What You Need to Know About the NIST Cybersecurity Framework 2.0
Ten years ago, the National Institute of Standards and Technology (NIST) released the Cybersecurity Framework (CSF) 1.0 following an Executive Order from President Obama to help companies and governments facing cybersecurity attacks.
In 2014, data breaches were escalating. Major Fortune 500 companies and household names, such as Target, Yahoo, 7-11, Visa, and more, experienced heaps of customer data theft, online fraud and attacks from malware. It was also the time of Edward Snowden and NSA information leaks – and criminal organizations skimming physical ATM machines.
The NIST Cybersecurity Framework has become one of the most widely recognized approaches to managing security risk in the world. It established five foundational functions: Identify, Protect, Detect, Respond and Recover.
In 2018, version 1.1 was updated to include:
- Authentication and identity
- Self-assessing cybersecurity risk
- Managing cybersecurity within the supply chain
- Vulnerability disclosure
The latest version, NIST CSF 2.0, published in March 2024. It has been expanded to address where we are in today’s risk landscape and expanding attack surface.
Critical infrastructure hacked. Supply chains disrupted. Ransomware causing major financial and public safety problems. Between 2022 and 2023, ransomware grew by over 70%, according to the SANS Institute.
The NIST cybersecurity framework has been developed with help and feedback from risk, compliance and security practitioners from a wide set of industry verticals. So, the framework feels more inclusive – and is more flexible for a broader set of organizational sizes.
Governance is now front and center in version 2.0 – and speaks to a new official level of comprehensive risk management, and compliance organizations need given today’s threat environment.
“The Govern function aims to help organizations incorporate cybersecurity risk management into broader enterprise risk management programs by presenting ‘outcomes,’ or desired states, to inform what an organization may do to achieve and prioritize the outcomes of the other five functions,” explains Cynthia Brumfield, author of the book “Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework.”
Governance means leadership taking on more active and accountable role into cybersecurity policies which appears to be a consistent theme across standards and regulatory bodies.
“The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio.
Making governance a priority is also a clear mandate for publicly traded companies that are under the Securities and Exchange Commission (SEC) in the US. Recent SEC rules mandate disclosure and analysis of security leadership functionally, its roles and responsibilities, and codifies exacting disclosure timelines for investors.
What Else Is New in NIST CSF 2.0?
Beyond the ‘Govern’ function, NIST CSF 2.0 emphasizes continuous control and continuous improvement. And it starts with clearer language that appeals to more industries. It includes a few new precise categories and subcategories that address risk-based control measurement. Data privacy is also addressed in every section.
Key Sections of the Framework
Framework Core is a set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure sectors. It consists of six concurrent and continuous Functions: Govern, Identify, Protect, Detect, Respond and Recover.
Implementation Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework, over a range from Partial (Tier 1) to Adaptive (Tier 4).
Framework Profile represents the Core Functions’ Categories and Subcategories prioritized by an organization based on business needs and can be used to measure the organization’s progress toward the Target Profile.
Organizational Profiles are customizable structures that allow organizations to align their actions, policy and objectives to the Core Framework.
Informative References are guidelines and practices that outline how to achieve the business and technical outcomes defined. NIST provides downloadable implementation examples too.
NIST also provides a repository of quick start guides – including by business type, such as small business or enterprise – and it includes a section on Cybersecurity Supply Chain Risk Management (C-SCRM) to help organizations “become smarter acquirers and suppliers of technology products and services.”
Go deeper. Get the eBook.
Challenges of NIST
Because it is a framework and not a regulation, NIST adoption and adherence can have its challenges. It is no easy task to appeal and apply to every situation or technology infrastructure. But as an approach, it is one of the most widely used in the world. Here’s how Brumfield explains the situation:
“Since the framework’s inception, NIST has taken care not to prescribe any particular steps organizations should take, given that every organization has unique technical and resource configurations. Instead, NIST has referred to outcomes, which some argue offer little practical guidance on what specific actions organizations should take.”
How Forescout Maps to the NIST Cybersecurity Framework 2.0
To maximize the adaptability of the NIST cybersecurity framework across industries and sizes of operations, it is important to align these core capabilities with your organization’s specific threat landscape, risk profile, and business requirements.
Our solutions map to these areas:
- Cybersecurity maturity assessment
- Adaptable risk management
- Industry-specific security profiles
- Collaborative threat intelligence
- Policy management
- Assets and systems intelligence
- Advanced threat protection and response
- Automated Security Operations Centers
- Recovery and resilience