Everything You Need To Know About The Nist Cybersecurity Framework 2.0

This week NIST released the highly anticipated update to the Cybersecurity Framework (CSF).  Here’s everything you need to know about v2.0.  

The CSF has become an extremely popular and practical framework for organizations trying to get a handle on their cybersecurity maturity.  Initially released in 2013, the CSF was a response to President Obama’s Executive Order tasking NIST to work with the private sector to build a standards framework based on a consensus of industry best practices. CSF 2.0 builds on that already successful document with several improvements. First things first: here’s the link to CSF 2.0.

The update process is fairly lengthy, beginning in 2022 with reviews and public comments, so anyone who has been following along won’t be surprised by the changes.  All of the significant updates have been discussed publicly through various working groups and requests for comment.  While slow, this process allows for input and consensus from a wider range of stakeholders to build a document that is more useful to a larger audience.  In particular, this updated version will be more useful for smaller organizations who have the same security concerns as enterprises, but fewer resources and more challenges prioritizing security goals.

The first significant change is an acceptance of the commonly accepted name.  Technically, version 1.1 was the “Framework for Improving Critical Infrastructure Cybersecurity,” but that doesn’t exactly roll off the tongue.  With 2.0, it is now officially the NIST Cybersecurity Framework.  

Secondly, the updates were specifically designed to make the framework more accessible to organizations of all sizes and maturity. This is largely accomplished by introducing tiers and profiles.  Tiers are basically different levels of intended maturity around each control’s implementation, such as Partial, Risk-informed, Repeatable, and Adaptive.  This allows organizations to use more nuance internally when discussing the level of implementation for each control.  Profiles are designed to tailor the CSF to each organization’s unique circumstances.  This is a best practice that many companies have used with the CSF for over a decade, but now it’s more formally documented in the framework.  NIST also released a Profile Template to assist organizations in outlining their Current and Target priorities along with in-depth examples.

A third significant improvement is the introduction of governance as a category of controls.  Previously, the CSF separated controls into Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC).  Version 2.0 adds a new category to the previous list called Govern (GV). This added new controls, such as a sub-category for Oversight, and restructured several of the controls previously found in Identify and other categories.  This is intended to allow increased focus on policy-based risk management controls that often fall into the GRC category for larger organizations.

Finally, NIST has also released two different reference tools that make it easy to search the framework and identify relevant controls.  The first is the user-friendly CSF 2.0 Reference Tool that can be searched online or exported in JSON or CSV for consumption by other tooling. Additionally, the Cybersecurity and Privacy Reference Tool provides more in-depth searches of control terms across other NIST documents and resources.  

If your organization hasn’t used the CSF before and doesn’t have a structured framework for improving its cybersecurity posture, this is a good time to check it out.  Contact Secure Ideas if we can help figure out how to move forward with the CSF or any other security framework.