Six Months of NIST CSF v2.0

How the Expanded Framework is Changing the Game for Cyber Security Across the Globe

The National Institute of Standards and Technology (NIST) published version 2.0 of their Cybersecurity Framework (CSF) in February this year, marking its first significant update since its initial release in 2014. Back then, the Framework was built and designed with the protection of Critical Infrastructure in mind, and covered five core functions: Identify, Protect, Detect, Respond, and Recover. After significant input from the international cyber security community, NIST’s update broadens the Framework’s applicability and makes it easier for organisations of all shapes and sizes to implement, not just critical infrastructure.

To make the Framework more intuitive, and to better address current and future cybersecurity challenges and improvements, NIST have restructured their approach, adding a sixth core function, merging, renaming and removing some Categories and Subcategories (bringing the total number of controls to 106 from 108), and providing implementation examples to make the Framework more streamlined and easier to navigate.

Whether you’re a small business or a global enterprise, NIST’s streamlined and restructured framework makes cyber security more accessible, scalable and adoptable than ever.

NIST's Cybersecurity Framework 2.0: A Leap Forward for All Organisations

The expanded approach taken by NIST in this update is evidence of how dynamic the cyber security landscape is, and brings to the fore the critical enhancements that address the latest cyber threats, including the pervasive issues of ransomware attacks and supply chain vulnerabilities.

Version 2.0 incorporates feedback and input from a diverse group of stakeholders, including government agencies, industry partners, cybersecurity professionals, and academics. This feedback played a crucial role in identifying areas for improvement and refinement of the Framework to better meet the needs of all sectors, such as considering privacy requirements, and applying a cyber resilience lens to the Framework. The enhancements are designed to broaden its applicability, making sophisticated cyber security practices accessible to a wider range of organisations beyond those scoped by its predecessor. This inclusive approach ensures that businesses, regardless of their size or industry, can leverage the Framework to bolster their defences against the emerging threats of the digital age. The extended scope and incorporation of new strategic insights in version 2.0 underscore its role not just as a guide, but as a comprehensive resource for organisations aiming to navigate the complexities of cyber security in today’s interconnected world.

The 'Govern' Function: Strengthening Cyber Security from the Top Down

Perhaps the most notable inclusion in this revision is the new ‘Govern’ function, a transformative enhancement that focuses on cyber security governance (for those of you who are new to the cyber security game, governance refers to how organisations make and carry out informed and strategic cyber security decisions). The Framework’s governance function serves to validate what cyber security experts have said all along: that good cyber governance is crucial for ensuring effective cyber security practices.

It also emphasises the significance of integrating cyber security risk management with other critical organisational risks, such as financial and reputational risks. The Govern function aims to ensure the long-term effectiveness of the Framework, by ensuring the organisational context is understood, oversight mechanisms and risk management strategies are defined, and clear cyber roles and responsibilities are established.

There are six new Categories introduced under the Govern function to support sustainable implementation:

  • Organisational Context (GV.OC): focuses on how organisations make decisions about risk management, considering their organisational aims, their risks, and how they plan to deal with them
  • Risk Management Strategy (GV.RM): focuses on an organisation’s decision-making processes regarding risk, factoring in its risk tolerance and strategic assumptions
  • Cybersecurity Supply Chain Risk Management (GV.SC): a new consideration within the NIST CSF, to ensure organisations and their partners manage supply chains effectively. It’s about knowing the risks in and to the supply chain, setting up rules to manage those risks, and continuously checking and improving mitigating controls and processes
  • Roles, Responsibilities and Authorities (GV.RR): identifying the responsible bodies for cyber security responsibilities within an organisation, promoting accountability and continuous enhancement of cyber security practices
  • Policy (GV.PO): setting the ‘rules’ for cyber security within an organisation and ensuring they are followed, including actions to take to protect against cyber threats and how to respond if something goes wrong
  • Oversight (GV.OV): continuously improving and updating an organisation’s cyber risk management.

Together, these new categories aim to help organisations improve the operationalisation of their risk management and decision making, and increase the overall effectiveness of the Framework.

Additional Enhancements in NIST CSF 2.0

Like its predecessor, version 2.0 of the Framework outlines four Implementation Tiers (“Tiers”) to help organisations understand their approach to managing cyber security risk, and the effectiveness of the processes they have in place. The tiers remain consistent across both versions:

  • Tier 1: Partial
  • Tier 2: Risk-informed
  • Tier 3: Repeatable
  • Tier 4: Adaptive

What sets version 2.0 apart is its enhanced capability for organisations to assess the thoroughness of their cyber risk management processes and their ability to govern these risks. This allows for a more structured progression through the implementation tiers for both risk management and governance.

Moreover, this latest edition offers valuable insights to foster better communication on risk management amongst leaders, managers, and cyber security professionals. The introduction of the Govern function and the inclusion of privacy considerations, for instance, are facilitating high-level discussions on risk management approaches, the assignment of cyber roles and responsibilities, and the development of effective cyber policies, thus ensuring proper oversight of cyber security within organisations.

Why Care?

It’s essential that all organisations keep ahead of the curve, as cyber security threats become more complex and commonplace. As version 2.0 leverages insights from major cybersecurity incidents, prevalent cyber security trends, and threat intelligence, it is easier than ever to gain visibility of potential cyber threats and implement effective cyber security controls.

For many organisations implementing the Framework, cyber governance is now embedded in their business strategies, enabling broader organisational objectives, and encouraging integration of cyber security into enterprise risk management processes to ensure strategic decision-making considers cyber risks and any long-term implications.

The general consensus in the cyber community is that proactively identifying and addressing cyber security risk is no longer optional, but a necessity. With the updated Framework offering a more comprehensive, flexible, and scalable approach to cyber security, organisations are able to anticipate cybersecurity threats and efficiently and effectively respond to them. Version 2.0 has facilitated enhanced communication within organisations and amongst leadership and improved cyber resilience through continuous improvement programs built on better monitoring, management and adaptability.

So what’s the takeaway? It’s clear the new Framework offers clearer, practical guidance on how to tackle today’s most pressing cyber risks. Organisations that adopt and adapt to NIST CSF v2.0 are positioning themselves to thrive in an increasingly volatile cybersecurity landscape. As we look ahead, the continued adoption of version 2.0 will undoubtedly mark a significant leap forward in our collective cyber security resilience. If your organisation hasn’t yet taken advantage of NIST CSF v2.0, now might just be the time!

Need Help Navigating NIST CSF v2.0?

RightSec have supported organisations of all shapes and sizes with their NIST CSF journey.

If you’re looking to enhance your cybersecurity practices or need guidance on how to align with NIST CSF v2.0, we’re here to help. Whether it’s risk management, governance, or building a stronger cybersecurity posture, our expert team can provide the support you need – reach out to us today!

Want to learn more?

Find out how RightSec can help your organisation enhance their security posture with our Cyber Strategy and Consulting services.

Erica Barbosa - Co-Author

CYBER SECURITY ADVISOR

Tahlia Castles - Co-Author

CYBER SECURITY ADVISOR