NIST CSF 2.0: What you need to know

Organizations looking to protect their sensitive data and assets against cyberattacks may lack the ability to build a cybersecurity strategy without any structured help. The National Institute of Standards and Technology (NIST) has a free, public framework to help any organization mature its IT security posture. Recently, the institute published an updated version of the cybersecurity framework (CSF), NIST CSF 2.0, which contains a number of updates from the previous framework. I was recently part of a NIST 2.0 Webinar in which we discussed the value of using a framework for cybersecurity, the benefits of NIST CSF, and the changes from NIST 1.1 to NIST 2.0.

The Value of a Framework

Different frameworks exist for organizations to use to structure their path to a fortified security posture. A framework is a way to accelerate cybersecurity maturity and help with the adoption of new policies and measures. It provides a sense of structure for understanding and assessing risk and how to mitigate it.

Using a framework is much faster than building a cybersecurity strategy from scratch. Frameworks enable businesses to measure gradual progress based on metrics that would be difficult to quantify without a common language. Organizations can also use a framework to align policy, business, and technological approaches to managing cybersecurity risk.

Benefits of NIST CSF

The framework published by NIST has many benefits that businesses can reap. Because it has been developed by a standards organization, it is designed to meet a certain level of security. It is also easy to understand, free, and publicly available for any company to download and use.

It can be difficult for security teams to obtain the support of executives and boards, which can interfere with funding. The framework provides metrics by which to measure progress in the organization’s cybersecurity maturity journey. This makes it easier to point to concrete data showing the efficacy of the framework and obtain more C-level support for future security endeavors.

New Updates to NIST CSF

The original NIST CSF, released in 2014, was aimed mostly at critical infrastructure, but it has gained popularity in all sectors. NIST CSF 2.0 contains additional clarity on previous suggestions using common language and specific examples. It also includes a focus on target profiles—understanding, assessing, and prioritizing what needs to be done to mitigate risk and reach cybersecurity goals.

Governance Function

The older edition of NIST CSF had five primary functions: identifying, protecting, detecting, responding, and recovering. The biggest change in the most recent version is the addition of a sixth function: governance. This function helps organizations to understand new and evolving threats—like ransomware and AI-enabled attacks—and how to handle them, allowing for growth and the integration of new knowledge.

The most important features of the governance function are:

• Organizational Context: understanding circumstances surrounding cybersecurity risk management.
• Risk Management Strategy: priorities, constraints, and risk tolerance are established, communicated, and used to support operational risk decisions.
• Cybersecurity Supply Chain Risk Management: processes are identified, established, managed, monitored, and improved by stakeholders.
• Roles, Responsibilities, and Authorities: established and communicated to foster accountability, performance assessment, and continuous improvement.
• Policies, Processes, and Procedures: established, communicated, and enforced.
• Oversight: results of activities and performance are used to inform, improve, and adjust the risk management strategy.

Tips for Using NIST CSF 2.0

The new framework is clearer and more in-depth than the previous edition, but organizations may still require some guidance in order to use the framework to its fullest potential. Checking existing CSF profiles can help to determine where the gaps are in your organization. NIST also has the CSF reference tool to find particular examples of implementation.

Organizations are also recommended to ensure that business leaders are involved in the conversation surrounding the adoption of the CSF. It is vital for security and IT teams to work hand in hand with C-suite executives and boards to create a cybersecurity strategy that maximizes the success of the business. Everyone should be on the same page regarding drivers, objectives, and long-term business goals so security teams can make informed decisions.

It is also crucial for organizations to bear in mind the target profile and the threat landscape. Keeping one eye on the current state of the business and the other on the future, companies can anticipate trends and use the framework to smooth the process of their adaptation to new and evolving threats. The ability to change your approach to cybersecurity in response to threat trends is an important skill.

Conclusion

Using NIST CSF 2.0 can provide a great deal of support for any organization wanting to mature its cybersecurity posture. It helps businesses understand their cybersecurity maturity, define their cybersecurity goals, identify gaps between the current and target state, prioritize the gap remediation list, mitigate gaps, and reevaluate their maturity levels. This method of constant improvement, assessment, and adjustment enables organizations to establish and maintain a robust security strategy that has the ability to change to meet new threats as they arise.

The NIST CSF 2.0 is free and publicly available, and it uses a common language to make it easier to understand. Businesses can use this framework to assist in their cybersecurity maturity journey, providing guidance and structure for the process of fortifying cybersecurity measures and policies

Learn how Tripwire can help you utilize the NIST cybersecurity framework to reduce security risks and meet compliance requirements: https://www.tripwire.com/resources/datasheets/nist-800-171-compliance