This guide provides an overview of the NIST Cybersecurity Framework 2.0 and outlines the key stages for compliance.
As well as the information below, use the free resource links below to find out more about the framework and to obtain further guidance.
Free NIST CSF 2.0 Resources Links:
The National Institute of Standards and Technology (NIST) is a US government agency founded by Congress in 1901 (originally as the National Bureau of Standards) and forms part of the United States Department of Commerce. Initially focused on standardizing physical weights and measures, NIST’s role has expanded over time to cover many aspects of technology and its use, and has included the investigation into the collapse of the World Trade Center following the September 11th attacks. Some aspects of NIST’s role are explicitly laid out in US legislation, and in 2013 an Executive Order from President Obama (EO 13636 – “Improving Critical Infrastructure Cybersecurity”) mandated the creation of a Cybersecurity Framework (CSF), with the Cybersecurity Enhancement Act of 2014 placing further emphasis on NIST’s role in cybersecurity. The first version of the Framework was published in 2014 and was updated in April 2018 as CSF 1.1.
The use of the Cybersecurity Framework was made compulsory for federal agencies by President Trump in an Executive Order (EO 13800 – “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”) in 2017. A strong aspect of the legislation dealing with the CSF is the need for it to stay up to date, to drive improvement and to encourage close cooperation between the private and public sectors. To this end, NIST has embarked on the journey to CSF 2.0 with a comprehensive program of consultation, including a series of well-attended workshops and invitations for comment.
Version 2.0 of the CSF represents an “opening out” of the framework to position it as being generally applicable, not only to the public and private sectors in the USA, but also internationally. The emphasis is less on protecting critical infrastructure (although this is still a major goal) and more towards improving cybersecurity standards across the full range of industrial sectors, including within small and medium-sized businesses. This change is reflected in the new name of simply “Cybersecurity Framework”, compared to the previous name of “Framework for Improving Critical Infrastructure Cybersecurity”.
Another obvious enhancement is the creation of the new “Govern” function, a cross-cutting set of categories intended to provide overall direction to the existing five functions, as shown below.
The Govern (GV) function consists of the following categories:
Many of the subcategories in the above list have been taken from the Identify (ID) function, with a few also being extracted from other functions within CSF v1.1.
Other significant changes include:
The NIST CSF 2.0 consists of a number of building blocks which, when used together, allow an organization to put in place a risk-based framework tailored to their specific environment. This section explains briefly what those building blocks are.
Functions provide an overall structure for the framework and group together related categories as shown in the list below. In many respects, it may help to view the first three functions as “proactive”, as they deal with the process of assessing and treating risk ahead of time, and the latter three functions as “reactive”, as they cover the more real-time process of detecting and dealing with cybersecurity incidents.
However, NIST is clear that this is not intended to be a process model, so activities may be taking place within all of the functions at the same time.
The functions are usually color-coded to provide a degree of familiarity when working with the framework.
Categories provide the next level of detail below functions, as shown in the list below. Again, they are not necessarily intended to be carried out in the order in which they appear; they are a way of grouping together the subcategories beneath them, which give more detail about the specific activities that can be undertaken to improve cybersecurity.
Subcategories are where we get into the detail of the outcomes that we are looking to achieve. The table below shows the subcategories for the Organizational Context (GV.OC) category, which is within the Govern (GV) function.
Each subcategory has a reference (for example GV.OC-01) which allows it to be uniquely identified within the framework.
The subcategories are written as statements of fact (for example “The organizational mission is understood…”) and the aim of the organization in implementing the framework is to be able to agree with each relevant statement.
New with CSF 2.0 is the use of implementation examples. These are intended to be illustrative rather than definitive and give a better idea of the kinds of tasks that should be performed to achieve the outcome stated in the subcategory. Not all of them will apply to a particular organization, so they should be treated as guidelines only. The table below shows some typical implementation examples.
One of the intentions of the CSF is to be able to leverage the content of other standards and it does this through the use of informative references. For each subcategory a list of specific references to other standards is given. References are commonly taken from the following:
Whereas these were previously listed directly in the main CSF document, the intention with 2.0 is to maintain them separately in a tool accessible via the NIST website.
Four levels of rigor are defined within the CSF to judge an organization’s practices within three areas:
The four levels used are:
In effect, the tiers are similar to levels of maturity used in other frameworks, but NIST is keen to point out that not every organization needs to be at Tier 4 for each of the three areas. The additional effort required to reach a higher tier needs to be cost-justified.
Tiers are an optional part of the framework and are intended to be used at a number of different levels as appropriate, from a high-level aspiration of “becoming a Tier 3 organization” to a more specific goal of “improving the Cybersecurity Supply Chain Risk Management category from Tier 2 to Tier 3”.
Within the context of the CSF, a profile is a description of the parts of the framework that are either in place already (a current profile) or that the organization aspires to meet (a target profile). In common terms, this comparison between current state and desired state is often called a gap assessment, although this is not a term used by NIST. There is no standard way to create a profile, and it may be done at a number of different levels; for example, at the highest level by function and at the lowest by subcategory. A further level of granularity can be introduced by the use of tiers (as described above).
The key output of the use of profiles is an action plan to move the organization’s cybersecurity from where it is now to where it is desired to be.
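As an added example (not part of this guide and not NIST tooling), the following Python script models the profile comparison described above: subcategory references in the framework's GV.OC-01 format are validated, the current and target profiles each record a tier (1 to 4) per subcategory, and the output is the action plan of subcategories that must move up a tier, with an optional roll-up to category level. The sample profiles, the rule that a subcategory absent from a profile counts as Tier 1, and the convention that a category sits at its weakest subcategory's tier are assumptions made for this example.

```python
import re

# CSF 2.0 function codes: Govern, Identify, Protect, Detect, Respond, Recover.
FUNCTIONS = ("GV", "ID", "PR", "DE", "RS", "RC")
# Subcategory reference format, e.g. GV.OC-01: <function>.<category>-<two digits>.
SUBCAT_RE = re.compile(r"^(" + "|".join(FUNCTIONS) + r")\.([A-Z]{2})-(\d{2})$")
TIERS = (1, 2, 3, 4)
MISSING_TIER = 1  # assumption: a subcategory absent from a profile is Tier 1

def parse_ref(ref):
    """Split a subcategory reference into (function, category, reference)."""
    m = SUBCAT_RE.match(ref)
    if not m:
        raise ValueError(f"not a CSF 2.0 subcategory reference: {ref!r}")
    return m.group(1), f"{m.group(1)}.{m.group(2)}", ref

def validate_profile(profile):
    """Reject malformed references or tiers outside 1..4."""
    for ref, tier in profile.items():
        parse_ref(ref)
        if tier not in TIERS:
            raise ValueError(f"{ref}: tier must be 1..4, got {tier!r}")
    return profile

def gap_assessment(current, target):
    """Action plan: (reference, current tier, target tier) for every
    subcategory whose target tier is higher than its current tier."""
    validate_profile(current)
    validate_profile(target)
    plan = []
    for ref, want in sorted(target.items()):
        have = current.get(ref, MISSING_TIER)
        if want > have:
            plan.append((ref, have, want))
    return plan

def rollup_by_category(profile):
    """Category tier = lowest tier among its subcategories (assumption)."""
    cats = {}
    for ref, tier in validate_profile(profile).items():
        _, cat, _ = parse_ref(ref)
        cats[cat] = min(tier, cats.get(cat, TIERS[-1]))
    return cats

# Constructed sample profiles; the tier values are illustrative only.
CURRENT_PROFILE = {"GV.OC-01": 2, "GV.OC-02": 2, "GV.OC-03": 1, "GV.SC-01": 2, "ID.AM-01": 3}
TARGET_PROFILE = {"GV.OC-01": 3, "GV.OC-02": 2, "GV.OC-03": 3, "GV.SC-01": 3,
                  "ID.AM-01": 3, "PR.AA-01": 2}
```

Calling `gap_assessment(CURRENT_PROFILE, TARGET_PROFILE)` returns the four subcategories that need work, including PR.AA-01, which is missing from the current profile entirely.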