What’s new in NIST CSF 2.0 and how can CCM help you implement it?
October 19, 2023
Updates to NIST’s Cybersecurity Framework will put even greater focus on governance in 2024.
Next year marks the 10th anniversary of the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), and its birthday gift to the world looks set to be version 2.0, the most significant overhaul to date.
In this post we examine what’s new in NIST CSF 2.0, how the proposed changes affect your implementation of the framework, and how Continuous Controls Monitoring (CCM) solutions can help you meet its new governance requirements.
What is NIST CSF 2.0?
NIST CSF 2.0 is the latest version of the NIST Cybersecurity Framework, replacing version 1.1, which was published in April 2018.
Originally developed for operators of critical infrastructure such as utilities and the banking system (and mandatory for US federal agencies), the CSF has since been voluntarily adopted by private enterprises across all business sectors worldwide. It has also influenced other national frameworks, including the UK National Cyber Security Centre’s Cyber Assessment Framework (NCSC CAF).
Developed throughout 2023 in collaboration with the cybersecurity community, version 2.0 is due to complete its final consultation phase in November, with a view to publication in early 2024.
What’s changed in NIST CSF 2.0?
New “Govern” Function
The biggest change with CSF 2.0 is the expansion in scope from its five main Functions – Identify, Protect, Detect, Respond and Recover – to incorporate a sixth cross-cutting Function: Govern. This additional Function is positioned universally rather than sequentially, covering how organizations can formulate and carry out internal decisions to support their cybersecurity strategy and the implementation of the CSF in practice.
According to NIST, the new Govern Function “emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership.”
The wording of CSF 2.0 says the purpose of Govern is to “establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy.”
Expanded implementation guidance
CSF 2.0 has been updated to include considerably more practical support for organizations trying to implement it. This centers on improved guidance for creating “Profiles” (documents describing how to apply the CSF in the context of a specific sector, use case or organization), and a complete set of “Implementation Examples” mapped to every Category and Subcategory under each CSF Function.
These measures make the CSF more accessible to organizations, particularly smaller private-sector businesses, which may have struggled with the more abstract guidance previously available. This reflects how adoption of the CSF has grown beyond US federal agencies and operators of critical infrastructure to encompass all sectors.
Understanding the new “Govern” function in NIST CSF 2.0
“Govern” has been introduced as an over-arching Function that informs implementation of the other five Functions (Identify, Protect, Detect, Respond and Recover).
The categories listed under the new Govern (GV) Function are:
- Organizational Context (GV.OC)
- Risk Management Strategy (GV.RM)
- Cybersecurity Supply Chain Risk Management (GV.SC)
- Roles, Responsibilities and Authorities (GV.RR)
- Policies, Processes and Procedures (GV.PO)
- Oversight (GV.OV)
Previously, risk management was dealt with under the “Identify” Function; in CSF 2.0 it comes firmly under “Govern”, with dedicated Categories of outcomes (Subcategories). This change enables organizations to use the CSF as an approach to risk management strategy, including supply chain risk. It also addresses who should oversee security controls, what their roles and responsibilities are, and which policies and processes govern those controls.
The inclusion of the Govern Function acknowledges the importance of governance in cybersecurity, and aligns the CSF with how cybersecurity activities are increasingly managed alongside other enterprise risks and legal requirements. It also brings greater organizational context and, through the Roles, Responsibilities and Authorities category, makes individual accountability explicit for the first time. This chimes with the trend in new regulatory mandates, such as the SEC’s cybersecurity disclosure rules, toward holding boards and senior management accountable for oversight of cyber risk.
Enhanced guidance for NIST CSF 2.0 implementations
The CSF has always acted as a scaffold onto which individual businesses can design their cybersecurity strategies. However, many organizations have found the framework difficult to apply because guidance, understandably, has had to be abstract.
CSF 2.0 addresses these shortcomings with enhanced guidance defining the steps organizations can take to achieve an outcome, in the context of their sector and other specifics.
Guidance for the creation and use of Framework Profiles has been significantly enhanced in CSF 2.0. Each Profile enables organizations to “establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities.”
Most of the published example Profiles relate to critical infrastructure (e.g. EV charging stations, voting machines, satellite networks, liquefied natural gas), though the guidance is intended to encourage Profile development in all other sectors too.
Implementation Examples add a further layer of supplementary detail to each category and subcategory of CSF Functions.
To illustrate this, let’s take the Oversight (GV.OV) category of the Govern Function and examine the Implementation Examples attached to one of its Subcategories:
- GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks.
  - Ex1: Review audit findings to confirm whether the existing cybersecurity strategy has ensured compliance with internal and external requirements.
  - Ex2: Review the performance oversight of those in cybersecurity-related roles to determine whether policy changes are necessary.
  - Ex3: Review strategy in light of cybersecurity incidents.
There are hundreds of such Implementation Examples, each giving organizations practical, action-oriented guidance specific to a single Subcategory of the CSF.
When is the NIST CSF 2.0 release date?
No definitive release date is available for the final NIST CSF 2.0, though NIST anticipates this will be “in early 2024.”
Following a preliminary draft release in April 2023, the first draft version of NIST CSF 2.0 was published August 8, 2023 for public comment, along with supporting materials. The final consultation period is due to conclude on November 4, 2023. This will inform the development of the final CSF 2.0.
NIST maintains a live timeline of key dates for the release of CSF 2.0 on its CSF website.
How can you give feedback on NIST CSF 2.0?
Feedback on the CSF 2.0 Public Draft and related documentation can be submitted to NIST’s CSF feedback mailbox by November 4, 2023.
After this date, NIST will continue to engage stakeholders via its community outreach activities, by soliciting direct feedback through RFIs, RFCs and inquiries to that mailbox, and by monitoring relevant resources and references, to inform future development of and updates to the CSF.
How CCM can help with NIST CSF 2.0 changes
The introduction of a cross-cutting governance layer across the entire scope of NIST’s Cybersecurity Framework (CSF) is a clear signal that organizations need to up their game in monitoring and controlling security policies. It also means treating cyber risk management in the context of the whole business: understanding, evidencing and acting to improve security posture, not just responding to events.
The updated CSF 2.0 is just part of a multi-faceted regulatory and compliance picture where everything is pointing toward an urgent need for more and better governance.
Continuous Controls Monitoring (CCM) improves governance by enhancing accountability across the enterprise. Combining data from across security, IT and business tools, CCM provides an accurate and complete view of all assets and the status of security controls.
Using CCM to break down barriers and simplify the governance process gives all stakeholders a single source of truth to work from. No more conflicting opinions and perspectives. No more inertia arising from data distrust. CCM provides trusted data ensuring all parts of the organization have a true picture of security posture – enabling faster remediation.
This is further enriched with unique business context to give a comprehensive and transparent understanding of accountability, automatically identifying asset and process owners and who’s responsible for fixing what.
Panaseer’s CCM platform enables you to codify your unique risk tolerance so you can then measure and report against adherence to policies, procedures and remediation SLAs. This ensures you can see where you’re failing to meet internal targets, and make improvements accordingly.
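The two governance questions above, which assets lack a working control and who owns them, and which open findings have breached a codified remediation SLA, can be answered mechanically once control data from separate tools is joined against the asset inventory. The script below is an added example written for this post and is not Panaseer’s code or any product’s logic; it correlates three constructed exports (a CMDB, an EDR agent inventory and a vulnerability-scanner export) against a hypothetical risk tolerance. All hosts, owners, finding IDs, field names and SLA thresholds are made up.

```python
"""Minimal continuous-controls-monitoring (CCM) check.

Added illustration, not Panaseer's code or any product's logic.
Joins three constructed exports (CMDB, EDR agents, vulnerability
scanner) to report (1) EDR coverage and the owners of uncovered
assets and (2) open findings that have breached a codified SLA.
Every host, owner, finding ID and threshold below is hypothetical.
"""
from collections import defaultdict
from datetime import date

# Constructed sample exports (hypothetical data).
CMDB = [
    {"host": "web-01", "owner": "alice", "env": "prod"},
    {"host": "web-02", "owner": "alice", "env": "prod"},
    {"host": "db-01", "owner": "bob", "env": "prod"},
    {"host": "dev-07", "owner": "carol", "env": "dev"},
]
EDR_AGENTS = [
    {"host": "web-01", "last_seen": "2023-10-18"},
    {"host": "db-01", "last_seen": "2023-09-01"},   # agent gone silent
    {"host": "lab-99", "last_seen": "2023-10-18"},  # host missing from CMDB
]
VULNS = [
    {"host": "web-01", "finding": "F-1", "severity": "critical", "first_seen": "2023-09-20"},
    {"host": "web-02", "finding": "F-2", "severity": "high", "first_seen": "2023-10-10"},
    {"host": "db-01", "finding": "F-3", "severity": "medium", "first_seen": "2023-08-01"},
]

# Codified risk tolerance (hypothetical): maximum days a finding may stay
# open per severity, and how long an agent may be silent before the
# control is treated as failed rather than merely installed.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
AGENT_STALE_DAYS = 7
AS_OF = date(2023, 10, 19)


def _days(since: str, as_of: date) -> int:
    """Whole days elapsed from an ISO date string to the reporting date."""
    return (as_of - date.fromisoformat(since)).days


def edr_coverage(cmdb, agents, as_of=AS_OF, stale_days=AGENT_STALE_DAYS):
    """Return (coverage_pct, uncovered_by_owner, hosts_unknown_to_cmdb).

    A CMDB asset is covered only if an agent exists for it AND has
    checked in within `stale_days`. Agents on hosts absent from the
    CMDB are reported separately: they show the inventory is incomplete.
    """
    fresh = {a["host"] for a in agents if _days(a["last_seen"], as_of) <= stale_days}
    known = {c["host"] for c in cmdb}
    uncovered = defaultdict(list)
    for asset in cmdb:
        if asset["host"] not in fresh:
            uncovered[asset["owner"]].append(asset["host"])
    pct = round(100.0 * len(known & fresh) / len(known), 1) if known else 0.0
    unknown = sorted({a["host"] for a in agents} - known)
    return pct, dict(uncovered), unknown


def sla_breaches(vulns, cmdb, as_of=AS_OF, sla_days=SLA_DAYS):
    """Return findings open longer than the SLA for their severity,
    each attributed to the asset owner recorded in the CMDB."""
    owner_of = {c["host"]: c["owner"] for c in cmdb}
    breaches = []
    for v in vulns:
        age = _days(v["first_seen"], as_of)
        limit = sla_days[v["severity"]]
        if age > limit:
            breaches.append({
                "host": v["host"],
                "finding": v["finding"],
                "owner": owner_of.get(v["host"], "unassigned"),
                "days_open": age,
                "overdue_by": age - limit,
            })
    # Worst breach first, so the report leads with what to fix now.
    return sorted(breaches, key=lambda b: -b["overdue_by"])


if __name__ == "__main__":
    pct, gaps, unknown = edr_coverage(CMDB, EDR_AGENTS)
    print(f"EDR coverage: {pct}% of CMDB assets")
    for owner, hosts in gaps.items():
        print(f"  {owner}: no working agent on {', '.join(hosts)}")
    if unknown:
        print(f"  agents reporting from hosts missing in CMDB: {', '.join(unknown)}")
    for b in sla_breaches(VULNS, CMDB):
        print(f"SLA breach: {b['finding']} on {b['host']} ({b['owner']}) "
              f"overdue by {b['overdue_by']} days")
```

The design choice worth noting is that an installed-but-silent agent counts as a failed control, and that the report is keyed by owner rather than by tool, which is what turns a list of gaps into something a governance forum can assign and track. Real deployments replace the inline lists with exports from the actual tools and the threshold constants with the organization's own documented tolerance.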
Why not take a closer look at how CCM delivers the governance requirements of NIST CSF 2.0 by arranging a demo or speaking with a Panaseer expert.