article

NIST Cybersecurity Framework 2.0

4 min read

A NIST Cybersecurity Framework 2.0 Core discussion draft was released in April 2023 (see ref 1 below) — the latest event on the timeline for updating to NIST Cybersecurity Framework 2.0.

Purpose of the NIST CSF

The  National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) version 2.0 (NIST CSF 2.0 for simplicity) provides guidelines and best practices for organizations to manage and reduce cybersecurity risks. The goal of NIST 2.0 (and previously for versions 1.0 and 1.1) is to protect critical infrastructure, encourage a culture of continuous cybersecurity improvement, and strengthen the security posture of all organizations.  

The CSF builds on existing standards, guidelines, and best practices for organizations to manage and reduce cybersecurity risks. It has played an important role in improving the cybersecurity posture of businesses, healthcare providers, and in government at all levels (Local, Tribal, State, and Federal). It has also seen wide adoption outside the US as a foundational framework on which to build robust cybersecurity defenses.

As the threat landscape has evolved and experience has highlighted potential gaps in the existing CSF, the need for an updated version has become apparent. NIST CSF 2.0 is that update. NIST encourages feedback from all interested parties so that the draft framework gets refined, improved, and evolves in response to a public-private dialogue. See ref 2 for a link to NIST's information on how to participate in the updating process for CSF 2.0.

NIST intends to complete the updating process for CSF 2.0 during the remainder of 2023 and then publish CSF 2.0 in early 2024 (ref 3). The diagram below from the NIST website shows the timeline — it is currently on target with the April 2023 Core draft release last week.

NIST 2.0 Ref 1 — The NIST CSF 2.0 Update Process Timeline

Diagram 1: The NIST CSF 2.0 Update Process Timeline (Source: NIST (ref 3)

Overview of NIST CSF 2.0

The CSF 2.0 Core discussion draft released for review and comments in April 2023 is a significant part of CSF 2.0, but it is not the only document released. A CSF 2.0 Concept Paper was released as a draft in January 2023 (ref 4). Interested parties are encouraged to continue to comment on the Concept paper and now also on the Core discussion draft.

CSF 2.0 Core has 6 Function sections plus 21 categories. These categories get further divided in the CSF 2.0 core paper, but we won't go that deep in this article (see Table 3 in the Core paper at ref 1 for the details). Instead, we'll outline the 6 Core Functions and 21 categories and also encourage you to read the linked NIST information and participate in the comments and feedback process so that we can collectively ensure that the final CSF 2.0 is as good as possible.

NIST CSF 2.0 Core Functions and Categories

Diagram 2 below shows the CSF 2.0 Core functions and categories as described in the draft (ref 1).

NIST 2.0 Ref 2 — NIST CSF 2.0 Functions & Categories

Diagram 2: NIST CSF 2.0 Functions & Categories (source data from ref 1)

Main Changes in CSF 2.0

The updated CSF 2.0 Core discussion paper builds on CSF 1.1. It has both large and small changes reflected in various reordering, merging, and modifications of the cybersecurity outcomes of the framework. CSF 2.0 increases focus on the following areas:

Cybersecurity outcomes applicable to all organizations, removing language specific to critical infrastructure across the Core. This change does not reflect a reduction in the need to protect critical infrastructure. It removes ambiguity about the definition of what is critical and highlights that all systems need a high level of protection.
The prevention of cybersecurity incidents via outcomes focused on Govern, Identify, and Protect Functions and the detection and response of incidents through the Detect, Respond, and Recover Functions.
Cybersecurity governance through a new Govern Function covering organizational context, risk management strategy, policies, procedures, plus roles and responsibilities.
Supply chain cybersecurity risk management outcomes.
Continuous improvement through a new Improvement Category in the Identify Function.
Leveraging the combination of people, processes, and technology to secure assets across all Categories in the Protect Function.
The resilience of technology infrastructure through a new Protect Function Category.
Cybersecurity incident response management, including the importance of incident forensics, through new categories in the Respond and Recover Functions.

See the Core discussion draft paper (ref 1) for more details. You can also chat with your contacts at Critical Insight to get an overview of the changes and guidance on what they mean for your organization. Use the contact form below if you don't have an existing relationship with the Critical Insight team.

Conclusion

The release of the CSF 2.0 Core discussion draft is an important milestone on the path to NIST CSF 2.0. We encourage everyone with a stake in protecting critical infrastructure and assets in public and private organizations to read the draft, formulate your thoughts and respond to the consultation using the channels described in ref 2. The more comprehensive the response, the better the final CSF 2.0 will be.