Tom Faraday

Director, Product Management

NIST CSF 2.0: A closer look at the latest revisions to the NIST Cybersecurity Framework

Released in February 2024, the NIST Cybersecurity Framework 2.o is the latest revision in a set of procedures and guidelines developed to help organizations improve cybersecurity measures. NIST CSF 2.0 provides resources regarding practices and controls to attain positive outcomes. It was launched by the National Institute of Standards and Technology (NIST), a part of the U.S. Commerce Department.

Robust cybersecurity processes are vital for any organization. With ever-changing developments in technology and digital applications, organizations are becoming increasingly exposed to growing cyber threats, as more digital solutions are integrated across business operations. The latest enhancements to the NIST Cybersecurity Framework helps to improve IT governance and risk management through best-practice guidelines and supports communication of cybersecurity-risk to leadership.

The framework is used by federal agencies and has proven popular with organizations of all sizes across the U.S. It has also been used or adapted by international companies and governments.

This article explores:

• What the NIST Cybersecurity Framework 2.0 is
• The difference between NIST CSF 1.1 and 2.0
• The benefits of using the NIST framework

NIST Cybersecurity Framework 2.0 explained

So, what exactly is NIST CSF 2.0 used for? The framework was first published in 2014 by the National Institute of Technology. It was developed with input from research institutes, industry and government, created to standardize cybersecurity within organizations dealing with critical infrastructure. It has since been adopted by organizations across a range of industries.

Popular because of its flexibility, organizations can customize and use the framework to meet their specific cybersecurity needs. It can be used to understand the critical elements of an organization's service delivery, making cybersecurity planning cost-effective.

NIST CSF 1.1 vs. NIST CSF 2.0: What is the difference?

NIST version 2.0 makes a range of improvements over the previous NIST guidelines. This update brings a long-running discussion into reality, the addition of "govern" as a core function. This inclusion is meant to “highlight the importance of governance and supply chains,” as described by NIST’s own publication.

Nithya Das, Chief Legal & Administrative Officer at Diligent, said about the inclusion of the governance function: “The latest framework [from NIST] demonstrates that cybersecurity is no longer an IT problem — it is an organization-wide problem, and one that management and the boards need to be up to speed on. The introduction of a governance function is cohesive with the SEC’s recently adopted cyber rules that require boards to demonstrate their oversight of cyber. Both cyber regulations and frameworks now state that providing executives and the board with an understanding of cyber risk and how it affects organizational objectives is a crucial piece to risk management.”

The table below highlights the key differences between NIST CSF 1.1 and NIST CSF 2.0 across various aspects of the framework:

How can this framework benefit your organization?

The NIST CSF 2.0 brings a range of benefits to all organizations. Security breaches and cyber threats can have a huge financial impact, alongside the impact made on reputation.

The framework can not only help organizations prevent, resolve and recover from serious cybersecurity incidents but also uncover positive opportunities. NIST offers this example on page 4 of their guide, “...first offering excess facility space to a commercial hosting provider for hosting their own and other organizations’ data centers, then moving a major financial system from the organization’s in-house data center to the hosting provider to reduce cybersecurity risks”

The NIST Cybersecurity Framework 2.0 helps organizations:

• Improve and support existing IT risk management plans
• Embed clear guidelines to prevent and resolve cybersecurity incidents
• Prepare for restoring normal operation after serious cybersecurity breaches
• Create a cybersecurity risk management process tailored to the organization's needs
• Encourage a systematic approach to cybersecurity
• Build an understanding of cybersecurity risks across the entire organization
• Clearly communicate cybersecurity risks to executives and board members

3 components of the NIST CSF 2.0

The NIST Cybersecurity Framework is made up of three components:

1. CSF Core: serves as the central framework for managing cybersecurity risks, comprising functions, categories and subcategories that delineate high-level cybersecurity outcomes. These outcomes are designed to be understood by individuals across all levels of an organization, from executives to practitioners, regardless of their cybersecurity expertise. Importantly, these outcomes are adaptable across various sectors, countries, and technologies, allowing organizations to tailor their approach to address their specific risks, technologies, and mission requirements.
2. CSF Organizational Profiles: These profiles provide a means for organizations to describe their current or desired cybersecurity posture using the outcomes defined in the CSF Core.
3. CSF Tiers: Tiers offer a method for characterizing the rigor of an organization's cybersecurity risk governance and management practices. They offer insights into how an organization perceives and manages cybersecurity risks, providing valuable context for stakeholders.

