Regulatory and compliance frameworks are constantly being updated to reflect changes in risk and the evolving threat landscape. Earlier this year, the United States’ National Institute of Standards and Technology (NIST) released a new version of its Cybersecurity Framework (CSF), updating the widely used framework with a stronger governance- and risk-based approach.
These changes were made to the decade-old framework to reflect modern security best practices and to keep up with an ever-evolving threat landscape. There’s a new Govern function that emphasizes the importance of governance to manage cybersecurity risk, while elsewhere the framework has been updated to encourage a more holistic approach to security. Although the update is still less than a year old, its security implications are already starting to emerge.
We’ve written previously about the value of NIST CSF assessments and have supported many clients in defining and running cybersecurity strategies using NIST CSF as a framework. Now, here at Kudelski Security, we’ve been hard at work helping organizations understand and benefit from the changes to NIST’s cybersecurity framework.
Our assessment services take a look at an organization’s current implementation maturity and compare that to where the client wants to be. We provide detailed strategic recommendations and measurable insights to quantify results, supporting impactful change from operational levels up to the boardroom.
Today I want to highlight some of our key takeaways after more than six months of assessing against the new framework.
Contents
- What is the National Institute of Standards and Technology’s Cybersecurity Framework?
- When was NIST CSF 2.0 released?
- What’s changed with NIST CSF version 2.0?
- Observations on the new Govern function
- New Subcategories Driving Risk Based Discussions
- Helpful implementation examples that shouldn’t be taken too literally
- Kudelski Security’s approach
What is the National Institute of Standards and Technology’s Cybersecurity Framework?
NIST’s CSF is a framework that was initially released in 2014 to help critical infrastructure sectors such as finance, energy and healthcare better protect their critical assets. The framework, which is organized into functions, categories, and subcategories, can be used by organizations no matter how mature their security practices are. It’s designed to offer flexible guidance on current cybersecurity best practices for the organizations that choose to draw from it.
The framework has always done a good job of outlining expected outcomes, allowing organizations the freedom to determine how to best achieve the outcome, rather than identifying specific actions. For instance, NIST CSF states that users must be authenticated, without mandating specifics such as password length or complexity. This approach enables organizations to implement security measures that align with their unique needs and evolving technologies.
In the decade since the framework was first published, the threat landscape has changed considerably. The framework has evolved to become more flexible, allowing for greater adoption across industries well beyond critical infrastructure.
When was NIST CSF 2.0 released?
Version 2.0 of NIST’s cybersecurity framework was released in February 2024, making it the first major update to the framework in a decade. It replaces version 1.1 of the framework, an incremental update released in 2018.
What’s changed with NIST CSF version 2.0?
A sixth function, Govern, was added to strengthen the five prior functions (Identify, Protect, Detect, Respond and Recover). This function pulled in categories and subcategories from other functions, added new subcategories, and fortifies the focus on top-down governance. Within it, NIST placed heavy emphasis on risk management and on cybersecurity supply chain risk management.
While the total number of categories and subcategories remained nearly the same, they were rearranged, reworded, and enhanced with approximately 20 new subcategories. The revision provides detailed guidance, giving organizations clearer, actionable paths for effective implementation.
Below is a summary of the changes:
- There are now 6 functions, up from 5 in NIST CSF version 1.1.
- There are now 22 categories, down from 23 in NIST CSF version 1.1.
- There are now 106 Subcategories, down from 108 in NIST CSF version 1.1.
Though there were small reductions in numbers at the category and subcategory level with NIST 2.0, the framework now takes a much stronger risk-based approach than before.
Observations on the new Govern function
The new Govern function encompasses nearly 30% of the framework’s subcategories, with a huge emphasis on risk. This number alone stresses how important NIST feels governance is for cybersecurity and should signal to organizations that they need to make it a high priority. The function is made up of six categories: Organizational Context (GV.OC), Risk Management Strategy (GV.RM), Roles, Responsibilities, and Authorities (GV.RR), Policy (GV.PO), Oversight (GV.OV), and Cybersecurity Supply Chain Risk Management (GV.SC).
The new supply chain category is of particular importance and alone makes up over 9% of the total subcategories. This emphasizes the risk that supply chains pose in an interconnected ecosystem. Tying cybersecurity risk management and cybersecurity supply chain risk management into enterprise risk management is a nice touch, and means that business units will need to work cohesively to identify and prioritize risk, as well as communicate effectively to address it.
Below are the two subcategories that highlight the emphasis on risk cohesion in the Govern function:
GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
In essence, GV.RM-03 and GV.SC-03 emphasize how important it is for an organization to incorporate supply chain considerations and cybersecurity risk considerations into their overall risk management approach, rather than treating them in isolation.
Also included in the Govern function is Organizational Context, which stresses the importance of being risk aligned with the company’s mission, goals and objectives. It highlights that cybersecurity should be integrated with the business. The category states the following:
Organizational Context (GV.OC): The circumstances – mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements – surrounding the organization’s cybersecurity risk management decisions are understood.
New Subcategories Driving Risk Based Discussions
Alongside the new Govern function, version 2.0 of the framework has included several new subcategories. In the assessments we have performed to date, the following subcategory has driven a lot of interesting conversations:
PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected.
Clients have discussed with us how this subcategory can be achieved with a mix of non-technical and technical controls. On the non-technical side, discussions involved how they encourage the use of privacy screen filters and the deliberate placement of workstations to prevent inappropriate viewing of data while it is being worked on. On the technical side, a recurring topic has been the cost of implementing controls that clear sensitive data from processor and memory once it is no longer needed, and whether that cost is justified for the type of data they hold.
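To make the "clear data from memory" control concrete, here is an added example in C (written for this page, not code from the original post or from Kudelski Security). It assumes nothing beyond the PR.DS-10 outcome quoted above: a secret is copied into a working buffer, used briefly, and then wiped before the function returns. The secret string, the 64-byte buffer size and the XOR "checksum" standing in for real use of the data are all constructed for illustration. The point worth learning is why a plain memset() at the end of a function is not enough: the compiler treats it as a dead store and may delete it, so the wipe is done through a volatile pointer (or a platform call such as explicit_bzero(3) or memset_s()).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wipe that the optimizer cannot remove. A plain memset() just before a buffer
 * goes out of scope is a dead store from the compiler's point of view and is
 * routinely elided, leaving the secret in memory. Writing through a volatile
 * pointer forces every byte to be stored. Where available, explicit_bzero(3),
 * memset_s() or SecureZeroMemory() serve the same purpose. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. */
int is_all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Models a short data-in-use window. The secret is copied into a fixed working
 * buffer, "used" (here: folded into a one-byte XOR checksum that stands in for
 * a real key derivation or comparison), and then wiped before returning.
 * Returns 1 if the working buffer was verifiably zeroed, or 0 if the input did
 * not fit and was rejected without ever being copied. The caller only receives
 * the derived result, never the secret itself. */
int handle_secret_and_wipe(const char *secret, unsigned char *checksum_out)
{
    unsigned char work[64];           /* constructed size for the example */
    size_t n = strlen(secret);

    if (n > sizeof(work)) {
        return 0;                     /* refuse rather than silently truncate */
    }
    memcpy(work, secret, n);

    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc ^= work[i];
    }
    if (checksum_out) {
        *checksum_out = acc;
    }

    /* End of the data-in-use window: clear the whole buffer, not just n bytes,
     * so no stale content from an earlier call survives either. */
    secure_wipe(work, sizeof(work));
    return is_all_zero(work, sizeof(work));
}

int main(void)
{
    /* Constructed sample secret for illustration only. */
    unsigned char sum = 0;
    int ok = handle_secret_and_wipe("constructed-sample-secret", &sum);
    printf("wiped=%d checksum=0x%02x\n", ok, sum);
    return ok ? 0 : 1;
}
```

Two caveats a practitioner would raise in the cost discussion: the wipe only covers the buffer the code controls, not copies the compiler may have spilled to registers or the stack, nor pages the operating system may have swapped or written to a core dump (those need mlock(2)-style pinning and core-dump restrictions); and the value of doing this at all depends on how long the process lives and who else can read its memory, which is exactly the "is it worth it for our data" judgement the text describes.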
Helpful implementation examples that shouldn’t be taken too literally
NIST CSF 2.0 includes implementation examples, which are meant to help organizations think about how to achieve the framework’s outcomes. However, some of the clients we have worked with to date get caught up in that wording and believe they must satisfy every example, to the letter, to be considered a mature organization. NIST subcategories are meant to document outcomes; they are not meant to be prescriptive about how to reach those outcomes.
Examples were included to show some ways the outcome could be achieved but are not the only ways it can be done. Two clients could have the same maturity level but get there using vastly different approaches depending on what works best for their respective organizations.
Kudelski Security’s approach
At Kudelski Security, our approach to NIST CSF 2.0 is to work hand in hand with our clients to explain the changes and how they can benefit from them. With experience from numerous assessments, we offer valuable insights to support even the most unique security goals.
We believe it’s important for the leadership team and technical staff alike to be involved in the NIST CSF 2.0 assessment process, to build a positive feedback loop between them. By interviewing both groups we can establish whether staff have heard of and bought into the risk-based, top-down approach, and whether their outputs have filtered back up to the leadership team. As part of our engagements, we offer strategic recommendations to help better align the two.
Overall, I really like the changes NIST made with version 2.0. The heavy focus on governance and risk is much needed with today’s threat landscape. The more organizational approach seems appropriate. Although we’ve seen some minor misinterpretation, overall the implementation examples are extremely helpful in starting conversations.
If you’re hoping to enhance your cybersecurity posture with NIST CSF 2.0, get in touch now. We would love to hear from you.