The NIST Cybersecurity Framework (CSF) has just had its first major update since it was introduced in 2014. For that reason alone, the NIST Cybersecurity Framework 2.0 is a big deal.
A lot has changed in the cybersecurity and compliance space in the last decade, and you could say this update was overdue. The National Institute of Standards and Technology (NIST) spent several years in discussions and public discourse, with the goal of helping all organizations to manage and reduce risks — not just those in critical infrastructure, its original target audience.
Considering that NIST frameworks are some of the most commonly used standards in the cybersecurity industry, it’s worth asking what changes were made to NIST CSF 2.0, and what they mean for your organization. If you aren’t already compliant under the original NIST framework, should you adopt it now?
Here’s a quick overview of the major NIST 2.0 updates worth mentioning.
What’s Behind the Changes to NIST CSF 2.0?
The overall objective for the updated NIST CSF is to provide a framework that any organization can leverage in its drive to improve its cybersecurity posture. Unlike CMMC, NIST 2.0 isn’t geared only to government or DoD vendors. Instead, this framework is intended to be appropriate for any organization.
NIST CSF was originally called Framework for Improving Critical Infrastructure Cybersecurity. As the name indicates, the standard was initially directed toward critical infrastructure. But with the advent of version 2.0, the name was updated to Cybersecurity Framework — which reflects the shift to a broader usage.
To that end, NIST has generated guidance that is designed to cover organizations of all sizes, sectors, and maturity levels. They’re placing an emphasis on enabling smaller companies to effectively use NIST as a framework for their organization.
Expanded and Updated Controls
Under the previous version, the NIST framework included five Core Functions, or controls:
- Identify — Discover any elements potentially causing risk to your business (vulnerabilities and security weaknesses)
- Protect — Implement safeguards to reduce cybersecurity risks
- Detect — Discover any exploits that could potentially cause risk in the future, or are causing risk now (zero days, in-progress attacks)
- Respond — Take action against discovered areas of potential compromise
- Recover — Restore operations to a pre-incident state using a disaster recovery or business continuity plan
NIST did some restructuring of those five Core Functions and outlined some key goals for each of the functions. But the big change is the introduction of a new sixth function:
- Govern — Establish your cybersecurity policy, expectations, and strategy
The Govern function consists of several categories that were shifted from the previous five Core Functions, and NIST also expanded the Govern function to make it more robust.
The purpose of Govern is to better address cybersecurity risk management — specifically, the approach to risk management, expected outcomes, required policy statements, etc.
This new function reflects NIST’s commitment to increasing the importance of governance under the NIST 2.0 framework, aligning cybersecurity with overall enterprise risk.
Besides creating the new Govern function, NIST has outlined key goals for each function so that the framework is more coherent, providing linkages between the various Core Functions. The idea is to treat each of the Core Functions as its own independent component of the overall cybersecurity strategy.
Greater Profile Depth
NIST CSF 2.0 also features greater depth around profiles. A profile is the alignment of the Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of the organization.
The new version recommends that organizations create Organizational Profiles describing the company’s current cybersecurity maturity, as well as their target maturity. The idea is to set a goal and define a plan to get there.
NIST 2.0 also introduces Community Profiles, which address the shared cybersecurity interests and goals of organizations in the same industry, with similar technologies, or with similar types of threats.
Version 2.0 includes in-depth examples of profiles and detailed steps for creating and using them. NIST also provides a profile template, which allows you to generate profiles to help you achieve the outcomes that are detailed in the Core Function requirements.
How Prescriptive Is NIST CSF 2.0 — And Why Does It Matter?
Highly prescriptive compliance standards are very explicit in their requirements. There’s little to no room for doing things your own way, because everything is prescribed. If you’re looking for a highly prescriptive standard that is robust and comprehensive, PCI DSS remains the gold standard.
HIPAA, on the other hand, is at the other end of the spectrum. HIPAA is a very directional framework, pointing you in the right direction to an end goal. How you get there is less important to the standard than the question of whether your system measures up to the end goal.
So where does NIST CSF 2.0 fall on the spectrum? NIST CSF isn’t as directional as HIPAA, but it is a directional standard, and it will require more thought and front-end planning from your organization than a prescriptive standard like PCI DSS would.
On the other hand, if you’re already going up against a prescriptive standard, the lion’s share of that work will be done for you, and you’ll find it a heck of a lot easier to adopt NIST 2.0 since a prescriptive standard is much easier to map to a directional one. If your organization is subject to multiple compliance standards, I’d recommend using TCT Portal’s mapping capabilities to automatically keep multiple standards organized and aligned with each other.
Should You Use NIST CSF 2.0?
One important element to keep in mind about NIST CSF 2.0 is that it isn’t a required framework in any industry. It’s simply a standard that’s available for use by any organization. However, that broad applicability doesn’t mean it’s the best fit for every organization. The vagueness of the framework’s directional approach can make it frustrating for many companies to implement, especially if they’re new to the compliance realm.
For organizations that are already compliant with a prescriptive standard like PCI DSS, adopting NIST CSF 2.0 won’t be difficult. However, there won’t be much benefit to be gleaned that PCI isn’t already providing.
One thing to consider when implementing NIST CSF 2.0: NIST has multiple standards that tend to be tightly coupled with one another. If you’re implementing one of these NIST standards, you’ll find there are controls that reference other NIST standards. In the end, if you’re compliant with one NIST standard, you’ll be complying with requirements across several of the other NIST standards. That’s the case with NIST CSF 2.0 as well.
More often than not, the biggest reason organizations become NIST CSF compliant is that a key client or a key prospect requires it as part of their contract.
Don’t Adopt NIST CSF Without a Consultant
If your organization doesn’t already have an expert who’s gone down the path of security and compliance multiple times across multiple standards, I’d strongly recommend that you engage a consultant to help you implement NIST CSF 2.0. Otherwise, you’ll find yourself firmly lodged in the spider web of the standard, attempting to wrap your arms around it. Just trying to get a solid understanding of the framework will be a full-time job — and that’s before you start implementing it.
Instead, rely on a compliance consultant who’s been down this path before and can take you through it reliably and straightforwardly. It will be a tremendous shortcut and it’ll help save your sanity.
Succeeding with NIST CSF 2.0
NIST CSF 2.0 comes with important updates and expansions that any company can benefit from. Not every company needs NIST CSF 2.0, but it’s a solid framework for those companies that need to fulfill contractual requirements.
Want more direction on NIST CSF? You can check out the NIST CSF 2.0 Resource Center for helpful tools and resources to get started. For all of your other compliance needs, get the unfiltered truth from TCT’s weekly podcast.