What is NIST Cybersecurity Framework (CSF) 2.0?
The NIST Cybersecurity Framework was first released in February 2014 and has since become a widely used tool for helping organizations manage cybersecurity risk. On February 26, 2024, NIST released version 2.0 of the Cybersecurity Framework (CSF). The new version makes some significant changes, most visibly moving governance out of the Identify function and into its own dedicated Govern function.
Overview of NIST CSF 2.0
CSF 2.0 expands its guidance to apply to all types of organizations, not just critical infrastructure. This version emphasizes cybersecurity governance, recognizing it as a core function essential for enterprise-level risk management. It encourages organizations to assess and incorporate cybersecurity within their overall governance frameworks, considering risks and decision-making processes at a strategic level.
CSF 2.0 also includes the new "Govern" function, complementing the traditional functions of Identify, Protect, Detect, Respond, and Recover. This addition strengthens its focus on ensuring that cybersecurity is integrated into the broader business strategies and risk management processes. The updated framework aims to make implementation more accessible, offering resources like quick-start guides, case studies, and an online catalog of cross-references to other relevant cybersecurity standards, making it adaptable to organizations of various cybersecurity maturities and sectors.
This framework serves as a foundational tool to help align cybersecurity efforts across industries and enhance resilience against emerging threats, including those involving supply chain and data privacy risks.
The Core Elements of NIST CSF 2.0
The core elements of NIST CSF 2.0 build on the original framework’s structure, with updates designed to address evolving cybersecurity needs across all sectors. Here are the main components:
- Six Core Functions: CSF 2.0 keeps the five functions of CSF 1.1 and adds a new “Govern” function, for six in total:
- Identify: Understand the organization’s assets, data, systems, and resources to effectively manage cybersecurity risks.
- Protect: Develop safeguards to ensure the delivery of critical services and limit the impact of potential incidents.
- Detect: Establish timely identification processes for cybersecurity events.
- Respond: Implement actions for containment and mitigation in the wake of cybersecurity incidents.
- Recover: Define processes for restoring normal operations after a cybersecurity incident, ensuring resilience and continuity.
- Govern (New): This function focuses on aligning cybersecurity with organizational governance, including the roles, responsibilities, and policies that link cybersecurity to enterprise risk management. NIST lists Govern first and describes it as informing how the other five functions are carried out.
- Implementation Tiers: The tiers guide organizations in evaluating their current risk management approach and cybersecurity practices. Tiers range from Partial (Tier 1) to Adaptive (Tier 4). NIST is explicit that Tiers are not maturity levels: they characterize how rigorous and well integrated an organization’s cybersecurity risk governance and management practices are, and they can be used to set a roadmap for improvement.
- Profiles: CSF 2.0 Profiles are tailored versions of the framework that align an organization’s cybersecurity activities with its unique business objectives and risk tolerance. The profiles help organizations prioritize resources and close gaps by comparing current and target cybersecurity postures.
- Supply Chain Risk Management (SCRM): CSF 2.0 emphasizes SCRM by including it in the Govern function, addressing the growing risks posed by interconnected networks and vendor vulnerabilities. It provides guidance for managing third-party risks, including partners and suppliers, and encourages a comprehensive approach to securing the supply chain.
- New Resources and Tools: CSF 2.0 includes various resources, such as a quick-start guide, a searchable reference tool, and an informative reference catalog, which provide users with practical support to implement the framework based on their specific requirements.
CSF 2.0 is designed to be more adaptable and accessible to organizations of all types, with added emphasis on governance and supply chain management.
What’s new in the CSF 2.0 version?
The NIST Cybersecurity Framework (CSF) 2.0 represents a significant update from its earlier versions, expanding its applicability and enhancing its focus on governance and supply chain risk management. Here’s a summary of key updates:
- Expanded Scope: Originally designed for critical infrastructure, CSF 2.0 now addresses organizations across all sectors and sizes. It provides flexible guidance tailored to various levels of cybersecurity maturity, from small businesses to large enterprises.
- Governance Emphasis: A new “Govern” function was introduced to underscore the need for cybersecurity to be integrated with broader enterprise risk management. This addition encourages executive oversight and aligns cybersecurity risk with other organizational risks like financial and reputational factors.
- Cybersecurity Supply Chain Risk Management (C-SCRM): Given the rising importance of securing supply chains, CSF 2.0 now includes guidelines to manage supply chain risks, helping organizations protect against vulnerabilities that may arise from their suppliers and partners.
- Enhanced Resources: NIST has released new tools, such as a CSF 2.0 Quick-Start Guide, a searchable reference tool, and a catalog of resources, aimed at simplifying the framework’s implementation and continuous improvement.
These updates make CSF 2.0 a more comprehensive and accessible tool, adaptable to today’s complex and interconnected cybersecurity landscape, and they emphasize global applicability, aligning it more closely with international standards like ISO 27001.
Let’s look in more detail at what NIST CSF 2.0 contains.
What are the Six NIST CSF v2 Core Functions?
CSF 2.0 organizes cybersecurity outcomes into six Functions, each broken down into Categories (and further into Subcategories). The Category identifiers below are the ones used in the CSF 2.0 Core:
- Govern (GV, new): Establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy. Categories: Organizational Context (GV.OC), Risk Management Strategy (GV.RM), Roles, Responsibilities, and Authorities (GV.RR), Policy (GV.PO), Oversight (GV.OV), and Cybersecurity Supply Chain Risk Management (GV.SC).
- Identify (ID): Understand the organization’s assets, data, systems, and resources to effectively manage cybersecurity risks. Categories: Asset Management (ID.AM), Risk Assessment (ID.RA), and Improvement (ID.IM), which now holds the lessons-learned activities that were spread across other functions in CSF 1.1.
- Protect (PR): Develop safeguards to ensure the delivery of critical services and limit the impact of potential incidents. Categories: Identity Management, Authentication, and Access Control (PR.AA), Awareness and Training (PR.AT), Data Security (PR.DS), Platform Security (PR.PS), and Technology Infrastructure Resilience (PR.IR).
- Detect (DE): Establish timely identification and analysis of cybersecurity events. Categories: Continuous Monitoring (DE.CM) and Adverse Event Analysis (DE.AE).
- Respond (RS): Implement actions for containment and mitigation in the wake of cybersecurity incidents. Categories: Incident Management (RS.MA), Incident Analysis (RS.AN), Incident Response Reporting and Communication (RS.CO), and Incident Mitigation (RS.MI).
- Recover (RC): Define processes for restoring normal operations after a cybersecurity incident, ensuring resilience and continuity. Categories: Incident Recovery Plan Execution (RC.RP) and Incident Recovery Communication (RC.CO).
CSF Profile
A CSF Organizational Profile describes an organization’s current and/or target cybersecurity posture in terms of the Core’s outcomes.
NIST Cybersecurity Framework (CSF) 2.0 introduces updated “Profiles,” which are key tools for aligning cybersecurity functions, categories, and subcategories with an organization’s specific risk management needs, regulatory requirements, and industry best practices. These Profiles can help identify an organization’s current cybersecurity posture (Current Profile) and establish a desired future state (Target Profile). Comparing these two Profiles assists organizations in recognizing gaps and prioritizing action items to bridge these gaps effectively.
In CSF 2.0, the Profiles concept is expanded with “Community Profiles,” which allow industries or groups with shared cybersecurity interests to adopt CSF principles in a consistent way, addressing risks that may be unique to specific sectors or challenges, like healthcare or manufacturing. By using these Community Profiles, sectors can better manage industry-specific threats and compliance needs, such as protecting critical infrastructure or sensitive data within regulated environments.
The updated Profiles in CSF 2.0 support a more tailored, scalable approach for organizations of all sizes, promoting adaptable, risk-based practices for cybersecurity management. NIST provides templates and guidelines to help organizations create and implement these Profiles effectively.
NIST summarizes one way an organization can use an Organizational Profile to drive continuous improvement in five steps: 1) scope the Organizational Profile, 2) gather the information needed to prepare it, 3) create the Current and Target Profiles, 4) analyze the gaps between them and create a prioritized action plan, and 5) implement the action plan and update the Organizational Profile, then repeat.
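The gap-analysis step (comparing a Current Profile with a Target Profile and turning the differences into a ranked action plan) is the one place in this process that is mechanical enough to script. The following Python is an added example written for this page, not NIST's or SSH's code. The Category identifiers (GV.SC, PR.AA, DE.CM, and so on) are the real CSF 2.0 Category IDs, but the 0-4 implementation scale, the 1-3 priority weights and the sample profile values are assumptions constructed for illustration; NIST does not prescribe a scoring scheme.

```python
"""Gap analysis between a CSF 2.0 Current Profile and a Target Profile.

Added example, not code from NIST or from the page's author. Scores, weights
and sample profiles below are constructed for illustration only.
"""
from dataclasses import dataclass

# CSF 2.0 Function names keyed by the prefix of each Category ID.
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Gap:
    category: str   # CSF 2.0 Category ID, e.g. "GV.SC"
    function: str   # Function the Category belongs to
    current: int    # self-assessed state on an assumed 0-4 scale
    target: int     # desired state on the same assumed scale
    priority: int   # assumed business/risk weight, 1 (low) to 3 (high)
    note: str       # flags raised for edge cases ("" when none)

    @property
    def gap(self) -> int:
        # A Category already above target has no gap (handled via the note).
        return max(self.target - self.current, 0)

    @property
    def score(self) -> int:
        # Weighting by priority keeps a small gap on a high-risk Category ahead
        # of a large gap on a low-risk one when ranking the action plan.
        return self.gap * self.priority


def function_of(category: str) -> str:
    """Map a Category ID such as 'PR.AA' to its Function name."""
    prefix = category.split(".", 1)[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"unknown CSF 2.0 Function prefix in {category!r}")
    return FUNCTIONS[prefix]


def gap_analysis(current: dict[str, int], target: dict[str, int],
                 priority: dict[str, int]) -> list[Gap]:
    """Compare Current and Target Profiles; return Gaps ranked for an action plan."""
    gaps = []
    for category, want in target.items():
        have = current.get(category)
        note = ""
        if have is None:
            # Targeted but never assessed: treat as 0 and say so, rather than
            # silently dropping it from the plan.
            have, note = 0, "not assessed in Current Profile"
        elif have > want:
            note = "exceeds target; candidate for reallocating effort"
        gaps.append(Gap(category, function_of(category), have, want,
                        priority.get(category, 1), note))
    # Assessed but absent from the Target Profile: a scoping error to resolve.
    for category in sorted(set(current) - set(target)):
        have = current[category]
        gaps.append(Gap(category, function_of(category), have, have,
                        priority.get(category, 1),
                        "missing from Target Profile; scope it or drop it"))
    return sorted(gaps, key=lambda g: (-g.score, g.category))


def action_plan(gaps: list[Gap]) -> list[str]:
    """Category IDs that still need work, highest priority-weighted gap first."""
    return [g.category for g in gaps if g.gap > 0]


def rollup_by_function(gaps: list[Gap]) -> dict[str, int]:
    """Total unweighted gap per Function, useful for an executive summary."""
    totals = {name: 0 for name in FUNCTIONS.values()}
    for g in gaps:
        totals[g.function] += g.gap
    return totals


# Constructed sample profiles (assumed values, not from NIST or the page).
CURRENT_PROFILE = {"GV.OC": 2, "GV.RM": 1, "GV.SC": 0, "ID.AM": 3, "PR.AA": 2,
                   "PR.DS": 2, "PR.AT": 2, "DE.CM": 1, "RS.MA": 2, "RC.RP": 3}
TARGET_PROFILE = {"GV.OC": 3, "GV.RM": 3, "GV.SC": 3, "ID.AM": 3, "ID.RA": 2,
                  "PR.AA": 4, "PR.DS": 3, "DE.CM": 3, "RS.MA": 3, "RC.RP": 2}
PRIORITY = {"GV.SC": 3, "PR.AA": 3, "DE.CM": 2, "GV.RM": 2}

if __name__ == "__main__":
    result = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY)
    for g in result:
        print(f"{g.category:6} {g.function:9} {g.current}->{g.target} "
              f"gap={g.gap} score={g.score} {g.note}")
    print("Action plan:", action_plan(result))
    print("Per Function:", rollup_by_function(result))
```

Two design choices are worth noting. Categories in the Target Profile that were never assessed are kept and flagged rather than dropped, because a gap you cannot see is the one that ends up in an incident report. Categories the current assessment covers but the Target Profile does not are surfaced as scoping errors, so the two Profiles are forced back into agreement before the action plan is taken to management.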
CSF Tiers
The NIST Cybersecurity Framework (CSF) 2.0 defines four Implementation Tiers that characterize how rigorous and well integrated an organization’s cybersecurity risk governance and management practices are. NIST notes that the Tiers are not maturity levels; an organization selects the Tier that fits its risk, mission, and resources, and records it in its Profile.
- Tier 1 - Partial: Organizations at this level have limited awareness and management of cybersecurity risks. Cybersecurity activities may be informal, inconsistent, and reactive, with little alignment to business needs.
- Tier 2 - Risk Informed: Here, organizations begin to incorporate cybersecurity into broader risk management practices. Cyber risks are considered, but they may not be consistently applied across the organization.
- Tier 3 - Repeatable: This tier indicates a well-structured cybersecurity program where risk management practices are consistent and repeatable. Cybersecurity policies and processes are well-documented and supported by resources across the organization.
- Tier 4 - Adaptive: Organizations at this level actively adapt to emerging threats with agile, continuous improvement processes in cybersecurity. They employ advanced threat intelligence, regularly review risks, and align cybersecurity closely with business and operational goals.
These tiers offer a pathway for organizations to scale their cybersecurity efforts from ad hoc to proactive and integrated risk management practices, enhancing resilience and adaptability in an evolving cyber threat landscape.
Fulfill NIST CSF 2.0 Requirements with SSH Communications Security
Supervising an entire OT system in addition to tackling regular day-to-day objectives can be overwhelming, but it doesn’t have to be. SSH Communications Security's (SSH) PrivX OT solution supports convenience without cutting corners by consolidating every component of your IT/OT system into a secure platform for optimal visibility, access, and scalability. Credentials are managed and confidential, workflow approval for jobs is built in and every session is identified with a solid audit trail of activities.
PrivX OT offers models with varying classification levels for managerial teams that require individualized authorized access, to ensure responsible use. Reach out to us today to learn more about how PrivX OT can optimize your OT security to keep both your data and people safe. You can also read more in our Secure Remote Access Management Buyer's Guide for OT.
FAQs
What is NIST Cybersecurity Framework (CSF) 2.0?
The NIST Cybersecurity Framework is a voluntary framework that helps organizations manage cybersecurity risk. The original framework focused mainly on critical infrastructure; CSF 2.0 is an extended version that applies to all types of organizations.
What are the core elements of NIST CSF 2.0?
Six core functions: 1) Govern, introduced in 2.0 to align cybersecurity with the organization’s governance and risk management, 2) Identify resources and assets, 3) Protect the delivery of services and limit the impact of potential incidents, 4) Detect cybersecurity events, 5) Respond with containment and mitigation, and 6) Recover from incidents. The Core is complemented by Organizational Profiles and Implementation Tiers.
What is new in NIST CSF 2.0?
1) Expanded scope beyond critical infrastructure, 2) a new Govern function that aligns cybersecurity with enterprise risk management, 3) explicit cybersecurity supply chain risk management, and 4) enhanced implementation resources developed by NIST, such as quick-start guides and a searchable reference tool.