ID.GV-02)
5. Policies, Processes, and Procedures (GV.PO): Organizational cybersecurity policies, processes, and procedures are established, communicated, and enforced (formerly ID.GV-01)
6. Oversight (GV.OV): Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy

NIST’s Improved and Expanded Guidance on CSF Implementation

Per the request of the cybersecurity community’s suggestions to improve the CSF, the updated draft includes more detailed and comprehensive guidance on the implementation of each core function of the CSF. More specifically, the draft includes examples within each function’s subcategories to demonstrate how each function should be applied in relation to the specific use cases. For example, in the sixth subcategory of the ‘recover’ function, RC.RP-06, the implementation example given here reads, “Prepare an after-action report that documents the incident itself, the response and recovery actions taken, and lessons learned.” Similar examples can be found within each subcategory to make it simpler and clearer for security leaders to leverage the framework’s guidance moving forward.

NIST also included additional guidance on the creation of profiles to help organizations tailor the CSF to fit their specific needs based on risk, maturity, industry, and other factors. Profiles help assess the current and desired state of cybersecurity in an organization, identify gaps, and prioritize mitigation efforts based on organization-specific factors.

Overall, the changes in NIST CSF 2.0 reflect a broader recognition that cybersecurity is everyone’s concern, regardless of department, industry, or organization size. Moreover, the improved implementation guidance and the flexibility to create tailored profiles offer a practical approach to addressing real-world challenges to empower organizations to protect their digital assets effectively.

About BreachLock

BreachLock is a global leader in PTaaS and penetration testing services. BreachLock offers automated, AI-powered, and human-delivered solutions in one integrated platform based on a standardized built-in framework that enables consistent and regular benchmarks of attack tactics, techniques, and procedures (TTPs), security controls, and processes. By creating a standardized framework, BreachLock can deliver enhanced predictability, consistency, and accurate results in real-time, every time.