NIST Cybersecurity Framework 2.0: An Overview

Published by Dustin Perkins, CISSP, CISM – Senior Governance, Risk and Compliance Consultant, US on 2 September 2024

To mark its 10th anniversary, the National Institute of Standards and Technology (NIST) has unveiled the latest iteration of its cybersecurity framework, rebranded as NIST Cybersecurity Framework (CSF) 2.0. It represents a significant overhaul, enhancing and improving the maturity of an already well established and widely adopted cyber risk management framework. The NIST CSF is a set of cybersecurity principals and best practices developed by the National Institute of Standards and Technology (NIST). It provides companies with a framework to make it easier to understand cyber risks and improve their defences.

One of the most pronounced changes to the NIST CSF in this new 2.0 iteration is the inclusion of the Govern (GV) function. This brings the total number of core functions to six. The GV function is a consolidation of controls from NIST CSF 1.1 into its own category, making the standard easier to navigate. This further allows non-technical stakeholders to better understand the place of governance duties in relation to cybersecurity risk management tasks.

Figure 1: NIST CSF 1.1 and CSF 2.0 Functions

The next notable change to the NIST Cybersecurity Framework is the emphasis on Supply Chain Risk Management. This is nested within the new GV function, which gives it immediate visibility to C-suite stakeholders. Considering the threat to supply chains over the past two years, this is a welcome change. In 2023, the average cost of a data breach had reached a record high of $4.45 million USD, according to the 2023 “Cost of a Data Breach Report” by IBM and the Ponemon Institute. This is up 2% from 2022.

Figure 2: Source: IBM Cost of a Data Breach Report 2023

Finally, the NIST CSF 2.0 has increased emphasis on the Respond and Recovery functions by expanding the included controls and highlighting important potential concerns in the cybersecurity field. The Respond function now maps to cyber incident response outcomes that are impactful and not just addressed at a cursory level.

Figure 3: Response category in NIST CSF 2.0

This is a welcome change from the NIST CSF 1.1 that broke down the same function into ambiguous controls, such as Response Planning, Mitigation, and Improvements; the latter of which is duplicated in the Recover control. As Figure 3 illuminates, we can see a definitive difference between the controls of the Respond and Recover functions.

Conclusion

With these new changes, NIST CSF 2.0 has broadened its scope to help all organisations in any sector and of any size. In addition, NIST is making new tools and resources available to help organisations meet their goals. The GV function highlights the importance of having non-technical stakeholders fully invested and engaged in the cybersecurity process and facilitates this taking place. As threats to Supply Chain Risk Management have been demonstrated as a trend that’s here to stay, it’s good to see the newest iteration of NIST CSF addressing this issue right at the forefront. The retooling of the Respond and Recovery functions also brings much needed clarity to that area of the framework, allowing for more easily attainable compliance.