In a much-anticipated development, the National Institute of Standards and Technology (NIST) has recently launched a new version (2.0) of its widely used Cybersecurity Framework (CSF). The latest version – the first major update since the framework was released a decade ago – supersedes version 1.1, which was primarily aimed at critical infrastructure organizations.
NIST CSF 2.0 is designed for all audiences, industry sectors, and organization types, from the smallest schools and nonprofits to the largest agencies and corporations — regardless of their degree of cyber security sophistication.
What are the key improvements of NIST CSF 2.0?
The NIST framework has undergone significant enhancements in its latest version. These changes provide security and business leaders with valuable tools to enhance their organization’s security posture.
The new structure of NIST CSF v2.0 from v1.1:
Here are the 6 main updates to be aware of:
1) Introduction of the “Govern” function:
In addition to the existing five functions (Identify, Protect, Detect, Respond, and Recover), NIST CSF 2.0 introduces a new function called “Govern.” The inclusion of this function underscores the critical role of cybersecurity governance in driving organizational security maturity.
2) Improved framework structure:
The new version features a more logically organized structure, minimizing duplication and overlap. Grouping categories and subcategories in this way enhances clarity and ease of implementation.
3) Focus on continuous improvement:
The updated framework places a stronger focus on continuous improvement. Organizations are encouraged to evolve their security practices proactively.
4) Cyber security supply chain risk management:
With the widespread adoption of cloud services across organizations, NIST CSF 2.0 emphasizes supply chain risk management. Addressing risks related to third-party vendors and service providers is crucial.
5) Practical implementation support:
NIST CSF 2.0 provides numerous implementation examples and quick-start guides. These resources assist organizations in effectively adopting and applying the framework.
6) Updated informative references:
While informative references existed in version 1.1, NIST CSF 2.0 revises them to include important, up-to-date publications and frameworks. For instance, the NIST Secure Software Development Framework is now referenced.
Overall, NIST CSF 2.0 equips security and business leaders with a more robust framework that aligns with today’s cyber security challenges.
Why should organizations adopt NIST CSF 2.0?
NIST CSF was widely used in its previous version, even though it was initially developed with critical infrastructure organizations in mind. More than 70% of the cyber security maturity assessments NCC Group delivers to its clients are based on NIST CSF. With the expanded scope of the new version to organizations of all sizes and sectors, we expect an even wider adoption of NIST CSF 2.0 as the preferred cyber security framework.
The shifting emphasis toward governance is reflected by the global challenge of increasing cyber regulation across standards and legislation, as highlighted in the UK and US respective National Cyber Strategies, Digital Operational Resilience Act (DORA), Network and Information Systems 2 (NIS2), and the Security and Exchanges Committee (SEC) Cybersecurity Requirements.
With boards increasingly getting challenged on cyber compliance, governance must be discussed and backed at the highest business level. NIST CSF 2.0 encourages senior leaders to integrate cyber security further into their strategic decision-making processes alongside other critical enterprise risks.
When should you transition to the latest version? And how?
If your organization is already aligned with NIST CSF 1.1, you should consider transitioning to version 2.0 – as soon as possible. Doing so will ensure alignment with current best practices and enable meaningful benchmarking. NCC Group has experienced and accredited consultants who can support you in that transition in several ways, including:
- Workshops to explain the changes in detail.
- Guidance to help you address existing gaps in advance of your first maturity assessment against the new version.
- “Transition” assessments, where the maturity is assessed and compared using both versions.
In summary, NIST CSF 2.0 isn’t just an update; it’s a huge leap forward. Organizations that embrace it will enhance their strategic security and resilience in an ever-evolving regulatory and threat landscape.
About the authors
Alvaro Rosa and Darren Speirs are Principal Security Consultants in NCC Group’s Consulting & Implementation division. They are co-responsible for the Cyber Security Review service line and have delivered cyber security assessments based on NIST CSF (and other frameworks) to clients across a variety of sectors and regions.
Reduce cyber security risk with NIST CSF 2.0
Learn more about our capabilities and reach out to our team if you are seeking support in adopting CSF 2.0 or transitioning from CSF 1.1.