NIST Cybersecurity Framework 2.0: Preparing for the Future of Information Security

Ibrahim Akdağ | Ph.D.
6 min read · Apr 28, 2023

The NIST Cybersecurity Framework (CSF or Framework) guides organizations to understand better, manage, reduce, and communicate cybersecurity risks. It is a foundational and essential resource used by all sectors worldwide. Despite evolving cybersecurity risks, many respondents to the NIST Cybersecurity RFI reported that the CSF effectively addresses cybersecurity risks by facilitating governance and risk management programs and enhancing communication within and across organizations. The CSF has been adopted voluntarily and in governmental policies and mandates worldwide, reflecting its enduring and flexible nature to transcend risks, sectors, technologies, and national borders.

The modifications from CSF 1.1 are intended to increase clarity, ensure a consistent level of abstraction, address changes in technologies and risks, and improve alignment with national and international cybersecurity standards and practices. While many organizations have told NIST that CSF 1.1 is still effective in addressing cybersecurity risks, NIST believes these changes will make it easier for organizations to address their current and future cybersecurity challenges more effectively.

The new draft identifies the potential Functions, Categories, and Subcategories of the NIST Cybersecurity Framework (CSF) 2.0 Core. This early draft of the NIST CSF 2.0 Core covers cybersecurity outcomes across six Functions, 21 Categories, and 112 Subcategories. It is intended to increase the transparency of the update process and promote discussion that generates concrete suggestions for improving the Framework.

The Road Map

The graphic below highlights key milestones of the development and continued advancement of the Cybersecurity Framework. Following the graphic is an illustrative list of all key and intermediary dates and events in chronological order.

Along with the more high-level changes to the NIST CSF, there will also be content changes to the Framework itself. One of the more significant changes announced is the introduction of a new Function, Govern. This new Function will expand on existing Categories within the Identify Function, such as ID.GV, ID.RM, and ID.RA. These changes convey the priority of understanding how to manage the risks and threats that organizations face, and allow more detailed and measurable data to be generated on these topics.

As with v1.1, NIST has identified the need to expand the current Categories that address supply chain risk management from a security perspective. Security professionals can look to v2.0 to better address these topics in a market landscape increasingly dependent on external service providers.

Remain technology- and vendor-neutral, but reflect changes in cybersecurity practices

CSF 2.0 will remain technology- and vendor-neutral. NIST recognizes that the technology landscape has changed significantly since the initial publication of the CSF. While RFI comments proposed that the Framework address specific topics, technologies, and applications in CSF updates, others cautioned against jeopardizing the broad applicability of the CSF. To remain technology-neutral, NIST will work to review the CSF so that its general outcomes can continue to be leveraged by organizations regardless of the technology or services they employ, including IT, IoT, OT, and cloud services.

Add a new Govern Function

Reflecting substantial input to NIST, CSF 2.0 will include a new “Govern” Function to emphasize cybersecurity risk management governance outcomes. While the five CSF Functions have gained widespread adoption in national and international policies, including ISO standards, NIST believes there are many benefits to expanding the consideration of governance in CSF 2.0. This new crosscutting Function will highlight that cybersecurity governance is critical to managing and reducing cybersecurity risk. Cybersecurity governance may include determining priorities and risk tolerances of the organization, customers, and larger society; assessing cybersecurity risks and impacts; establishing cybersecurity policies and procedures; and understanding cybersecurity roles and responsibilities. These activities are critical to identifying, protecting, detecting, responding, and recovering across the organization, as well as overseeing others who carry out cybersecurity activities for the organization, including within the supply chain of an organization. Elevating governance activities to a Function would also promote aligning cybersecurity activities with enterprise risks and legal requirements.

Improve discussion of relationship to risk management

Revising the CSF offers an opportunity to clarify the relationship between governance and cybersecurity risk management across the CSF narrative and Core. CSF 2.0 will describe how an underlying risk management process is essential for identifying, analyzing, prioritizing, responding to, and monitoring risks, how CSF outcomes support risk response decisions (accept, mitigate, transfer, avoid), and various examples of risk management processes (e.g., Risk Management Framework, ISO 31000) that can be used to underpin CSF implementations.

Expand coverage of the supply chain

Managing cybersecurity within the supply chain was one of the key additions in the last update to the CSF. Since then, even more attention has been paid to developing guidance that increases trust and assurance in technology products and services, including guidance developed under the Executive Order “Improving the Nation’s Cybersecurity” (EO 14028). CSF 1.1 added the “Supply Chain Risk Management” (ID.SC) Category; expanded Section 3.3, Communicating Cybersecurity Requirements with Stakeholders, to better explain cyber supply chain risk management (C-SCRM); added a new Section 3.4, Buying Decisions, to highlight the use of the Framework in understanding risks associated with off-the-shelf products and services; and incorporated C-SCRM criteria into the CSF Tiers. In addition, third-party management is included as a consideration within broader CSF outcomes across the Framework Functions.

Preparing for NIST CSF v2.0: Changes, Challenges, and Opportunities

Adopting this release should be straightforward for organizations that already use the current iteration of the Framework as a tool to improve their information security program. The additional resources that NIST is producing alongside the v2.0 release should give leaders and security professionals the support they need to transition to the new CSF.

Because of the material changes being implemented, organizations may face minor difficulties conducting year-over-year security program analyses immediately after the initial release. However, most content in the CSF will remain the same and should not drastically change any metrics being tracked over time.

Similarly, organizations should expect third-party risk assessments based on NIST CSF 2.0 to look slightly different. The new Govern Function and the expanded supply chain content will bring a higher level of scrutiny to these topics, and security program stakeholders should be prepared for it. Additionally, implementation guidance will become a regular talking point between stakeholders and assessors, used to provide reasoning and support for current processes and to discuss future projects and improvements. Overall, we expect v2.0 to help more than hinder, but organizations should prepare in advance to apply a different approach and strategy when using the new Framework.

If you want to strengthen your organization’s cybersecurity program and need assistance navigating the upcoming changes to NIST Cybersecurity Framework, contact the EasyCompliance team of industry experts today.
