The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) has been a stalwart ally for organizations for years, providing guidance on understanding, evaluating and communicating about cybersecurity risks.
The release of NIST CSF 2.0, expected in early 2024, provides a paradigm shift. This blog post provides an in-depth exploration of the structure of the NIST CSF and the key changes coming in version 2.0.
Components of the NIST Cybersecurity Framework
The NIST CSF emerged in response to a 2013 Executive Order that tasked NIST with collaborating with the private sector to design a cybersecurity framework for managing cyber risk. The result was a voluntary framework that offers guidance based on established standards and best practices and comprises three foundational components:
- Core: The Core delineates desired cybersecurity outcomes, which are organized into Functions, Categories and Subcategories. Notably, it does not dictate specific methods for achieving those outcomes but instead gives organizations the flexibility to implement controls tailored to their unique needs.
- Tiers: The four tiers — Partial, Risk Informed, Repeatable and Adaptive — provide an assessment of how well an organization’s current cybersecurity risk management practices achieve the outcomes defined in the Core. Organizations can determine their desired tier based on goals, risk tolerance, skillset, and budget.
- Profiles: Profiles allow organizations to optimize the CSF according to their unique needs. In particular, by creating “Current” and “Target” profiles, organizations perform a gap analysis to identify opportunities for improving their cybersecurity posture, prioritize actions, estimate costs and create a targeted action plan.
Key Changes in NIST CSF 2.0
NIST CSF 2.0, which is currently in draft form and was open for public comment until November 4, 2023, introduces several significant changes to its scope:
Expanded Scope:
- Title shortened to “Cybersecurity Framework” to reflect broader usage.
- Explicit guidance extended to organizations of all sizes, sectors, and maturity levels.
- Emphasis on enabling smaller businesses to effectively utilize the framework.
Changes to Core Functions:
- Introduction of a sixth function, “Govern,” emphasizing governance-related outcomes.
- Restructuring of the existing functions—Identify, Protect, Detect, Respond, and Recover.
- Key goals outlined for each function, with several categories moved to the new Govern function.
Govern Function:
- A new foundational function addressing cybersecurity risk management strategy, expectations, and policies.
- Outcomes previously under Identify moved to Govern, including new categories like Oversight.
- Elevates the importance of governance, aligning cybersecurity with overall enterprise risk.
Expanded Guidance Around Profiles:
- Substantial revisions and expansions to profile guidance.
- In-depth examples and steps for creating and using profiles.
- Appendix A provides a template for creating a profile and an excerpt of a notional action plan template.
Many components originally categorized under “Identify” have undergone a transformation in NIST CSF 2.0, with many either split or entirely transferred to the new “Govern” function. The noteworthy shift is particularly evident in the “Oversight” segment, which underscores the overarching governance principles. This strategic restructuring involves elements that delve into policies and procedures, emphasizing not only the security aspect but also the internal organizational measures essential for seamless functionality.
The consolidation of these elements into a singular function holds significant importance for two pivotal aspects: transparency and accountability. The incorporation of “Oversight” serves a crucial purpose, aligning with regulatory frameworks such as SEC regulations, where there is a heightened emphasis on the responsibility of the Board of Directors and senior management. This collective responsibility underscores the imperative role these entities play in making substantive decisions pertaining to IT security.
Below, we break down the key elements of NIST CSF 2.0, exploring its expanded scope, changes to core functions, the introduction of the “Govern” function, and the enriched guidance around profiles.
Changes to Core Functions
Perhaps the most anticipated change in NIST CSF 2.0 is the introduction of a new core function and restructuring of the five existing functions:
Introduction of a Sixth Function: “Govern”
NIST CSF 2.0 introduces a new “Govern” function, underscoring the critical role of governance in cybersecurity risk management. It acts as a unifying force that helps organizations prioritize and achieve outcomes specified in the other five functions and elevates the core goals of transparency and accountability. It emphasizes that cybersecurity is not a standalone concern but an integral part of enterprise risk.
In particular, the Oversight component of the new function helps organizations align with regulatory frameworks, such as SEC regulations, that place a heightened emphasis on the responsibility of the Board of Directors and senior management when making decisions pertaining to IT security.
Restructuring of the Original Functions
The five original functions (Identify, Protect, Detect, Respond, and Recover) have been revised to enhance clarity and relevance, and governance-related components have been moved to the new Govern function. In addition, key goals for each function are now explicitly outlined. This restructuring aims to facilitate a more coherent and interconnected approach to cybersecurity, acknowledging that these functions are not linear steps but rather interdependent components of a comprehensive cybersecurity strategy.
Expanded Guidance around Profiles
To meet evolving cybersecurity needs, NIST CSF 2.0 includes substantial revisions and expansions to the guidance around profiles to help organizations utilize profiles effectively. The update includes:
- Examples and step-by-step instructions — NIST CSF 2.0 provides in-depth examples of profiles and detailed steps for their creation and use, helping organizations use the framework effectively to address their unique cybersecurity needs and objectives.
- Profile template — Appendix A offers a profile template to help organizations create profiles that will help them achieve the outcomes detailed in the Core. A list of additional elements that can be incorporated into a profile enhances its utility.
How Netwrix can help
Netwrix solutions provide organizations with real-time visibility into their IT environments, empower them to align with the six key functions of NIST CSF 2.0. In particular, they can accurately identify and categorize their IT assets both on premises and in the cloud, identify and remediate cybersecurity risks, promptly spot and respond to active threats, and speed recovery and post-incident analysis. Data access governance (DAG) solutions are especially suited to the new Govern function of NIST CSF 2.0.
The expanded scope, core function adjustments and enriched guidance around profiles in NIST CSF 2.0 position the framework as a dynamic and indispensable tool for organizations worldwide. Indeed, embracing the changes in NIST CSF 2.0 is a strategic imperative for any organization committed to fortifying its cybersecurity posture.
Stay tuned for further updates as we approach the expected release of NIST CSF 2.0 in early 2024.