NIST Cybersecurity Framework 2.0: Key changes to CSF

Since it was introduced in 2014, the NIST Cybersecurity Framework (CSF) has played a critical role in the way organizations have approached cybersecurity. The original framework identified standards, guidelines and best practices under five functions: Identify, Protect, Detect, Respond and Recover.

The evolving threat landscape has facilitated the need to update and revise the original NIST framework (CSF 1.0). Whereas the original framework focused on critical infrastructure and institutions, such as the power grid and medical facilities, the NIST Cybersecurity Framework (CSF 2.0), which went live in February 2024, has a broader scope.

It is now designed to provide security guidance for all organizations, regardless of their size and scope. (This difference is reflected in the change of the CSF’s official title, as it was originally known as the Framework for Improving Critical Infrastructure Cybersecurity.) One of the biggest changes to CSF is the addition of a sixth function — Govern — which covers how an organization can make and execute its internal decisions to support a cybersecurity strategy and emphasizes that cybersecurity is a major source of enterprise risk.

Beyond the addition of the Govern function, one of the most major changes in CSF 2.0 involves the Recover function.

In CSF 1.0, the purpose of the Recover function was to “develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.”

In CSF 2.0, the Recover function description has been simplified: “Restore assets and operations that were impacted by a cybersecurity incident.” This includes creating an incident recovery plan and incident recovery communications that are coordinated between external and internal parties.

More specifically, key changes to the Recover function include:

·       Places greater emphasis on the importance of incident response, with guidance on how to best manage incidents promptly, efficiently and effectively through forensics, analysis and containment strategies.

·       Recommends developing more robust recovery plans that address not only the technical aspects of a cyber incident but also business continuity and communication.

·       Emphasizes the importance of learning from past incidents, including conducting post-incident reviews to identify lessons learned and where security teams can improve. The goal is to improve the organization’s resilience and adaptability for future incidents.

·       Adds a new category to the Recover function— resilience of technology infrastructure — which encourages organizations to design their systems to better withstand incidents and disruptions with quicker recovery times.

As the threat landscape continues to change and new regulations are added, many organizations will struggle to keep up with cybersecurity. The CSF was updated, in part, to address emerging cyber risks and provide a baseline of the security measures organizations should implement. The framework allows organizations of all sizes to create a security program that fits its unique needs and challenges.

The original CSF allowed for profiles, which NIST defines as “representation of the outcomes that a particular system or organization has selected from the Framework Categories and Subcategories.” There were target profiles, which is the desired outcome of the security program and a current profile, which is what the security program is right now.  

CSF 2.0 revamped profiles to add organizational and community profiles. In the past, profiles were used by communities to allow them to share their security goals and outcomes to improve risk management processes within very specific parameters. Now, organizations can create Community Profile Lifecycles that cover planning, developing, using and maintaining, and share their insights or gain perspectives based on their specific use cases or industry by joining a Community of Interest. Importantly, CSF 2.0 makes cybersecurity a shared endeavor that will be especially useful to small businesses that otherwise lacks strong security guidance. NIST offers a template to assist organizations in building their profile.

Whereas CSF 1.0 had very specific parameters for those organizations working with critical infrastructure, CSF 2.0 covers every type and size of business. It offers more precise language and resources, making it easier for even those users with minimal security knowledge to follow. Most importantly, it prioritizes risk management practices. One of the hurdles for many security teams is to get leadership to understand how cyber risk fits into overall business risk strategies. CSF 2.0 offers guidelines on outlining organizational risk tolerance and prioritizing risk for budgeting and resource allocation.

The NIST CSF 2.0 is free for anyone to reference, but implementing the recommendations can come at a cost. Many small businesses don’t have internal expertise to run security programs or the budget to hire a cybersecurity professional. Turning to an MSP or MSSP can be beneficial for an SMB to help them implement the framework.

MSPs also benefit from following CSF 2.0. One of the goals of the framework is to share information and make cybersecurity more inclusive. MSPs can take advantage of the information gained through community profiles and by the recommended processes to bring a more holistic approach to risk management to all their clients. Showing that they are adhering to framework guidelines adds credibility to an MSP and enhances their services to clients.

When CSF 1.0 was introduced a decade ago, it was a first step in changing the way organizations think about cybersecurity, but it was geared toward a very specific audience. Cybersecurity is more expansive and more evasive, with every type of industry at risk of a cyberattack that could shut down business operations for an untold period. With the release of CSF 2.0, more effective cybersecurity guidance targeting today’s threat landscape is now available for every organization.