NIST released its Cybersecurity Framework 2.0 (CFS 2.0) on Monday, introducing a new core structure, resource catalog and overall scope of application to the already widely used resource.
The highly anticipated final version of CFS 2.0 draws from years of collaboration and feedback across industry, academia and government agencies both in the United States and around the world, according to NIST, and includes changes that aim to address continuously evolving cybersecurity risks, needs and technologies.
The document and its accompanying resources were also informed by public comments submitted for a draft version of the framework that was published in August.
“The NIST Cybersecurity Framework is considered by many to be the grandfather of frameworks defining what must exist in a cybersecurity program,” Ken Dunham, cyber threat director at Qualys’ Threat Research Unit, said in an email to SC Media. “Significant technology changes have occurred since the inception of the framework, in addition to a need for improvements in clarity, alignment, and implementation towards consistent use.”
Here are three key takeaways from NIST’s CFS 2.0 and the changes it makes toward these improvements:
1. CFS 2.0 serves a wider audience, without taking a "one-size-fits-all" approach
NIST’s Cybersecurity Framework, originally titled “Framework for Improving Critical Infrastructure” was first published in 2014. A decade later, the 2.0 version has been adapted to apply to any sector, not just critical infrastructure, and encompasses a range of organizations varying in size and cybersecurity program maturity.
When the draft version of CFS 2.0 was published, lead framework developer Cherilyn Pascoe noted that some of today’s greatest cyber threats — such as supply chain attacks and ransomware — affect organizations both large and small, and across many industries.
“We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical,” Pascoe said in a statement.
At the same time, the framework maintains a level of flexibility that allows it to be adapted to an organization’s specific needs, avoiding a “one-size-fits-all” approach.
“Each organization has both common and unique risks, as well as varying risk appetites and tolerances, specific missions, and objectives to achieve those missions. By necessity, the way organizations implement the CSF will vary,” the document’s preface states.
Toward this end, CFS 2.0 also comes with two new resources: Community Profiles and a Small Business Quick-Start Guide. Community Profiles are tailored toward specific sectors, technologies, threat types or other shared contexts, each establishing a common baseline of outcomes to help develop CFS-informed cybersecurity risk management programs. Organizations can use Community Profiles that best apply to their own situation as a basis to build their own Organizational Target Profile under the framework, rather than starting from scratch or with a more generalized template.
The Small Business Quick-Start Guide offers specific assistance for small-to-medium sized businesses to initiate implementation of CFS 2.0, with specific guidance for each of the six key functions included in the CFS 2.0 Core: Govern, Identify, Protect, Detect, Respond and Recover.
2. New governance focus ties cybersecurity into broader organizational decision-making
One of the biggest changes to NIST’s Cybersecurity Framework in version 2.0 is the addition of the “Govern” function to the original five pillars listed above. NIST conceptualizes the “Govern” function as being central to the rest of the pillars, symbolizing its holistic connection to all other CFS functions.
This addition serves several purposes: it aims to integrate cybersecurity with broader enterprise risk management (ERM), roles and responsibilities, policy, and oversight at an organization, as well as better support communication of cybersecurity risk to executives.
“The addition of Govern as a basic function of the Cybersecurity Framework addresses a big piece that was previously missing,” Richard Aviles, senior solution architect for DoControl, told SC Media. “The need for well informed and correctly communicated policies is well understood, so its addition to the NIST 2.0 CFS helps create a more complete structure around which organizations can build.”
Additionally, the “Govern” function better establishes cybersecurity supply chain risk management as a central component of the CFS Core. Aviles noted the new CFS guidance on supply chain risk management is “well thought out and comprehensive, if not complete.”
The significant financial and reputational costs of major ransomware and supply chain breaches over the last few years, combined with increasing regulatory pressures, demonstrates the need for organizations to incorporate cybersecurity into their broader risk management strategy.
“[CFS 2.0] emphasizes the urgency of addressing cyber risk management seriously and consistently. NIST 2.0 directs organizational management to seamlessly integrate cyber risk management as an integral facet of overall risk management activities,” Lior Bar Lev, vice president of strategy at CYE, told SC Media.
3. Wealth of new resources eases implementation and continuous use of CFS 2.0
NIST aims to streamline adoption of CSF 2.0 with a series of tools and resources accompanying its release, including the new Quick Start Guides and a repository of online resources that will continue to expand and receive updates following the framework’s publication, according to NIST.
NIST Director Laurie E. Locascio said in a statement that CFS 2.0 is “not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.”
In addition to informative references — existing standards, guidelines, frameworks, regulations and other information sources specific to each outcome outlined in the CFS Core — NIST’s catalog of CFS resources also includes implementation examples for each outcome. These examples are not only available as a separate document but are also incorporated into the searchable NIST CFS 2.0 Reference Tool for more streamlined access to detailed information on specific CFS Core components.
The new framework also benefits from the latest guidance published by NIST and other sources on emerging threats and technologies, such as artificial intelligence; for example, CFS 2.0 can be used along with NIST’s AI Risk Management Framework published in January 2023.
As threats and technology continue to evolve, the “CSF portfolio” maintained by NIST can be updated with additional resources, and NIST encourages the submission of recommended resources to its [email protected] email address.
“Ultimately, the decision to adopt NIST CSF 2.0 depends on individual organizational needs and risk profiles. However, understanding the potential benefits and considering the evolving regulatory landscape makes a strong case for proactive engagement with this updated cybersecurity framework,” Ashley Leonard, CEO of Syxsense, told SC Media.