A recent 24By7Security survey, conducted during the Gist of NIST CSF 2.0 webinar on June 27, 2024, found that 25% of IT and cybersecurity professionals were not aware of the new NIST CSF 2.0 requirements, and another 15% were not sure. The good news is that 60% of respondents reported at least a working familiarity with the new Cybersecurity Framework, which was released by the National Institute of Standards and Technology (NIST) on February 26, 2024.
Version 2.0 is the first significant update since the NIST Cybersecurity Framework was introduced a decade ago, in 2014.
In the cybersecurity and information technology environment, the NIST CSF is highly respected as one of the leading cybersecurity and risk management frameworks for all types of organizations. For ten years, the NIST Cybersecurity Framework has guided information security and technology professionals in developing their organizations’ cybersecurity and risk management programs.
Implementing the NIST CSF is accepted as a reliable and effective way to either launch a new information security program or to update and upgrade an established program. There are actually several reasons why an organization needs this type of cybersecurity framework.
There are many advantages to adopting a proven cybersecurity framework within your organization, not least avoiding having to reinvent the wheel.
For organizations seeking a credible, proven security framework on which to build and manage their cybersecurity programs, the NIST CSF 2.0 is an excellent choice.
“NIST CSF 2.0 institutionalizes cybersecurity,” said Sanjay Deo, Founder and President of 24By7Security, in a recent webinar on the topic. “It formalizes and elevates the role of Chief Information Security Officer (CISO) in the organization. And with clear guidance throughout, the framework is easy to understand and very achievable.”
Traditionally, the original five functions of the NIST CSF have been displayed as a wheel, because all functions relate to each other rather than forming a hierarchy. In v2.0, a sixth function labeled “Govern” was introduced as an inner circle of the wheel, reflecting its role in informing each of the other five functions.
Six years later, in February 2024, NIST CSF 2.0 added a sixth function, pared categories to 22, and streamlined controls to 106. Of these 106 controls, 31 controls relate to the Govern function, enabling users to move quickly to adopt this function in their cybersecurity programs.
Broader Audience. NIST Cybersecurity Framework 2.0 is designed for all audiences, industries, and types and sizes of organizations, including small-to-medium-sized businesses (SMBs) as well as third parties and supply chains, which have been subject to increased cyberattacks in recent years. The new CSF 2.0 and its supplemental resources provide a significantly broader audience with tailored pathways into the framework, making implementation easier.
Overarching Governance Function. As noted, v2.0 adds a vital Govern function to the original five core pillars of the CSF, which are Identify, Protect, Detect, Respond, and Recover. Together, these six functions provide an updated and comprehensive strategy for managing cybersecurity risk in all organizations.
ERM Program. The new Enterprise Risk Management (ERM) Guide describes the use of v2.0 in an enterprise-wide process for integrating cybersecurity risk management information into the ERM program, including risk considerations around mission-related, financial, reputational, and technical risks.
Expanded Resources. New resources are a significant part of the gist of NIST CSF 2.0. For example, a new CSF 2.0 Reference Tool allows users to browse, search, and export information from the framework’s core guidance in human- and machine-readable formats. Users are also able to see how their current actions map to the framework. And a Cybersecurity and Privacy Reference Tool (CPRT) provides an interrelated, browsable, and downloadable set of NIST guidance documents that integrate with other popular resources.
One of the challenges facing organizations is clearly understanding the true maturity level of their cybersecurity programs. It is human nature to peer through rose-colored glasses, especially when assessing ourselves.
The NIST Program Review of Information Security Management (PRISMA) brings greater objectivity to this initial evaluation step, enabling organizations to plan the necessary additions and enhancements to their programs effectively.
The five levels of maturity in the PRISMA model range from the most basic level (1) to a cybersecurity program that is integrated throughout the organization (5). Following are the five maturity levels at a glance:
Not every organization needs to achieve level 5 with every procedure and control at once. Achieving complete implementation takes time, effort, budget, and focus.
“Each organization must decide what level of maturity they need and can afford,” said Sanjay Deo in a recent webinar reviewing the gist of NIST CSF 2.0. “At minimum, true level 3 implementation should be your goal.”
Level 3 Achievement Required. Level 3, Implementation, is the most important level to achieve in the NIST Cybersecurity Framework. By actually implementing procedures and controls, organizations fortify their security and more effectively safeguard their networks, systems, and data. A helpful resource during implementation is NIST Special Publication 800-53, which provides a catalog of privacy and security controls for information systems.
It is not uncommon for an organization to confuse documenting its procedures with implementing them. Applying the PRISMA scoring model helps avoid that pitfall, and the complacency and stasis that can result from it.
After determining where your program falls on the PRISMA maturity scale, your next move will be to validate that determination before proceeding with further program development and implementation. Necessary actions will include the following:
An experienced third-party assessor will be able to uncover and objectively interpret how your cybersecurity program is currently documented, communicated, implemented, and tested. And because employees in most organizations already have full-time jobs, engaging a skilled professional with experience in NIST CSF 2.0 implementations makes a lot of sense.
Any adoption of the NIST Cybersecurity Framework calls for six specific actions within the scope of the cybersecurity program in your organization. Tap into the heart of the framework with these six vital steps:
Remember that cybersecurity consultants experienced in NIST CSF 2.0 implementations are available to supplement in-house resources, provide oversight and management of program implementation (acting in the role of CISO, for example), communicate with executive management, and furnish other support for your program implementation.
Since the NIST CSF was first introduced in February 2014, the cybersecurity framework has been widely adopted throughout the U.S. Released in February 2024, NIST CSF 2.0 provides a reliable, proven measure for the annual review of your cybersecurity posture, and now incorporates a vital governance function that informs the five core cybersecurity functions (Identify, Protect, Detect, Respond, and Recover).
Importantly, the new version integrates prevailing cybersecurity regulations and is accepted by regulators. NIST CSF 2.0 not only fosters a culture of informed cybersecurity risk management and cybersecurity awareness, but also enhances operational resilience and incident response effectiveness. Expert resources are available on the NIST website as well as from the experienced cybersecurity team at 24By7Security. Contact us today for assistance.