NIST Cybersecurity Framework 2.0

The NIST Cybersecurity Framework (CSF) 2.0 provides guidance for organizations to better understand, assess, prioritize, and communicate their cybersecurity efforts. The framework is voluntary and designed to be applicable to organizations of all sizes across all sectors.

Overview

The NIST Cybersecurity Framework (CSF) 2.0, released in February 2024, represents a significant evolution of the original framework first published in 2014. Version 2.0 expands its applicability beyond critical infrastructure to organizations of all types and sizes, providing a common language for understanding and managing cybersecurity risk across entire enterprises.

The framework is built around six core functions that provide a high-level strategic view of an organization's cybersecurity risk management lifecycle. These functions help organizations prioritize their cybersecurity activities and communicate their efforts to stakeholders.

The Six Core Functions

CSF 2.0 introduces a new 'Govern' function alongside the original five functions, emphasizing the importance of governance in cybersecurity risk management:

Govern (GV)

The Govern function establishes and monitors the organization's cybersecurity risk management strategy, expectations, and policy. This new function emphasizes the importance of understanding organizational context, establishing a cybersecurity strategy, and implementing cybersecurity governance and oversight.

Identify (ID)

Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, resources, and related cybersecurity risks enables focus and prioritization.

Protect (PR)

Develop and implement appropriate safeguards to ensure delivery of critical services. The Protect function supports the ability to limit or contain the impact of potential cybersecurity events.

Detect (DE)

Develop and implement appropriate activities to identify the occurrence of cybersecurity events. The Detect function enables timely discovery of cybersecurity events.

Respond (RS)

Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. The Respond function supports the ability to contain the impact of potential cybersecurity incidents.

Recover (RC)

Develop and implement appropriate activities to maintain plans for resilience and restore capabilities or services impaired due to a cybersecurity incident. The Recover function supports timely recovery to normal operations.

Implementation Tiers

The Framework defines four Implementation Tiers that describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework:

Partial

Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc manner

Risk-informed

Risk management practices are approved by management but may not be established as organizational policy

Repeatable

Risk management practices are formally approved and expressed as policy

Adaptive

The organization adapts its cybersecurity practices based on lessons learned and predictive indicators

Framework Profiles

A Framework Profile represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a 'Current' Profile (the 'as is' state) with a 'Target' Profile (the 'to be' state).

Key Improvements in Version 2.0

The CSF 2.0 introduces several significant enhancements:

Expanded Scope

Applicable to all organizations and sectors, not just critical infrastructure

New Govern Function

Emphasizes cybersecurity governance as a critical component

Supply Chain Security

Enhanced focus on cybersecurity supply chain risk management

Organizational Profiles

Refined guidance on creating and using profiles

Quick Start Guides

New resources for specific use cases and implementation scenarios

Measurement and Metrics

Improved guidance on measuring cybersecurity outcomes

Getting Started

Organizations new to the Framework can begin implementation by following these steps:

  1. Prioritize and Scope: Identify business/mission objectives and high-level organizational priorities

  2. Orient: Identify related systems, assets, regulatory requirements, and overall risk approach

  3. Create a Current Profile: Document current cybersecurity outcomes being achieved

  4. Conduct a Risk Assessment: Analyze operational environment to identify likelihood and impact of cybersecurity events

  5. Create a Target Profile: Establish desired cybersecurity outcomes based on organizational goals and risk tolerance

  6. Determine, Analyze, and Prioritize Gaps: Compare Current and Target Profiles to identify improvement opportunities

  7. Implement Action Plan: Prioritize actions to address gaps and achieve Target Profile outcomes
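Steps 3, 5 and 6 above, carried through as an added Python example that is not NIST's or this page's own tooling: it scores each category of a Current and a Target Profile on the Implementation Tier scale and ranks the resulting gaps for the action plan. The category IDs are CSF 2.0 category identifiers that this page does not list; using the organization-level Tier names as a per-category score and the business-impact weights are assumptions of the example, and both Profiles are constructed.

```python
from dataclasses import dataclass

# Implementation Tiers from the framework mapped to an ordinal scale. Reusing
# the Tier names as a per-category maturity score is an assumption of this
# example; CSF 2.0 itself defines Tiers for the organization as a whole.
TIERS = {"Partial": 1, "Risk-informed": 2, "Repeatable": 3, "Adaptive": 4}
# The six Functions from the page, keyed by the prefix of a category ID.
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}

@dataclass(frozen=True)
class Gap:
    category: str   # CSF 2.0 category ID, e.g. "PR.AA"
    function: str   # Function name derived from the ID prefix
    current: str    # Tier in the Current ("as is") Profile
    target: str     # Tier in the Target ("to be") Profile
    delta: int      # target tier minus current tier
    priority: int   # delta * business-impact weight; higher = address first

def analyze_gaps(current, target, weights=None):
    """Step 6: rank gaps between Current and Target Profiles (category ID -> Tier).

    weights maps category ID -> business-impact weight (default 1); categories
    already at or above their target are not reported."""
    weights = weights or {}
    gaps = []
    for cat, tgt in target.items():
        prefix = cat.split(".")[0]
        if prefix not in FUNCTIONS:
            raise ValueError(f"unknown CSF Function prefix in {cat!r}")
        cur = current.get(cat, "Partial")  # undocumented outcome = ad hoc
        delta = TIERS[tgt] - TIERS[cur]
        if delta > 0:
            w = weights.get(cat, 1)
            gaps.append(Gap(cat, FUNCTIONS[prefix], cur, tgt, delta, delta * w))
    return sorted(gaps, key=lambda g: (-g.priority, g.category))

# Constructed sample Profiles and weights, not any real organization's data.
CURRENT_PROFILE = {"GV.OC": "Partial", "GV.RM": "Partial", "ID.AM": "Risk-informed",
                   "PR.AA": "Repeatable", "PR.DS": "Risk-informed", "DE.CM": "Partial",
                   "RS.MA": "Risk-informed", "RC.RP": "Partial"}
TARGET_PROFILE = {"GV.OC": "Repeatable", "GV.RM": "Repeatable", "ID.AM": "Repeatable",
                  "PR.AA": "Adaptive", "PR.DS": "Repeatable", "DE.CM": "Repeatable",
                  "RS.MA": "Repeatable", "RC.RP": "Repeatable"}
WEIGHTS = {"DE.CM": 3, "RC.RP": 2, "GV.RM": 2}

if __name__ == "__main__":
    for g in analyze_gaps(CURRENT_PROFILE, TARGET_PROFILE, WEIGHTS):
        print(f"{g.priority:>2}  {g.category} ({g.function}): {g.current} -> {g.target}")
```

The ranked list is the input to step 7: the highest-priority rows are the gaps the action plan addresses first, and re-running it against an updated Current Profile shows progress toward the Target.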

For detailed implementation guidance, refer to the official Quick Start Guides and sector-specific profiles available on the NIST website.