The 6 functions of the NIST Cybersecurity Framework 2.0

A vital part of the NIST Cybersecurity Framework are the six functions found within the core component. Each function represents an important step in cybersecurity risk management and contains an array of categories and subcategories.

The six functions are:

1. GOVERN (GV)

• Establishes and communicates the organization's cybersecurity risk management strategy, expectations, and policy
• Monitors and oversees the implementation of cybersecurity strategy
• Provides outcomes to prioritize actions for achieving goals of other functions in alignment with organizational mission and stakeholder expectations
• Critical for integrating cybersecurity into the broader enterprise risk management (ERM) strategy
• Addresses organizational context, cybersecurity strategy, supply chain risk management, roles, responsibilities, authorities and policy

2. IDENTIFY (ID)

• Understands the organization's current cybersecurity risks
• Identifies assets, suppliers, and related cybersecurity risks
• Prioritizes efforts based on risk management strategy and mission needs
• Identifies improvement opportunities for policies, plans, processes, procedures and practices supporting cybersecurity risk management.

3. PROTECT (PR)

• Implements safeguards to manage cybersecurity risks
• Secures assets to prevent or reduce the likelihood and impact of adverse cybersecurity events
• Outcomes include identity management, access control, awareness training, data security and platform resilience

4. DETECT (DE)

• Finds and analyzes possible cybersecurity attacks and compromises
• Enables timely discovery and analysis of anomalies and indicators of compromise
• Supports incident response and recovery activities

5. RESPOND (RS)

• Takes actions in response to detected cybersecurity incidents
• Supports containment of incident effects
• Outcomes include incident management, analysis, mitigation, reporting and communication

6. RECOVER (RC)

• Restores assets and operations affected by cybersecurity incidents
• Supports timely restoration of normal operations
• Enables appropriate communication during recovery efforts

Using the NIST Cybersecurity Framework

The NIST CSF 2.0 is optional for most private businesses or organizations. However, the value it brings to IT governance and risk management means it has become popular with organizations of all sizes.

The tiers component of the Cybersecurity Framework helps organizations implement it. Different levels of cybersecurity risk management are outlined, streamlining the process of embedding the framework.

It is both scalable and customizable. It can be used by organizations to create new cybersecurity processes as well as those with long-established IT risk management programs. Elements can be fine-tuned to fit the needs and budgets of both small and large organizations. It will take time and resources to properly embed the NIST Cybersecurity Framework, but the potential cost of a cybersecurity breach is much greater.

But with this latest update to NIST CSF 2.0, what should leaders do next? Das puts it this way: “For many business leaders, the next step beyond the recent NIST announcement is going to be assessing how cyber risk is viewed among other risks and priorities. Does your organization have the tools to support a consolidated view of risk in a single platform? Then, revisiting how cybersecurity insights are surfaced to management and the board. CISOs are faced with an overwhelming amount of IT and cyber risk data. Having software that can help you aggregate that data and organize it into a meaningful, consumable format will help tell the right story and facilitate more meaningful, productive conversations on cyber risk.”

Diligent can help manage threats across your organization

Today’s organizations face a rapidly evolving risk management landscape, and their IT and information security teams must ensure compliance with everchanging frameworks, standards and regulations in order to obtain the important security certifications they need to do business.

The NIST Cybersecurity Framework can be a catalyst for change inside your organization if it’s properly implemented using the right technology. There is only one solution on the market that offers a single source of truth among GRC functions and provides curated insights directly to the board and that’s Diligent One Platform.

Discover how the Diligent One Platform can enhance the way your organization implements standards and frameworks like NIST CSF 2.0.