Since 2022, the National Institute of Standards and Technology (NIST) has been working on major updates to its Cybersecurity Framework (CSF), a set of guidelines and best practices for cybersecurity which enjoys wide adoption among federal organizations and private businesses of every size.
Now that update has finally arrived in the form of a draft issued on August 8th, 2023, and not a moment too soon. With five years elapsing since CSF 1.1 was released in 2018, experts agree that the framework is long overdue for an update reflecting changes in the global threat landscape, and the evolving needs of organizations in both the public and private sector.
To that end, the CSF 2.0 draft largely conforms to proposals outlined by NIST in a concept paper earlier this year. Among other things, it adopts a broader focus extending the scope of CSF beyond its original audience of critical infrastructure operators. It also incorporates a new security function, extended guidance for supply chain security, and more.
In this article we’ll explain how NIST CSF works, how things are changing with CSF 2.0, and why your business should become CSF 2.0 compliant.
What is NIST CSF?
The earliest version of NIST CSF (1.0) was released in 2014, with the now largely forgotten title ‘Framework for Improving Critical Infrastructure Cybersecurity’. But despite its critical infrastructure focus, the framework outlined by CSF is conceptually simple, with wide application to a variety of organizations.
NIST CSF consists of three high-level components, a fact which has not changed with the release of CSF 2.0:
- Core functions – CSF core functions correspond to basic cybersecurity practices and outcomes. The basic functions – “Identify”, “Protect”, “Detect”, “Respond”, and “Recover” – are further broken down into categories and subcategories.
- Implementation tiers – CSF tiers objectively measure how closely an organization’s existing cybersecurity program conforms with the practices described by the core framework.
- Framework profiles – CSF profiles help organizations to align their organizational requirements, objectives, risk tolerance and resources against desired outcomes of the framework.
Unlike other NIST standards – such as 800-171 and 800-53 – NIST CSF does not describe regulations imposed by federal agencies on their partners and contractors. In most cases, CSF compliance is not mandatory, but voluntarily adopted. Even so, the general nature of its guidance has made it a leading cybersecurity standard in both the U.S. and abroad.
Big Changes in CSF 2.0
While many changes in CSF 2.0 have been anticipated since January 2023, the draft document fleshes out details of their implementation, including the announcement of forthcoming tools and resources which will aid organizations towards CSF 2.0 compliance.
1. A Broader Scope
In CSF 2.0, NIST is embracing the reality of CSF adoption, expanding its scope from a standard focused on cybersecurity for critical infrastructure to one with much broader application. This is reflected both by a change of title – from ‘Framework for Improving Critical Infrastructure Cybersecurity’ to ‘The Cybersecurity Framework’ – and in language changes throughout the document.
More importantly, CSF 2.0 provides increased guidance to help organizations adapt the framework to their unique mission needs, and examples to illustrate the purpose of profiles. As Microsoft argued in feedback to the CSF 2.0 concept paper, profiles are an underutilized aspect of CSF which will hopefully see wider adoption going forward.
2. The ‘Govern’ Function
While none of the core functions in the CSF have been removed, one has been added. ‘Govern’ is a special function that intersects the original five, emphasizing cybersecurity as a source of enterprise risk, and providing guidance for how an organization can make internal decisions that support cybersecurity strategy.
NIST illustrates the overlap between ‘Govern’ and the other CSF core functions with an updated graphic depicting ‘Govern’ as a ring that underpins and supports the other functions.
3. Focus on Supply Chain Security
In recent years, the rise of software supply chain incidents – including the SolarWinds attack and the Log4j zero day – has made supply chain security a central concern for federal agencies. It is a major focus of 2021’s ‘Executive Order on Improving the Nation’s Cybersecurity’, for instance.
It is no surprise then that CSF 2.0 emphasizes supply chain risk management practices under the ‘Govern’ function, drawing on other resources, such as NIST special publication (SP) 800-161r1, ‘Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations’. It also directs readers to use the CSF itself as a standard for vetting suppliers and choosing secure partners.
4. Better Guidance
While the general nature of CSF guidance has contributed to its success as a cybersecurity standard, some have felt that guidance is too general at times, making it difficult for some organizations to apply. Fortunately, in addition to providing increased CSF profile guidance, CSF 2.0 also includes specific examples of security processes that help achieve core functions.
This guidance has evidently been written with small to medium businesses (SMBs) in mind, as the summary of changes states: “the draft now includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, to use the framework effectively”.
5. Incorporating Other NIST Resources
Since the release of CSF 1.1, NIST has been hard at work drafting new standards that supplement the framework well. In CSF 2.0, readers are directed to many of those standards – including the NIST Privacy Framework and Secure Software Development Framework among others – for further guidance.
Furthermore, in the coming weeks, NIST will release a CSF 2.0 reference tool which will help organizations to better understand the relationship between CSF 2.0 and other NIST standards included in its Informative References.
CSF 2.0 is a Stepping Stone to Compliance
With NIST stating that it does not intend to release further drafts of CSF 2.0 before the framework is finalized in 2024, it is safe to assume that there will not be any major changes between the draft and the final version.
Although it will not be a requirement for most federal contractors, CSF 2.0 will help businesses to form a solid cybersecurity foundation essential for compliance with NIST 800-171, 800-53 and CMMC while clarifying the risks that matter most to their business, and their ideal security position. Following NIST guidelines can also help businesses to prepare for future regulations, as state and federal governments use NIST standards to shape cybersecurity laws and guidance.
Securicon helps your business to comply with cybersecurity standards like NIST CSF 2.0 through tailored program and risk assessments. With a team made up of veterans from the U.S. security community – including DoD, DHS, and U.S. Cyber Command – we are equipped to provide organizations with gap analysis, compliance consulting, assessment support, and audit preparation. To learn more, contact us today.