Updates to NIST CSF 2.0 Finalized
The US National Institute of Standards and Technology (NIST) has finalized the first major update to its Cybersecurity Framework (CSF) since the framework was created in 2014. The framework has been a landmark set of guidelines and best practices used by organizations and government agencies worldwide to manage cybersecurity risk.
Now, after more than two years of discussions and public comments aimed at making the framework more effective for an evolving threat landscape, NIST has released the 2.0 edition of its Cybersecurity Framework.
With new cyber threats emerging every day, NIST CSF 2.0 is a critical resource for organizations across all sectors, from small schools and nonprofits to large agencies and corporations, regardless of their level of cybersecurity expertise.
What’s Changed?
In response to the extensive feedback received on the proposed changes, NIST has made several key revisions to improve how organizations use the framework.
The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats. CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.
— Laurie E. Locascio, Secretary of Commerce for Standards and Technology and NIST Director
Some of the most notable changes include:
- New Scope: NIST Cybersecurity Framework 2.0 has been revised to expand its target audience. Previously, the framework was aimed mainly at critical national infrastructure organizations, such as those in the utilities, telecoms, transport, and banking sectors. Now, the CSF aims to help all organizations mitigate and minimize risk effectively. NIST has enhanced the CSF’s primary guidance and introduced a range of tools to support organizations of all types in reaching their cybersecurity objectives, with a heightened focus on governance and supply chain management.
- One Additional Core Function: The framework’s previous core was organized around five key functions: Identify, Protect, Detect, Respond, and Recover. CSF 2.0 adds the Govern function, which establishes and communicates the organization’s cybersecurity risk management strategy and policy. It also monitors and prioritizes outcomes in alignment with the organization’s mission and stakeholder expectations.
- Quick Start Guides: The revised framework acknowledges that organizations will approach the CSF with different requirements and levels of experience in cybersecurity implementation. Introductory users can draw insights from the accomplishments of others and choose their area of focus from a new compilation of case studies and user-friendly guides tailored to specific user categories, including small enterprises, corporate risk managers, and entities aiming to strengthen their supply chains.
- Expanded Resources and Toolkit: The new CSF 2.0 Reference Tool takes the guesswork out of implementation by providing a user-friendly interface for browsing, searching, and exporting data and details from the CSF’s core guidance. The tool presents information in formats that are readable by both humans and machines. Additionally, CSF 2.0 includes a searchable catalog of informative references, enabling organizations to see how their current actions align with the CSF. The catalog cross-references the CSF’s guidance with over 50 other cybersecurity documents, including NIST publications such as SP 800-53 Rev. 5, which offers a range of safeguards (referred to as controls) for achieving specific cybersecurity objectives.
The 6 Components of the Framework Core
The framework’s core is now organized around six key functions: Identify, Protect, Detect, Respond, and Recover, plus the Govern function newly added in CSF 2.0. Together, these functions provide a holistic view of the cybersecurity risk management lifecycle.
- Govern: Establishes and communicates the organization’s cybersecurity risk management strategy and policy. Monitors and prioritizes outcomes in alignment with the organization’s mission and stakeholder expectations. Critical for integrating cybersecurity into the broader enterprise risk management (ERM) strategy. Addresses understanding organizational context, cybersecurity strategy establishment, supply chain risk management, roles, responsibilities, authorities, policy, and oversight.
- Identify: Focuses on understanding current cybersecurity risks within the organization. Identifies assets, suppliers, and related cybersecurity risks to prioritize efforts. Includes identifying improvement opportunities for policies, plans, processes, procedures, and practices supporting cybersecurity risk management.
- Protect: Utilizes safeguards to manage cybersecurity risks effectively. Secures assets to prevent or mitigate adverse cybersecurity events. Covers identity management, access control, awareness training, data security, and platform security.
- Detect: Aims to find and analyze potential cybersecurity attacks and compromises promptly. Supports timely discovery and analysis of anomalies and indicators of compromise. Enables successful incident response and recovery activities.
- Respond: Involves taking actions in response to detected cybersecurity incidents. Includes incident management, analysis, mitigation, reporting, and communication.
- Recover: Focuses on restoring assets and operations affected by cybersecurity incidents. Aids in the timely restoration of normal operations to minimize the impact of incidents. Facilitates appropriate communication during recovery efforts.
Why NIST Matters
NIST, the National Institute of Standards and Technology, plays a pivotal role in shaping technology and cybersecurity standards across diverse sectors. Through its Cybersecurity Framework (CSF), NIST provides a comprehensive set of guidelines that organizations can use to protect themselves from cyber threats. Widely acknowledged and continually updated, NIST’s standards and guidelines adapt to emerging risks and technological advances.
Compliance with NIST guidance is often obligatory for entities in regulated fields like finance and healthcare. By following NIST’s recommendations, organizations can strengthen their defenses against cyber threats, reduce the likelihood of data breaches, and ensure compliance with relevant regulations. NIST’s influence on the technology and cybersecurity industry is undeniable, and its consistent efforts to champion security and innovation are essential for protecting both enterprises and their customers.
Achieve NIST Compliance with BigID
For organizations looking to stay up to date with NIST CSF 2.0, BigID has you covered. Our data-centric approach to security combines deep data discovery, next-gen data classification, and risk management. Know where your data is located, how sensitive it is, and who is accessing it to meet the guidelines of the NIST Cybersecurity Framework.
With BigID you can:
- Map to NIST: Learn how to align with the NIST Cybersecurity Framework (CSF), and how to improve your data risk management, privacy posture, and security program in a single unified framework.
- Know Your Data: The ability to identify your data is the first critical step in both the NIST Cybersecurity Framework and the NIST Privacy Framework. In order to reduce risk, organizations need to identify all their data, everywhere. BigID’s data discovery and classification helps organizations automatically identify their sensitive, personal, and regulated data across the entire data landscape.
- Data Classification: NIST recommends using three categories (low impact, moderate impact, and high impact) to classify all data, everywhere, in order to meet compliance requirements for data privacy and data protection. Classify by category, type, sensitivity, policy, and more with BigID’s advanced data classification capabilities.
- Reduce Risk: Manage access to sensitive and critical business data. Organizations need to incorporate access control to identify who has (and who should have) access to sensitive data. BigID’s Access Intelligence App helps organizations identify and remediate high-risk data access issues with ML-based insight to identify and prioritize file access risk.
- Incident Response: When incidents happen, every second counts. BigID’s identity-aware breach analysis assesses the scope and magnitude of a data breach. Quickly determine which users and personal data have been compromised and respond in accordance with NIST guidance.
Bring your security programs up to speed and achieve compliance with NIST CSF 2.0: schedule a 1:1 demo with our experts today.