One of the standards that’s increasingly mentioned in the same breath as ISO27001, PCI DSS and Cyber Essentials when discussing information security is the NIST Cybersecurity Framework (CSF). In this article we’ll take a look at what this is, and how it’s being further developed into a more generally applicable standard.
The National Institute of Standards and Technology (NIST) is a US government agency founded in 1901 by Congress (originally as the National Bureau of Standards) and forms part of the United States Department of Commerce. Initially focused on standardizing physical weights and measures, NIST’s role has expanded over time to cover many aspects of technology and its use, including the investigation into the collapse of the World Trade Center as a result of the September 11th attacks (1) and, more recently, the issue of regulation and standards in artificial intelligence. Some aspects of NIST’s role are explicitly laid out in US legislation, and in 2013 an Executive Order from President Obama mandated the creation of a Cybersecurity Framework (CSF) (2), with the Cybersecurity Enhancement Act of 2014 placing further emphasis on NIST’s role in cybersecurity. The first version of the Framework was published in 2014, and it was updated in April 2018 with CSF 1.1.
The use of the Cybersecurity Framework was made compulsory for federal agencies by President Trump in an Executive Order in 2017 (3). A strong theme of the legislation dealing with the CSF is the need for it to stay up to date, to drive improvement and to encourage close cooperation between the private and public sectors. To this end, NIST embarked on the journey to CSF 2.0 with a comprehensive program of consultation, including a series of well-attended workshops and invitations for comment.
Version 2.0 of the CSF was published by NIST in February 2024, along with a variety of supportive tools on their website. The overall structure of the CSF remains the same and consists of the following building blocks:
A key point to make is that, at the current time, there is no certification scheme for the CSF, so you can’t get a third party to verify your compliance. We wonder whether this will change in the medium term.
Version 2.0 of the CSF represents an “opening out” of the framework to position it as being generally applicable, not only to the public and private sectors in the USA, but also internationally. The emphasis is less on protecting critical infrastructure (although this is still a major goal) and more towards improving cybersecurity standards across the full range of industrial sectors, including within small and medium-sized businesses. This change is reflected in the new name of simply “Cybersecurity Framework”, compared to the previous name of “Framework for Improving Critical Infrastructure Cybersecurity”.
Another enhancement is the creation of the new “Govern” function, a cross-cutting set of categories intended to provide overall direction to the existing five functions, as shown below.
The Govern function consists of the following categories:
Many of the sub-categories covered within the above list have been taken from the Identify function, with a few also being extracted from other functions within the CSF V1.1.
Other significant changes include:
The Cybersecurity Framework V2.0 builds on a lot of experience over the preceding ten years and is a welcome addition to any organization’s cybersecurity arsenal.
In short, yes! The CSF has a lot of backing from the US government and is moving more into the mainstream from a purely federal focus. The new Govern function makes it look more like the ISO27001 standard in some respects, but the CSF places some useful emphasis on key areas such as supply chain cybersecurity and is a strong candidate for use as a high-level cybersecurity framework for organizations large and small.
Perhaps the main difference is the lack of a certification scheme, so you can’t prove your compliance to your stakeholders, but we’ll see how this area develops over the next year or so.
We’ll keep you updated with any new developments, and you can find out more on the NIST website.
The CertiKit NIST Cybersecurity Framework 2.0 toolkit is now available to purchase. The toolkit is aligned to the structure of the final published version of CSF 2.0. With 150+ expertly created documents, this toolkit has everything you need to implement the framework. With unlimited email support from our consultants, a perpetual license and lifetime updates, you’ll have everything you need to implement NIST CSF 2.0.
NIST have now released the final version of the Cybersecurity Framework 2.0. The toolkit has been updated to align to the latest version, and all existing CSF customers will receive the update free of charge.
Written by Ken Holmes, CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).
Sources: