On August 8, 2023, NIST published the initial public draft for version 2.0 of its Cybersecurity Framework (NIST CSF 2.0). This is the first update since 1.1 was released in 2014, so it was due. We’re going to break down the framework, the updates, and the differences from its previous version.
What is NIST CSF?
For those unaware, NIST is the National Institute of Standards and Technology—part of the United States Department of Commerce. Effectively, this body was developed to foster technological and industrial advancement—and to set standards for science and technology.
The CSF is NIST’s cybersecurity framework. Developed in 2004, this framework created standards, guidelines, and best practices to help businesses and organizations manage their cybersecurity risk.
Who Uses NIST CSF?
While NIST is not a regulatory body and the NIST CSF is not a regulatory requirement, it is a requirement for government agencies. Companies who work with those agencies are often asked to comply as a result.
It is estimated that nearly half of all U.S. organizations had adopted NIST CSF by 2020.
For those reasons, it is widely accepted as an industry standard framework in the information security space. FRSecure has even mapped to NIST controls into our risk assessment.
How Many Controls Are There in NIST CSF?
In the most recent version of NIST CSF, there are 23 categories of controls. Within those categories, there are 108 subcategories.
These controls span five function areas:
- Identify
- Protect
- Detect
- Respond
- Recover
What Are the Differences Between NIST CSF 1.1 and NIST CSF 2.0?
We’re only about a month from the release of the draft of NIST CSF 2.0. And given that the draft will not be open to comments until November 5, what is reviewed here may not reflect the final release. However, I expect it to be close, and this at least allows organizations to become familiar with it before its official launch.
When Will NIST CSF 2.0 Be Released?
First, we need to know when to be ready for this. As mentioned before, comments on the draft will not be open until November 2023.
The developers plan to publish the final version of NIST CSF 2.0 in early 2024.
NIST CSF 2.0 Updates
Govern Function
The first major update is that there is now a sixth function, Govern, that sits inside the center of the wheel. Its place there is because it is intended to inform organizations how to implement the other five functions.
Renaming of the Framework
The second major update is that they have officially renamed it from “Framework for Improving Critical Infrastructure Cybersecurity” to “Cybersecurity Framework.” NIST also changed the scope from critical infrastructure, as it was known under 1.1, to reflect the broad use across all organizations.
What Do These Changes Mean?
The primary change we’ll see is a realignment of controls. Given that the original five functions included governance of those functions, we’ll certainly see controls be shuffled into this new function.
We’re also likely to see brand new proposed subcategories under the govern function.
NIST also rewrote the subcategories, primarily so they are more understandable to the public.
NIST CSF 2.0 Realignment
An example of the realignment is shown below. To me, this makes perfect sense for the govern function and its use as supply chain risk management feels like a more natural fit as a govern function than an identify function.
- Supply Chain Risk Management (ID.SC): Dropped (moved to GV.SC)
- ID.SC-01: Dropped (moved to GV.SC-01)
- ID.SC-02: Dropped (moved to GV.SC-03, GV.SC-07)
- ID.SC-03: Dropped (moved to GV.SC-05)
- ID.SC-04: Dropped (moved to GV.SC-07)
- ID.SC-05: Dropped (moved to GV.SC-08, ID.IM-02)
NIST CSF Govern Function
Now, let’s take a little bit of a deeper dive into the Govern function.
NIST defines the goal of this new function as to “establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy.”
Well, so much for the public understandability improvements…
But seriously, what is nice about the function is it defines the requirements for executive leadership and stakeholder expectations. In other words, it’s clearly defining what we’ve been saying for years:
To have a successful cybersecurity program, you have GOT to have buy-in and support from the highest levels of the organization.
You can see from the categories within Govern that NIST is emphasizing that cybersecurity is an organizational risk and cannot simply be an afterthought.
Function | Category | Category Identifier |
Govern (GV) | Organizational Context | GV.OC |
Risk Management Strategy | GV.RM | |
Cybersecurity Supply Chain Risk Management | GV.SC | |
Roles, Responsibilities, and Authorities | GV.RR | |
Policies, Processes, and Procedures | GV.PO | |
Oversight | GV.OV |
There are also a fair number of new controls in Govern such as:
- GV.OC-02: Internal and external stakeholders are determined, and their needs and expectations regarding cybersecurity risk management are understood.
- GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties.
If those don’t hammer home that cybersecurity is an all-hands program for organizations, I’m not sure what more we can do.
NIST CSF 2.0 Category Adjustments
A few categories were also renamed in NIST CSF 2.0 to better reflect the intent. Others were reorganized and removed. For example, Information Protection Processes and Procedures (PR.IP) were not in the NIST CSF 2.0 draft—all its subcategories were moved into other categories for better alignment.
While it will be important to understand where they end up, I don’t see it being an issue for most. If you are following CSF 1.1, the control is still going to be covered.
They also added new categories.
Platform Security (PR.PS) and Technology Infrastructure Resilience (PR.IR) are good examples of new categories that better reflect the current cybersecurity environment. They include a mixture of subcategories that were moved and brand-new subcategories as well.
Looking at the rewording of controls next we find that the spirit is still the same, but they are now more focused on an active program versus doing it and saying it’s done.
ID.AM 1 and ID.AM2 are great examples of this.
Subcategory | V1.1 | V2.0 Draft |
ID.AM1 | Physical devices and systems within the organization are inventoried | Inventories of hardware managed by the organization are maintained |
ID.AM2 | Software platforms and applications within the organization are inventoried | Inventories of software, services, and systems managed by the organization are maintained |
This proactive, ongoing approach is found throughout 2.0 and I am very happy to see this change. Often, we see organizations say, “Yes we have an asset inventory” only to find out it hasn’t been updated in more than six months.
“The only constant in information security is change.”
If you are not proactive—continually working on your security posture—you will backslide and put yourself at a higher risk than you need to.
Final Thoughts
Is the NIST CSF 2.0 draft perfect? No.
Is it a big step forward for making cybersecurity more understandable, and hopefully improving adoption? Yes.
In all, few things have changed. NIST CSF 1.1 bolstered 22 categories and 108 subcategories. NIST CSF 2.0 contains 23 categories and 106 subcategories. And, outside of an added emphasis on comprehension, governance, and stakeholder obligations, many of the concepts remain constant.
The best way to remain ahead of these changes? Build a security-first culture from the top down in every department of your business and get a comprehensive risk assessment so you already have an understanding of your biggest risks and how to mitigate them.
If you need any help with NIST CSF 2.0, risk management, or information security in general, don’t hesitate to reach out. We’re happy to help.