NIST Cybersecurity Framework 2.0
On February 26, 2024, The U.S. National Institute of Standards and Technology (NIST) released the highly anticipated 2.0 version of their cybersecurity framework. The NIST Cybersecurity Framework (CSF) is a set of guidelines for mitigating organizational cybersecurity risks based on existing standards, guidelines, and practices. This updated version has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to organizations in any sector. It also has a new focus on governance and supply chain issues and offers resources to speed up the framework’s implementation.
Understanding NIST CSF 2.0
In the ever-evolving landscape of cybersecurity, staying ahead of emerging threats and ensuring robust defense mechanisms is of foremost importance. Significant technological changes have occurred since the inception of the framework, in addition to a need for improvements in clarity, alignment, and implementation towards consistent use. CSF 2.0, which builds on previous versions, is designed to help organizations of all sizes and sectors, including industry, government, academia, and nonprofit, to manage and reduce their cybersecurity risks. Additionally, the CSF 2.0 update allows the framework to keep pace and create closer alignment with other commonly used NIST cyber frameworks, like SP 800-53.
Key enhancements
The following are the major changes to the framework from version 1.1 to 2.0:
- Inclusion of a ‘Govern’ Function - CSF 1.1 framework consists of five functions: Identify, Protect, Detect, Respond, and Recover. A new sixth function, ‘Govern’ has been added in CSF 2.0, to provide guidance, context, and the roles and responsibilities associated with developing a cybersecurity governance model.
- Incorporation and Expansion of ‘Supply Chain Risks’ – CSF 2.0 incorporates and expands upon the supply chain risk management outcomes contained in CSF 1.1, and groups most of these under the ‘Govern’ function.
- Enhanced Quick Start Guidance - Special attention is paid to the ‘Quick Start Guides’ to ensure the CSF is relevant and readily accessible by smaller organizations as well as their larger counterparts.
- Additional Implementation Support - Implementation examples have been added to provide practical and action-oriented processes to help users achieve the CSF subcategories. Additionally, the framework profiles have been revised and expanded to demonstrate the various purposes of the profiles.
- Integration with Emerging Technologies – The NIST AI Risk Management Framework addresses risks related to cybersecurity and privacy which new technologies, like artificial intelligence (AI), bring in. CSF 2.0 provides guidance to integrate these risks along with other existing enterprise risks (e.g., financial, cybersecurity, reputational, and privacy).
Understanding the ‘Govern’ function
The Govern function provides outcomes to inform what an organization may do to achieve and prioritize the outcomes of the other five functions in the context of its mission and stakeholder expectations. NIST's CSF 2.0 document states, "Governance activities are critical for incorporating cybersecurity into an organization's broader enterprise risk management (ERM) strategy, roles and responsibilities, policy, and oversight at an organization, as well as better support communication of cybersecurity risk to executives”. That doesn't mean governance comes before the rest of the functions – NIST makes clear that all six "should be addressed concurrently" – but, because the Govern function plays a critical role in the management and oversight of other functions in the framework, CSF 2.0 places this function at a different level in their updated model.
Importance of ‘Supply Chain Risk Management’
The 'Govern' function better establishes cybersecurity supply chain risk management as a central component of the CFS Core. According to the CSF 2.0 framework, given “the complex and interconnected relationships in this ecosystem, supply chain risk management (SCRM) is critical for organizations. Cybersecurity SCRM (C-SCRM) is a systematic process for managing exposure to cybersecurity risk throughout supply chains and developing appropriate response strategies, policies, processes, and procedures. The subcategories within the CSF C-SCRM Category [GV.SC] provide a connection between outcomes that focus purely on cybersecurity and those that focus on C-SCRM.”
Online resources to supplement the CSF
CSF 2.0 features a set of online informative references that help to show the connection between the CSF and other cybersecurity frameworks, standards, guidelines, and resources. Functionality to down select informative references will help organizations to build Profiles to implement the CSF. The Quick Start Guides (QSG) on several topics, including how to draft cybersecurity supply chain risk management, makes adoption of CSF easy. Implementation examples provide more practical guidance to implement the framework.
Integration with emerging technologies
As technologies like AI, blockchain, and the Internet of Things (IoT) become more prevalent, CSF 2.0 provides guidance to securely integrate these innovations into existing infrastructures. For example, CFS 2.0 can be used along with NIST’s AI Risk Management Framework published in January 2023.
How we help
As the CSF 2.0 points out, an important aspect of effective cybersecurity is to establish clear roles and responsibilities across the firm for cybersecurity activities to ensure independence of oversight and assessment of activities. Aponix can help your firm not only build your cybersecurity program, but our team of regulatory and technology experts can help ensure your program has the proper level of independent oversight and guidance. Our services include:
- Aponix ProtectTM is a cybersecurity and technology risk solution that helps you build a comprehensive risk management program tailored to your business needs.
- ACA Signature combines cybersecurity with compliance advisory services, innovative technology and managed services for a scalable solution that can help you gain expert insight, guidance, and support as you navigate emerging challenges.
Reach out to your ACA consultant, or contact us to find out how ACA can help secure your firm against cyber threats and comply with regulatory expectations.