The NIST Cybersecurity Framework (CSF) helps organizations improve cybersecurity risk management by giving them a common language that ties security activities to business drivers.
NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards and create a new model that reflects evolving security challenges.
While the core of the CSF remains the same, there are several notable additions to the new version. Here’s what enterprises need to know about the new framework, how it impacts operations and how IT teams can effectively apply CSF version 2.0 to daily operations.
New in NIST 2.0: The Govern function
First is the introduction of the “Govern” function, which underpins the five functions carried over from the original framework: Identify, Protect, Detect, Respond and Recover. As the CSF 1.0 documentation notes, “these functions are not intended to form a serial path or lead to a static desired end state. Rather, the functions can be performed concurrently and continuously to form an operational culture that addresses the dynamic security risk.”
As a result, the functions are often depicted as a five-part ring surrounding the center of the CSF wheel. Each function feeds into the next, and no function is independent of another.
NIST CSF 2.0 keeps these five functions but adds Govern as an inner ring that informs all of them. Govern covers how the organization's cybersecurity risk management strategy, expectations and policy are established, communicated and monitored; its categories include organizational context, risk management strategy, roles and responsibilities, policy, oversight and cybersecurity supply chain risk management. The aim is that the other five functions align with business needs, are measured against defined outcomes and are overseen by executive leadership rather than left to the security team alone.
In other words, Govern brings leadership into the security conversation. Many businesses already do this informally; CSF 2.0 makes it an explicit function with its own outcomes rather than an implied one.
Expanded best practices
The first two CSF versions prioritized critical infrastructure. While other industries and agencies adopted the framework, it was primarily designed to reduce the impact of cybersecurity incidents in the critical infrastructure sector.
However, the broad adoption of the framework made it clear that practices and processes applied to public and private organizations across all sectors and industries. As a result, NIST CSF 2.0 offers expanded best practices broadly applicable to businesses of any size and type.
For example, the new CSF recommends that all organizations create Organizational Profiles: a Current Profile describing the cybersecurity outcomes they achieve today and a Target Profile describing the outcomes they want to reach. This allows companies to both set goals and define the practices necessary to meet those goals, with the gap between the two profiles driving the action plan. The new framework also highlights the role of Community Profiles. These profiles address the shared cybersecurity interests and goals of multiple organizations that occupy the same sector or subsector, use similar technologies or face similar threat types.
Making the most of new NIST guidelines
With its focus on enhanced governance and expanded best practices, the new NIST CSF can help enterprises enhance security and reduce risk. To effectively implement this framework, organizations benefit from a four-pronged approach.
1. Use available recommendations and resources
The expanded scope and scale of CSF 2.0 can make it difficult for businesses of any size to effectively implement new recommendations. For smaller companies, limited IT support may impact the development of new practices, while larger organizations may struggle with the complexity of their IT environments.
To help streamline the process, businesses should make best use of available resources, such as:
2. Get leaders in the loop
Next on the list is getting leaders in the loop. While CSF 2.0 was designed with governance and oversight in mind, many non-technical C-suite executives may have limited knowledge of the framework and its impact. As a result, it’s a good idea for IT leaders — such as CTOs, CIOs and CISOs — and their teams to sit down with board members and discuss the impact of CSF 2.0. This is also an opportunity to ensure business goals and security strategies are aligned.
In addition, these meetings provide an opportunity to define key security metrics, determine how they will be collected and create a detailed schedule for collection, reporting and action. By making leaders part of the conversation from the beginning of CSF implementation, companies set the stage for sustained visibility.
3. Evaluate external partnerships
As part of the new Govern function, CSF 2.0 adds a Cybersecurity Supply Chain Risk Management category (GV.SC) with subcategories covering vendor and supplier management. For example, GV.SC-04 calls for suppliers to be known and prioritized by their criticality to operations, GV.SC-06 covers the planning and due diligence required to reduce risk before entering formal supplier or other third-party relationships, and GV.SC-10 asks that supply chain risk management plans include provisions for activities that occur after a partnership or service agreement ends, such as revoking access and recovering or destroying data.
Given the increasing frequency and impact of third-party compromise, these evaluations are critical. If a supplier or vendor with access to critical company data or systems is compromised because of its own poor cybersecurity practices, the organization is exposed regardless of how well it follows CSF 2.0 itself.
4. Deploy management and monitoring tools
To support the five existing functions and provide the data needed to inform new governance efforts, companies need management and monitoring tools capable of detecting potential threats, tracking indicators of compromise (IOCs) and taking action to reduce total risk.
For example, threat intelligence tools can help organizations pinpoint common attack patterns and targets, in turn giving teams the data they need to create and deploy effective countermeasures. This data also helps tie security spending to measurable business outcomes.
From best practice to common practice
While CSF 2.0 is the newest version of NIST’s cybersecurity framework, it’s not the last. As noted by NIST, the framework is designed as a living document that evolves to meet emerging cybersecurity needs and help companies navigate changing threat environments.
In practice, this means making the move from best practices to common practices. For example, where versions 1.0 and 1.1 provided best practices for critical infrastructure, version 2.0 includes them as common practices for all organizations while defining a new best practice: governance. Over time, this practice will become commonplace, setting the stage for further developments that help organizations enhance threat discovery, improve incident response and reduce total risk.