NIST CSF 2.0: The next generation!
Continuing our blog series on the NIST Cybersecurity Framework (CSF), we’re going to look at what’s new in the forthcoming version 2.0 of the CSF. The NIST CSF is a living document, which must continue to reflect the ever-changing cybersecurity landscape. The framework was first published as v1.0 in 2014 and updated to v1.1 in 2018; NIST has now decided that the next release warrants a new major version, as it is the most significant update since the framework was first published.
The process for updating the framework started in early 2022 and has been through many workshops with stakeholders. At the time of writing, the CSF v2.0 is not yet published but NIST has now released the final draft for feedback and will not release another one before publication, so we can be reasonably confident that the current draft is close to the final version.
What’s new in v2.0 of the NIST CSF?
At a high level, NIST has acknowledged that the framework is now used far beyond its original intended audience of US organisations managing critical infrastructure, and has adopted the commonly used name “Cybersecurity Framework” as the official title of the document, replacing the former “Framework for Improving Critical Infrastructure Cybersecurity”.
The new version also provides much more guidance and examples on the practical approach to implementing the framework using Profiles: a Current Profile describing the outcomes the organisation achieves today and a Target Profile describing where it wants to be. Profiles are used to align to regulatory requirements, set cybersecurity goals, identify cybersecurity gaps, create implementation roadmaps, and communicate cybersecurity requirements to stakeholders, including suppliers.
The importance of Cybersecurity Governance
Those familiar with the current NIST CSF will know that the document is split into five Functions, each grouping the categories of related cybersecurity outcomes: Identify, Protect, Detect, Respond and Recover. The biggest change in v2.0 is the addition of a sixth Function, sitting right at the start of the list: “Govern”.
The new Govern function contains categories that predominantly fell into the Identify function of the previous version and augments them with outcomes drawn from elsewhere in the framework. Important elements such as Organisational Context, Risk Management Strategy and Cybersecurity Supply Chain Risk Management are now all contained within the new Govern function. Alongside these are the categories of Roles, Responsibilities and Authorities; Policies, Processes and Procedures; and Oversight.
This new function gives the NIST CSF a much closer alignment to ISO/IEC 27001, which defines similar requirements for implementing and operating an Information Security Management System (ISMS) and is the basis on which organisations can be certified to that international standard. However, it can be quite tempting for those implementing security controls to overlook these elements and rush straight to Annex A of ISO 27001, and the detailed implementation guidance of ISO 27002, implementing only the technical controls without the governance (the management-system clauses of the standard) that has to sit around them.
Hopefully, this change will encourage and guide those using NIST CSF v2.0 for their own cybersecurity controls to take a balanced, risk-based approach: one that counters the threats faced by their own organisation while also aligning to business priorities and company strategy, so that security does not become an inhibitor to progress.
Other changes in v2.0
As well as the new Govern function, there are many other changes throughout the framework, including:
A greatly expanded category of Cybersecurity Supply Chain Risk Management, as part of the new Govern function, gives far greater detail on the risks posed by third parties and acknowledges what a significant concern this is for any organisation.
A new Improvement category within the Identify function consolidates several references to improvement that were previously scattered across the Protect, Detect, Respond and Recover functions, and reflects the importance of measuring the effectiveness of controls, testing, and identifying lessons learned.
Security awareness and training has been simplified and consolidated to focus on training for all personnel plus the tailored training required for specialised roles in the organisation, rather than listing privileged users, third parties, executives and physical security personnel as separate outcomes as v1.1 did.
Vulnerability Management is now covered by Risk Assessment in the Identify function (identifying and assessing vulnerabilities) and by Platform Security in the Protect function (patching and hardening). This consolidates several separate references to vulnerability management in v1.1 of the framework and links it more closely to the management of risk and of technology, rather than treating it as a concept of its own.
The Respond function now has a specific category called “Incident Management”, which is a far clearer term, and many elements of other categories have been consolidated into it. Combined with the updated categories of Incident Analysis and Incident Response Reporting and Communication, this aligns well with incident management processes in many security operations centres.
The Recover function has received a much-needed update and expansion to cover the critical elements of executing incident recovery plans and communicating during recovery.
In future posts, we will look more closely at each function of the new NIST CSF v2.0 to discuss how these changes might practically affect the implementation and operation of the framework.
The full draft is available from NIST.