
What You Need to Know About the NIST Cybersecurity Framework 2.0

Massimiliano Mandolini, Product Marketing Director | November 19, 2024

Update: This blog has been updated to include the new CISA Cross-Sector Cybersecurity Performance Goals that are now organized to align with NIST CSF 2.0.

Ten years ago, the National Institute of Standards and Technology (NIST) released the Cybersecurity Framework (CSF) 1.0 following an Executive Order from President Obama to help companies and governments facing cybersecurity attacks.

In 2014, data breaches were escalating. Major Fortune 500 companies and household names, such as Target, Yahoo, 7-11, Visa, and more, suffered large-scale customer data theft, online fraud and malware attacks. It was also the time of Edward Snowden and the NSA information leaks – and of criminal organizations skimming physical ATM machines.

The NIST Cybersecurity Framework has become one of the most widely recognized approaches to managing security risk in the world. It established five foundational functions: Identify, Protect, Detect, Respond and Recover.

In 2018, version 1.1 was updated to include:

  • Authentication and identity
  • Self-assessing cybersecurity risk
  • Managing cybersecurity within the supply chain
  • Vulnerability disclosure

The latest version, NIST CSF 2.0, was published in March 2024. It has been expanded to address today’s risk landscape and the expanding attack surface.

Critical infrastructure hacked. Supply chains disrupted. Ransomware causing major financial and public safety problems. Between 2022 and 2023, ransomware grew by over 70%, according to the SANS Institute.

The NIST cybersecurity framework has been developed with help and feedback from risk, compliance and security practitioners from a wide set of industry verticals. So, the framework feels more inclusive – and is more flexible for a broader set of organizational sizes.

Governance is now front and center in version 2.0, and it reflects the more comprehensive, formally recognized level of risk management and compliance that organizations need given today’s threat environment.

“The Govern function aims to help organizations incorporate cybersecurity risk management into broader enterprise risk management programs by presenting ‘outcomes,’ or desired states, to inform what an organization may do to achieve and prioritize the outcomes of the other five functions,” explains Cynthia Brumfield, author of the book “Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework.”

See exactly how the Forescout Platform maps to NIST CSF 2.0

Get the eBook

Governance means leadership taking on a more active and accountable role in cybersecurity policy, which appears to be a consistent theme across standards and regulatory bodies.

“The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio.

Making governance a priority is also a clear mandate for publicly traded companies regulated by the Securities and Exchange Commission (SEC) in the US. Recent SEC rules mandate disclosure and analysis of the security leadership function, its roles and responsibilities, and codify exacting disclosure timelines for investors.

What Else Is New in NIST CSF 2.0?

Beyond the ‘Govern’ function, NIST CSF 2.0 emphasizes continuous control and continuous improvement. And it starts with clearer language that appeals to more industries. It includes a few new precise categories and subcategories that address risk-based control measurement. Data privacy is also addressed in every section.

Key Sections of the Framework

Framework Core is a set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure sectors. It consists of six concurrent and continuous Functions: Govern, Identify, Protect, Detect, Respond and Recover.

Implementation Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework, over a range from Partial (Tier 1) to Adaptive (Tier 4).

Framework Profile represents the Core Functions’ Categories and Subcategories prioritized by an organization based on business needs and can be used to measure the organization’s progress toward the Target Profile.

Organizational Profiles are customizable structures that allow organizations to align their actions, policy and objectives to the Core Framework.

Informative References are guidelines and practices that outline how to achieve the business and technical outcomes defined. NIST provides downloadable implementation examples too.

NIST also provides a repository of quick start guides – including by business type, such as small business or enterprise – and it includes a section on Cybersecurity Supply Chain Risk Management (C-SCRM) to help organizations “become smarter acquirers and suppliers of technology products and services.”

Go deeper. Get the eBook.

Challenges of NIST

Because it is a framework and not a regulation, NIST adoption and adherence can have its challenges. No single framework can easily appeal to, and apply to, every situation or technology infrastructure. But as an approach, it is one of the most widely used in the world. Here’s how Brumfield explains the situation:

“Since the framework’s inception, NIST has taken care not to prescribe any particular steps organizations should take, given that every organization has unique technical and resource configurations. Instead, NIST has referred to outcomes, which some argue offer little practical guidance on what specific actions organizations should take.”

CISA’s Cross-Sector Cybersecurity Performance Goals Are Now Aligned with NIST CSF 2.0

The US Cybersecurity & Infrastructure Security Agency (CISA) has released Cross-Sector Cybersecurity Performance Goals (CPGs) that are a subset of cybersecurity practices “selected through a thorough process of industry, government, and expert consultation, aimed at meaningfully reducing risks to both critical infrastructure operations and the American people.”

In 2024, CISA released Sector-Specific Goals (SSGs) that are tailored for organizations in select critical infrastructure sectors including:

And, according to CISA, there are two more set to release this year:

  • Information Technology Sector SSGs
  • Financial Services Sector SSGs

CISA identifies that there are 16 critical infrastructure sectors with unique needs, including:

  • Chemicals
  • Commercial Facilities Sector
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Services and Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials, and Waste

How Forescout Maps to the NIST Cybersecurity Framework 2.0

To maximize the adaptability of the NIST cybersecurity framework across industries and sizes of operations, it is important to align these core capabilities with your organization’s specific threat landscape, risk profile, and business requirements.

Our solutions map to these areas:

  • Cybersecurity maturity assessment
  • Adaptable risk management
  • Industry-specific security profiles
  • Collaborative threat intelligence
  • Policy management
  • Assets and systems intelligence
  • Advanced threat protection and response
  • Automated Security Operations Centers
  • Recovery and resilience

