Landmark cybersecurity guidance from NIST offers outstanding enhancements with release of v2.0 on February 26, 2024
The National Institute of Standards and Technology (NIST) released version 2.0 of its widely adopted cybersecurity framework (CSF) on February 26, 2024. This marks the first significant update since the framework was introduced a decade ago, in 2014. The digital landscape has evolved tremendously over time, and v2.0 addresses that evolution very effectively.
Popular Cybersecurity Framework Takes a Giant Leap Forward
In the cybersecurity and information technology environment, the NIST CSF is highly respected as one of the leading cybersecurity and risk management frameworks for all types of organizations. For ten years, the NIST Cybersecurity Framework has guided information security and technology professionals in developing their organizations’ cybersecurity and risk management programs, and 24By7Security Inc. has been right there to assist those efforts. Implementing the NIST CSF is widely viewed as a reliable and effective way to either launch a new information security program or to update and upgrade an established program.
“CSF 2.0, which builds on previous versions, is not just about one document,” said NIST Director, Laurie E. Locascio, who also serves as Under Secretary of Commerce for Standards and Technology. “It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.”
The newly updated cybersecurity framework, in development since 2022, now features quick-start guides customized for specific audiences including SMBs, enterprise risk managers, and organizations seeking to secure their supply chains. Case studies of successful implementations at other organizations are readily available, along with a searchable catalog of informative references that allows users to link the framework’s guidance to more than fifty other cybersecurity documents.
With this giant leap forward, the highly popular NIST Cybersecurity Framework is better than ever. For organizations searching for a credible, proven security framework on which to build their cybersecurity programs, the NIST CSF is an excellent choice.
Spotlight on Three Major Enhancements in NIST CSF 2.0
In a press release on February 26, 2024, NIST spotlighted several important advances in the CSF v2.0 over previous versions.
- The NIST cybersecurity framework is now explicitly designed to help all organizations manage and reduce their security risks. Although its original audience consisted of organizations in the critical infrastructure sector of the U.S., it became clear that a larger and broader audience required access to a reliable, effective security framework.
- In addition to updating the framework’s core guidance, v2.0 now offers a suite of resources to better assist all organizations in achieving their cybersecurity goals.
- Among core guidance updates, v2.0 brings additional emphasis to organizational governance as well as to supply chains, which increasingly have been subject to cyberattacks in recent years.
NIST noted that its newest and most significant release to date “is the outcome of a multiyear process of discussions and public comments aimed at making the framework more effective.” This collaborative approach took advantage of extensive and varied user experiences and diverse perspectives to develop an improved and enhanced framework for all.
What Else is New in CSF 2.0
Expanded, Inclusive Audience. Among other notable innovations, the NIST Cybersecurity Framework 2.0 is designed for all audiences, industries, and types and sizes of organizations. Its scope ranges from the smallest schools and nonprofits to the largest agencies and corporations—regardless of their degree of cybersecurity sophistication. The new CSF 2.0 and its supplemental resources provide a wide variety of audiences with tailored pathways into the framework, making implementation easier.
Small Business Program. As one example, NIST CSF 2.0 offers a Quick Start Guide for small-to-medium sized businesses (SMBs) who have modest cybersecurity programs or who have no cybersecurity plans in place. The guide explains how to kick-start their cybersecurity risk management strategy by using the 2.0 framework. The guide also assists other smaller organizations, such as non-profits, government agencies, and schools. Guides are available by industry sector and by a variety of topics on the NIST website.
Enterprise Risk Management Program. In another example, the new Enterprise Risk Management Guide describes the use of v2.0 in an enterprise-wide process for integrating cybersecurity risk management information into the enterprise risk management program (ERM). Spanning risk considerations such as mission, financial, reputation, and technical risks, ERM seeks to understand the core risks of an enterprise, determine how best to address those risks, and ensure that those actions are taken. CSF 2.0 supports six activity points for informing, implementing, and monitoring an ERM program.
New Governance Function. A surprising innovation in v2.0 is the addition of a Governance function to the original five core pillars of the CSF. The updated CSF now organizes cybersecurity outcomes into six high-level functions, specifically Govern, Identify, Protect, Detect, Respond, and Recover. The governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider along with others such as finance and reputation, according to the press release.
When considered together, these six functions provide an updated and comprehensive strategy for managing cybersecurity risk in all organizations.
Robust New Resources. A new CSF 2.0 Reference Tool now simplifies the way organizations can implement the CSF by enabling users to browse, search, and export data and details from the framework’s core guidance in both human and machine-readable formats. CSF 2.0 also enables users to see how their current actions map to the framework. Additionally, the Cybersecurity and Privacy Reference Tool (CPRT) provides an interrelated, browsable, and downloadable set of NIST guidance documents that contextualize NIST resources with other popular resources.
Widespread Adoption of NIST CSF Since 2014
Since its first release in 2014, the NIST Cybersecurity Framework has been adopted voluntarily by thousands of organizations in the U.S. and internationally and has been downloaded more than 1.7 million times. Versions 1.0 and 1.1 have been translated into thirteen languages, and NIST expects that version 2.0 will be translated similarly by volunteers around the world. NIST will incorporate those translations into its expanding portfolio of CSF resources.
In addition, NIST’s collaboration with the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) shares numerous cybersecurity resources that have enabled ISO/IEC audiences to build cybersecurity frameworks and organize controls using the CSF functions. NIST and the ISO/IEC continue to work together to maintain this important international alignment.
By voluntarily adopting the NIST Cybersecurity Framework, organizations of all sizes and types can better understand, manage, and reduce their cybersecurity risks, protect their networks, and safeguard their data.
Summary
Since NIST CSF 1.0 was first introduced in February 2014, the cybersecurity framework has been widely adopted throughout the U.S. and beyond. Ten years later, in February 2024, NIST CSF 2.0 was launched to great expectations throughout the cybersecurity world. The significant additions and enhancements to the framework have not disappointed current stakeholders or prospective users. Expanded audiences, improved resources, and up to the minute cybersecurity guidance are certain to accelerate adoption in 2024 and beyond.
The new framework and additional resources are available on the NIST website. Expert assistance in planning and executing adoption throughout your organization is available from the experienced cybersecurity team at 24By7Security.
