Blog NIST Cybersecurity Framework – Here Comes Version 2

One of the standards that’s increasingly mentioned in the same breath as ISO27001, PCI DSS and Cyber Essentials when discussing information security is the NIST Cybersecurity Framework (CSF). In this article we’ll take a look at what this is, and how it’s being further developed into a more generally applicable standard.

A Bit of History

The National Institute of Standards and Technology (NIST) is a US government agency founded in 1901 by Congress (originally as the National Bureau of Standards), and forms part of the United States Department of Commerce. Initially focused on standardizing physical weights and measures, NIST’s role has expanded over time to cover many aspects of technology and its use, and included the investigation into the collapse of the World Trade Center as a result of the September 11th attacks⁽¹⁾, and more recently the issue of regulation and standards in artificial intelligence. Some aspects of NIST’s role are explicitly laid out in US legislation and in 2013 an Executive Order from President Obama mandated the creation of a Cybersecurity Framework (CSF)⁽²⁾, with the Cybersecurity Enhancement Act of 2014 placing further emphasis on NIST’s role in cybersecurity. The first version of the Framework was published in 2014 and it was updated in April 2018 with CSF 1.1.

The use of the Cybersecurity Framework was made compulsory for federal agencies by President Trump in an Executive Order in 2017.⁽³⁾ A strong aspect of the legislation dealing with the CSF is the need for it to stay up to date, to drive improvement and to encourage close cooperation between the private and public sectors. To this end, NIST embarked on the journey to CSF 2.0 with a comprehensive program of consultation, including a series of well-attended workshops and invitations for comment.

What Does the Cybersecurity Framework Look Like?

Version 2.0 of the CSF was published by NIST in February 2024, along with a variety of supportive tools on their website. The overall structure of the CSF remains the same and consists of the following building blocks:

• Functions – these are the highest-level groupings and are made up of:
  • (Govern – new in V 2.0)
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover
• Categories – provide the next level of detail below functions, with between two and six categories in each function.
• Subcategories – this is where we get into the detail of the outcomes that we are looking to achieve. In some respects, these may be seen as similar to the requirements of ISO27001, although they are intended to be more general in nature with lots of room for interpretation and tailoring.
• Informative references – these map the subcategories onto specific parts of other common standards such as ISO27001 and CoBIT controls. The intention is to make all of these resources available to the organization when using the CSF.
• Tiers – a way of expressing the level of thoroughness that the organization aspires to, particularly in the area of risk management.
• Profiles – an assessment of where the organization currently is with regard to the CSF controls (current profile) and where it wants to be (target profile).

A key point to make is that, at the current time, there is no certification scheme for the CSF, so you can’t get a third party to verify your compliance. We wonder whether this will change in the medium future.

So What’s New in Version 2.0?

Version 2.0 of the CSF represents an “opening out” of the framework to position it as being generally applicable, not only to the public and private sectors in the USA, but also internationally. The emphasis is less on protecting critical infrastructure (although this is still a major goal) and more towards improving cybersecurity standards across the full range of industrial sectors, including within small and medium-sized businesses. This change is reflected in the new name of simply “Cybersecurity Framework”, compared to the previous name of “Framework for Improving Critical Infrastructure Cybersecurity”.

Another enhancement is the creation of the new “Govern” function, a cross-cutting set of categories intended to provide overall direction to the existing five functions, as shown below.

The Govern function consists of the following categories:

• Organizational Context
• Risk Management Strategy
• Roles, Responsibilities and Authorities
• Policy
• Oversight
• Cybersecurity Supply Chain Risk Management

Many of the sub-categories covered within the above list have been taken from the Identify function, with a few also being extracted from other functions within the CSF V1.1.

Other significant changes include:

• Informative references will now be provided online, to provide for easier and more frequent updating.
• Implementation examples will be provided to help with interpretation of the sub-categories.
• The use of tiers has been clarified.
• Revised guidance on how to create and use framework profiles.
• Clearer emphasis on improvement, with the creation of an Improvement category within the Identify function.

The Cybersecurity Framework V 2.0 builds on a lot of experience over the preceding ten years and is a welcome addition to any organization’s cybersecurity arsenal.

Is it Worth a Look?

In short, yes! The CSF has a lot of backing from the US government and is moving more into the mainstream from a purely federal focus. The new Govern function makes it look more like the ISO27001 standard in some respects, but the CSF places some useful emphasis on key areas such as supply chain cybersecurity and is a strong candidate for use as a high-level cybersecurity framework for organizations large and small.

Perhaps the main difference is the lack of a certification scheme, so you can’t prove your compliance to your stakeholders, but we’ll see how this area develops over the next year or so.

We’ll keep you updated with any new developments, and you can find out more on the NIST website.

CertiKit’s NIST CSF 2 Toolkit – Now Available.

The CertiKit NIST Cybersecurity Framework 2.0 toolkit is now available to purchase. The toolkit is aligned to the structure of the final published version of CSF 2.0. With 150+ expertly created documents, this toolkit has everything you need to implement the framework. With unlimited email support from our consultants, a perpetual license and lifetime updates, you’ll have everything you need to implement NIST CSF 2.0.

NIST have now released the final version of the Cybersecurity Framework 2.0. The toolkit has been updated to align to the latest version, and all existing CSF customers will receive the update free of charge.

View NIST CSF 2.0 Toolkit

Written by Ken Holmes, CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).

Sources:

• • (1) NIST- World Trade Center Investigation
  • (2) NIST – History and creation of the framework
  • (3) GOV – President Trump executive order 2017