
The Gist of NIST CSF 2.0

The Gist of NIST CSF 2.0 is Simplicity: Easy to Understand Framework, Step by Step Instructions

NIST CSF 2.0 describes the cybersecurity outcomes an organization should achieve. Scored against a maturity scale such as PRISMA, it shows how well-developed your cybersecurity program is today and what improvements are required

A recent 24By7Security survey, conducted during the Gist of NIST CSF 2.0 webinar on June 27, 2024, revealed that 25% of IT and cybersecurity professionals were not aware of the changes introduced in NIST CSF 2.0, with another 15% not sure. The good news is that 60% of respondents reported at least a working familiarity with the new Cybersecurity Framework, which was released by the National Institute of Standards and Technology (NIST) on February 26, 2024.

V2.0 is the first major revision since the NIST Cybersecurity Framework was introduced a decade ago, in 2014; the v1.1 update of April 2018 was incremental by comparison.


Popular Cybersecurity Framework Evolves with the Times

Among cybersecurity and information technology practitioners, the NIST CSF is highly respected as one of the leading cybersecurity and risk management frameworks for all types of organizations. For ten years, the NIST Cybersecurity Framework has guided information security and technology professionals in developing their organizations' cybersecurity and risk management programs.

Implementing the NIST CSF is accepted as a reliable and effective way either to launch a new information security program or to update and upgrade an established one. There are several reasons why an organization needs this type of cybersecurity framework.




Why You Need a Cybersecurity Framework

There are many advantages to adopting a proven cybersecurity framework within your organization, not least avoiding the need to reinvent the wheel.

  • Adhering to the NIST Cybersecurity Framework gives an organization a defensible position during regulatory enforcement or civil litigation. For HIPAA-regulated entities this benefit was made explicit by H.R. 7898 (enacted as Public Law 116-321 in January 2021), which directs HHS to consider an organization's voluntary adoption of recognized security practices (RSPs), such as the NIST CSF, when deciding on fines and audit scope. It also demonstrates to stakeholders that you take cybersecurity seriously.
  • NIST CSF 2.0 is accepted by cyber insurers and government regulatory agencies. The National Institute of Standards and Technology (NIST) is itself a federal agency within the Dept. of Commerce that works to promote innovation and industrial competitiveness in the U.S.
  • The NIST framework provides a structured approach to cybersecurity risk management, describing the outcomes you need to achieve at the level of cybersecurity you require. In doing so, it also enhances operational resilience throughout your organization.
  • The NIST framework maps closely to many other cybersecurity regulatory and contractual requirements, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), FERPA, CMMC, the European GDPR, and others. NIST CSF has an outstanding record in promoting common standards for cybersecurity and in keeping pace with the evolution of cybercrime.
  • Finally, NIST's Program Review for Information Security Management Assistance (PRISMA, NISTIR 7358) gives Boards of Directors and Audit Committees a five-level maturity scale that provides insight into an organization's progress toward complete cybersecurity implementation.

For organizations seeking a credible, proven security framework on which to build and manage their cybersecurity programs, the NIST CSF 2.0 is an excellent choice.

“NIST CSF 2.0 institutionalizes cybersecurity,” said Sanjay Deo, Founder and President of 24By7Security, in a recent webinar on the topic. “It formalizes and elevates the role of Chief Information Security Officer (CISO) in the organization. And with clear guidance throughout, the framework is easy to understand and very achievable.”


Gist of NIST CSF 2.0: Major Advances Over CSF 1.1

Traditionally, the original five functions of the NIST CSF have been displayed as a wheel, because the functions relate to each other rather than forming a hierarchy. In v2.0 a sixth function, Govern, was introduced for the first time, drawn as the inner circle of the wheel because it informs each of the other five functions.

The release of NIST CSF 1.1 in April 2018 included five functions, 23 categories, and 108 subcategories (the outcome statements often loosely called controls) within those categories.

Six years later, in February 2024, NIST CSF 2.0 added the sixth function, pared categories to 22, and streamlined subcategories to 106. Of these 106 subcategories, 31 belong to the Govern function. Many of them were not new: the governance (ID.GV), risk management strategy (ID.RM), and supply chain (ID.SC) categories of v1.1 were moved out of Identify into Govern, so organizations that already covered those areas can adopt the new function quickly.


Advantages of NIST CSF 2.0

Broader Audience. NIST Cybersecurity Framework 2.0 is designed for all audiences, industries, and types and sizes of organizations, including small-to-medium-sized businesses (SMBs) as well as third parties and supply chains, which have been subject to increased cyberattacks in recent years. CSF 2.0 and its supplemental resources (including Quick Start Guides for small businesses, organizational profiles, and supply chain risk management) give this broader audience tailored pathways into the framework, making implementation easier.

Overarching Govern Function. As noted, v2.0 adds a Govern (GV) function to the original five core functions of the CSF, which are Identify, Protect, Detect, Respond, and Recover. Together these six functions provide an updated and comprehensive strategy for managing cybersecurity risk in any organization.

ERM Program. The new Enterprise Risk Management (ERM) Quick Start Guide describes how to use v2.0 in an enterprise-wide process for feeding cybersecurity risk information into the ERM program, alongside mission-related, financial, reputational, and technical risks.

Expanded Resources. New resources are a significant part of the gist of NIST CSF 2.0. For example, the CSF 2.0 Reference Tool allows users to browse, search, and export the framework's core (functions, categories, subcategories, and implementation examples) in human-readable and machine-readable formats such as JSON, and to see how their current practices map to the framework. The Cybersecurity and Privacy Reference Tool (CPRT) provides an interrelated, browsable, and downloadable set of NIST guidance documents, including mappings between the CSF and other NIST publications such as SP 800-53.


PRISMA Scoring Enables Objective Evaluation of Cybersecurity Maturity Before Undergoing Assessment

One of the challenges facing organizations is clearly understanding the true maturity level of their cybersecurity programs. It is human nature to look through rose-colored glasses, especially when assessing ourselves.

The NIST Program Review for Information Security Management Assistance (PRISMA) brings greater objectivity to this initial evaluation step, enabling organizations to plan the additions and enhancements their programs actually need.

The five levels of maturity in the PRISMA model range from the most basic level (1) to a cybersecurity program that is integrated throughout the organization (5). Each level builds on the one before it. The five maturity levels at a glance:

  1. Policies have been documented and communicated.
  2. Procedures have been documented.
  3. Procedures have been implemented, thus putting the necessary controls in place.
  4. Testing has been conducted in the form of a periodic review of procedure and control implementation.
  5. Policies, procedures, and controls have been integrated, as part of the cybersecurity program, throughout the organization.

Not every organization needs to achieve level 5 with every procedure and control at once. Achieving complete implementation takes time, effort, budget, and focus.

“Each organization must decide what level of maturity they need and can afford,” said Sanjay Deo in a recent webinar reviewing the gist of NIST CSF 2.0. “At minimum, true level 3 implementation should be your goal.”

Level 3 Achievement Required. Implementation, at level 3, is the most important level to achieve in the NIST Cybersecurity Framework. By actually implementing procedures and controls, organizations fortify their security and more effectively safeguard their networks, systems, and data. A helpful resource during implementation is NIST Special Publication 800-53, which provides a catalog of security and privacy controls for information systems and organizations; CSF 2.0 subcategories are mapped to these controls in the CPRT.

Because it is not uncommon for an organization to confuse documenting its procedures with implementing them, applying the PRISMA scoring model helps avoid that pitfall and the complacency and stasis that can result. A subcategory with a written procedure but no evidence that the procedure is carried out scores level 2, not level 3, no matter how good the document is.
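The following is an added example, not code from the original article, from 24By7Security, or from NIST. It scores a small, constructed self-assessment of CSF 2.0 subcategories against the five PRISMA levels. The design choice here is that levels are cumulative: a subcategory earns a level only if every lower level also holds, so a control that is implemented without a documented procedure scores level 1 rather than 3, and one that is documented but not implemented stops at level 2. The subcategory IDs are real CSF 2.0 identifiers used for illustration; the true/false answers are invented sample data, and the gap messages and the per-function minimum/mean roll-up are this example's own conventions, not part of PRISMA.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# PRISMA maturity levels, in the order in which each builds on the one before.
LEVELS = ("policy", "procedures", "implemented", "tested", "integrated")


@dataclass(frozen=True)
class Record:
    """One assessed CSF 2.0 subcategory and the evidence found at each PRISMA level."""
    subcategory: str      # CSF 2.0 subcategory ID, e.g. "PR.PS-02"
    policy: bool          # level 1: policy documented and communicated
    procedures: bool      # level 2: procedure documented
    implemented: bool     # level 3: procedure carried out, control in place
    tested: bool          # level 4: implementation periodically reviewed/tested
    integrated: bool      # level 5: integrated across the organization


def effective_level(rec: Record) -> int:
    """Highest PRISMA level reached, counting only while every lower level holds."""
    level = 0
    for name in LEVELS:
        if not getattr(rec, name):
            break
        level += 1
    return level


def gaps(rec: Record) -> List[str]:
    """Flag the mismatches a self-assessment tends to gloss over."""
    notes = []
    if rec.procedures and not rec.implemented:
        notes.append("documented but not implemented")
    if rec.implemented and not rec.procedures:
        notes.append("implemented without documented procedure")
    if rec.implemented and not rec.tested:
        notes.append("implemented but untested")
    return notes


def function_of(subcategory: str) -> str:
    """'PR.PS-02' -> 'PR' (the CSF function prefix)."""
    return subcategory.split(".", 1)[0]


def summarize(records: List[Record], target: int = 3) -> Tuple[Dict[str, dict], List[str]]:
    """Roll levels up per function (weakest link and mean) and list subcategories below target."""
    per_function: Dict[str, List[int]] = {}
    for rec in records:
        per_function.setdefault(function_of(rec.subcategory), []).append(effective_level(rec))
    summary = {
        fn: {"min": min(levels), "mean": round(sum(levels) / len(levels), 2), "count": len(levels)}
        for fn, levels in per_function.items()
    }
    below_target = [r.subcategory for r in records if effective_level(r) < target]
    return summary, below_target


# Constructed sample assessment (invented answers; not real assessment data).
SAMPLE = [
    Record("GV.RM-01", True, True, True, True, True),      # risk objectives: fully integrated
    Record("GV.SC-01", True, True, False, False, False),   # supply chain program: written, not run
    Record("PR.AA-01", True, True, True, True, False),     # identity management: implemented and tested
    Record("PR.PS-02", True, False, True, False, False),   # patching happens, but no written procedure
    Record("DE.CM-01", True, True, True, False, False),    # network monitoring: in place, never reviewed
    Record("RS.MA-01", False, False, False, False, False), # incident response plan: nothing yet
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f"{rec.subcategory}: level {effective_level(rec)}  {'; '.join(gaps(rec))}")
    summary, below = summarize(SAMPLE, target=3)
    for fn, stats in summary.items():
        print(f"{fn}: min {stats['min']}, mean {stats['mean']} over {stats['count']} subcategories")
    print("Below level 3:", ", ".join(below))
```

Reporting the minimum per function alongside the mean matters: a Protect average of 2.5 hides that patching (PR.PS-02) has no procedure at all, and it is the weakest subcategory, not the average, that an assessor or an attacker will find first.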


Getting Started on the Path to NIST CSF 2.0

After estimating where your program falls on the PRISMA maturity scale, your next move is to validate that estimate before proceeding with further program development and implementation. Necessary actions include the following:

  • Verify the scope of your cybersecurity program, whether it is the entire organization, a business unit, a subsidiary, or a department, for example.
  • Identify and inventory assets within the program, which may include hardware, software, systems, endpoints, databases, and other assets.
  • Identify supplier and other third party dependencies, including operational processes, technologies, overlaps, and gaps.
  • Review and develop NIST CSF 2.0-based cybersecurity policies and procedures.
  • Obtain an objective, independent view of your program by employing an independent assessor (internal or external) to perform a cybersecurity maturity assessment.

An experienced third-party assessor will be able to uncover and objectively interpret how your cybersecurity program is currently documented, communicated, implemented, and tested. And because employees in most organizations already have full-time jobs, leveraging a skilled professional with experience in NIST CSF 2.0 implementations makes a lot of sense.

Steps to NIST CSF 2.0 Implementation

Any adoption of the NIST Cybersecurity Framework calls for six specific actions within the scope of the cybersecurity program in your organization. Tap into the heart of the framework with these six vital steps:

  1. Set Objectives. Determine what it is you want to achieve through adoption of the NIST Cybersecurity Framework. Common goals range from improving cybersecurity to complying with regulatory requirements to reducing risk.
  2. Conduct Baseline Assessment. Evaluate your organization’s current cybersecurity practices against the CSF to identify gaps, spotlight areas needing improvement, and provide important insights for program development and management.
  3. Assess Risks. Identify and prioritize risks based on their likelihood and potential impact on your organization. You need a clear view of your material risks, and of your organization's risk appetite and tolerance, in order to address them appropriately. It can be helpful to identify the top ten priorities and develop those solutions first, then the second set of priorities, and so on.
  4. Allocate Resources. Identify the specific personnel, budget, tools, and other resources required to properly implement each cybersecurity initiative.
  5. Set Milestones. Establish timelines and milestones to track your progress for each initiative.
  6. Monitor Program. Implement continuous monitoring aimed at detecting intrusions, data exfiltration, and other cybersecurity events, and at assessing the ongoing effectiveness of the controls in place.

Remember that cybersecurity consultants experienced in NIST CSF 2.0 implementations are available to supplement inhouse resources, provide oversight and management of program implementation (acting in the role of CISO, for example), communicate with executive management, and furnish other support for your program implementation.

The Gist of NIST CSF 2.0

Since the NIST CSF was first introduced in February 2014, the cybersecurity framework has been widely adopted throughout the U.S. Released in February 2024, NIST CSF 2.0 provides a reliable, proven measure for the annual review of your cybersecurity posture, and now incorporates a vital governance function that informs the five core cybersecurity functions (Identify, Protect, Detect, Respond, and Recover).

Importantly, the new version maps to prevailing cybersecurity regulations and is accepted by regulators. NIST CSF 2.0 not only fosters a culture of informed cybersecurity risk management and cybersecurity awareness, but also enhances operational resilience and incident response effectiveness. Expert resources are available on the NIST website as well as from the experienced cybersecurity team at 24By7Security. Contact us today for assistance.



Sanjay Deo is the President and Founder of 24by7Security Inc. Sanjay holds a Master's degree in Computer Science from Texas A&M University, and is a Certified Information Systems Security Professional (CISSP), Healthcare Information Security and Privacy Practitioner (HCISPP), Certified Information Systems Auditor (CISA) and PCI Qualified Security Assessor (QSA). Sanjay is also a co-chair on the CISO council and Technology Sector Chief at FBI InfraGard South Florida Chapter. In 2022 Sanjay was honored with a Lifetime Achievement Award from the President of the United States. Subscribe to the 24by7Security blog to learn more from Sanjay.
