In celebration of its 10th anniversary, the National Institute of Standards and Technology (NIST) has finally updated its cybersecurity framework, now known as the NIST Cybersecurity Framework 2.0. This isn’t a minor facelift. It's a substantial revamp further improving what's already regarded as the gold standard of cyber risk management frameworks.
To learn about the key changes in NIST CSF 2.0, and how they could impact your cybersecurity posture improvement efforts, read on.
Top 4 NIST CSF 2.0 Changes
The four most notable changes in NIST CSF 2.0 are outlined below.
You can use this free NIST CSF risk assessment template to monitor how your vendors align with the updated NIST CSF framework.
1. Revamped respond and recover functions
Arguably, the most impactful change in NIST CSF 2.0 is its increased attention to the Respond and Recover functions - functions that received disproportionately little attention in version 1.1 of NIST CSF.
The Respond function now maps to cyber incident response outcomes that are genuinely actionable rather than addressed only at a high level. To illustrate the more targeted nature of the Respond function in the new framework, here's a comparison between the category lists of version 1.1 and version 2.0.
2. Introduction of a new(ish) function: Govern
The most prominent change in version 2.0 of the CSF is the addition of a Govern function, bringing the total number of core functions to six. Though an addition to the original core, the Govern function isn't entirely new: much of its detail consolidates category information from version 1.1, making version 2.0 much neater and simpler to understand - an attribute that's now a defining aspect of the new and improved NIST CSF.
For example, in version 1.1 of NIST CSF, outcomes for Roles and Responsibilities were spread across the PR.IP and ID.BE categories. Now, they're conveniently consolidated in the Govern function.
The other benefit of integrating GRC outcomes into NIST CSF is that it allows non-technical stakeholders to understand how their governance duties intersect with cybersecurity risk management tasks, giving board members a seat in strategic cybersecurity decisions - an arrangement that's becoming an increasingly critical requirement.
Learn how to create a cybersecurity report board members will actually appreciate >
The sixth function (Govern) in NIST CSF 2.0 ensures stakeholders remain informed about cybersecurity practices and action plans.
3. Increased focus on supply chain risk management
With plenty of supply chain attacks occurring since NIST CSF was initially launched in 2014, NIST has, as expected, increased its focus on Cybersecurity Supply Chain Risk Management (C-SCRM) in its new framework. Most of these outcomes are nested in the Govern function, giving stakeholders and C-suite staff more oversight of an attack vector that costs businesses an average of USD 4.76 million when exploited.
By 2025, 45% of organizations worldwide will have been impacted by a software supply chain attack, a three-fold increase since 2021.
- Source: Gartner
4. Expanded industry scope (and much clearer guidelines)
Though originally designed to help critical infrastructure operators bolster their cyber threat resilience in response to the 2013 Executive Order 13636, NIST CSF has been widely adopted by almost every industry for one simple reason - it just works, really, really well.
NIST CSF 2.0 is NIST's attempt to rebrand its cyber framework from one that's critical infrastructure-centric to one that's more industry-agnostic. This shift isn't just reflected in the framework's new name (the official name of the first edition was Framework for Improving Critical Infrastructure Cybersecurity; now it's known as The NIST Cybersecurity Framework (CSF) 2.0) but also in its much clearer communication.
For example, in NIST CSF Version 1.1, subcategory 1 of the Information Protection category was as follows:
- PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
Pretty confusing, right?
Now, compare this language to how the Platform Security subcategories are written in version 2.0:
- PR.PS-01: Configuration management practices are established and applied
- PR.PS-02: Software is maintained, replaced, and removed commensurate with risk
- PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk
- PR.PS-04: Log records are generated and made available for continuous monitoring
- PR.PS-05: Installation and execution of unauthorized software are prevented
- PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle
By expanding from the more technical critical infrastructure sector, NIST CSF 2.0 is now a helpful cybersecurity guide that can be easily understood by organizations of all sizes.
Clearer communication means that cybersecurity initiatives are now much simpler to communicate with stakeholders and board members who tend not to be comfortable with technical cybersecurity jargon.
Learn how UpGuard further closes the technical deficit between cybersecurity teams and stakeholders with its cybersecurity reporting features.
Find out more >
This expanded scope of focus also brings about other much-needed changes.
(a). We (finally) have implementation examples
Previously, users had to essentially offer their best guess to decipher the technical desired outcomes in NIST CSF. Now, in version 2.0, this veil of obscurity is completely removed with the addition of implementation examples - yes, NIST CSF 2.0 finally has tangible examples of how to achieve its desired outcomes!
For example, subcategory three of Organizational Context under the Govern function is as follows:
GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed
There's a lot to unpack here, which increases the risk of being led down multiple needlessly convoluted implementation pathways.
But now, with the support of implementation examples, the guesswork is completely eradicated:
Implementation Examples: GV.OC-03
- Ex1: Determine a process to track and manage legal and regulatory requirements regarding protection of individuals' information (e.g., Health Insurance Portability and Accountability Act, California Consumer Privacy Act, General Data Protection Regulation)
- Ex2: Determine a process to track and manage contractual requirements for cybersecurity management of supplier, customer, and partner information
- Ex3: Align the organization's cybersecurity strategy with legal, regulatory, and contractual requirements
The public draft of NIST CSF 2.0 implementation examples can be accessed here.
By providing implementation examples in addition to a much clearer communication style, NIST CSF version 2.0 now makes the attainment of a resilient security posture a possibility for more businesses than ever before.
Implementation examples clarify the specific cybersecurity challenges being addressed, and shed a bright light on how to actually overcome them.
(b). Updated informative references and quick start guides
To streamline implementation, NIST has overhauled its informative references and quick start guides. Collectively, the quick start guide library addresses just about all dimensions of NIST CSF implementation, including how to use Community Profiles, and a guide on C-SCRM - a great resource for stakeholders and board members feeling a little apprehensive about their increased supply chain governance duties.
The revamped NIST CSF quick start guides allow security teams and stakeholders to jump straight into risk management strategy planning with minimal implementation friction.
The refreshed quick start guides allow everyone, regardless of their cyber experience, to benefit from the cyber risk mitigation advantages of NIST CSF, from small businesses to enterprise risk managers and CISOs.
Access the NIST CSF quick start library here.
Access the NIST CSF 2.0 reference tool here.
(c). Addition of community profile templates
NIST organizational profiles simplify the process of tailoring NIST CSF to an organization’s unique security objectives and intended outcomes - they help you bridge the gap between your current cybersecurity posture and your target cybersecurity posture.
Access the CSF 2.0 Organizational Profile template here.
For guidance with specific implementation use cases, the Cyber Risk Institute offers a profile template (in .xls format) mapping NIST CSF 2.0 to specific standards, such as FFIEC (CAT) and NYDFS. This template even includes a plan for utilizing NIST CSF 2.0 to achieve greater resilience against today’s most dangerous cybersecurity threat - ransomware.
Learn how to defend against ransomware with this ultimate guide >