The National Institute of Standards and Technology (NIST) has released version 2.0 of its Cybersecurity Framework (CSF), updating it for the first time since 2014. The new version broadens its scope to help all organizations, not just critical infrastructure, manage cybersecurity risks.

The aim of the Framework is to Understand, Assess, Prioritize and Communicate cybersecurity risks.

The NIST Cybersecurity Framework Version 2.0 brings some important changes for security managers. The new "Govern" function emphasizes the importance of cybersecurity in governance and risk management, a topic that is also becoming more relevant with the NIS2 implementation. Expanded guidelines and specific implementation examples make the framework easier for practitioners to apply in the OT sector. Additional resources support supply chain security, and the focus on global applicability ensures that international standards are considered. Together, these updates significantly improve the protection and management of OT infrastructures.

The Detect function has been restructured and expanded, and its requirements are now much more comprehensive. This underlines the increasing importance of anomaly detection for the security of companies.

The New Features at a Glance

Extended Scope

Applicable to all organizations, not just critical infrastructure.

New “Govern” Function

Adds governance as the sixth function alongside Identify, Protect, Detect, Respond, and Recover.

Expanded Core Guidance

Provides more comprehensive implementation guidelines.

New Resources

Includes quick-start guides and implementation examples tailored for different audiences.

Global Applicability

Adjustments made for international use, aligning with global cybersecurity needs.

CSF 2.0 Reference Tool

Simplifies implementation with a searchable and exportable catalog of core guidance in human-consumable and machine-readable formats.

Informative References

Offers a searchable catalog showing how actions map onto the CSF, cross-referencing with over 50 other cybersecurity documents, including NIST's own resources.

Focus on Governance

Emphasizes cybersecurity as a major enterprise risk, integrating it into senior leadership considerations alongside finance and reputation.

Support for Supply Chains

Additional resources and guidance to help secure supply chains.

Tailored Pathways

Provides specific pathways and resources for various types of organizations, including small businesses, enterprise risk managers, and those focusing on supply chain security.

How Is the NIST Cybersecurity Framework (CSF) 2.0 Structured?

The framework is split into three components: the CSF Core, the CSF Organizational Profiles and the CSF Tiers. The aim of this framework is to understand, assess, prioritize and communicate cybersecurity risks in a controlled and standardized way.

What Is the CSF Core?

The CSF Core is separated into functions, whose outcomes are then grouped into categories and subcategories. The Core consists of the following six functions, which are intended to support the minimization of cybersecurity risks: GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER.

GOVERN

This function manages cybersecurity strategy, policy, and risk for the organization, aligning with its mission. It integrates cybersecurity into overall risk management, handling roles, responsibilities, and policy oversight.

IDENTIFY

The organization understands its cybersecurity risks by knowing its assets and suppliers. This helps prioritize efforts and find ways to improve policies and practices.

PROTECT

This function uses safeguards to secure the organization's assets and reduce the risk of cybersecurity events. It includes identity management, training, data security, platform security, and technology resilience.

DETECT

This function identifies and analyzes potential cybersecurity attacks and compromises by promptly discovering anomalies and indicators of compromise. It supports effective incident response and recovery activities.

RESPOND

This function takes action upon detecting a cybersecurity incident, focusing on containing its effects. It includes incident management, analysis, mitigation, reporting, and communication.

RECOVER

This function facilitates the timely restoration of affected assets and operations after a cybersecurity incident, minimizing its impact and supporting effective communication during recovery.

According to the framework, all actions that support the GOVERN, IDENTIFY, PROTECT and DETECT functions should happen continuously.

Actions that support RESPOND and RECOVER, however, should be ready at all times and be operational when cybersecurity incidents occur.

What Are the CSF Profiles?

A CSF Organizational Profile describes an organization's current or desired cybersecurity status in terms of the Core's outcomes. It guides actions by considering the organization's mission, stakeholder expectations, threats, and requirements. Every Organizational Profile includes one or both of the following:

What Are the CSF Tiers?

The CSF Tiers provide guidance for organizations to enhance their cybersecurity risk management. Think of them as a scale from basic to advanced practices, describing how organizations handle risks and complementing existing methods. Moving to a higher Tier is recommended when risks or requirements are more significant, taking cost-effectiveness into account. The CSF Tiers are categorized as:

Tier 1 | Partial

At the lowest level, organizations address information security reactively with minimal defenses and lack proactive risk mitigation strategies. They often overlook risks to supply chains and external stakeholders.

Tier 2 | Risk Informed

Tier-two organizations are aware of major risks like malware and state-sponsored attacks and have some protection measures in place. However, they lack a unified strategy with consistent policies across departments and struggle to address risks in their supply chains effectively.

Tier 3 | Repeatable

Tier-three organizations maintain robust, repeatable information security practices with consistent policies and full visibility into their data environment. They continuously update practices to counter new risks, respond quickly to incidents, and effectively manage risk across supply chains. According to NIST, organizations shouldn't be lower than this tier.

Tier 4 | Adaptive

The highest tier of information security maturity involves adaptive strategies, utilizing advanced technologies like machine learning for detection and response, SIEM systems, and adaptive policies. This level of security readiness is crucial in highly regulated sectors such as finance, healthcare, and critical infrastructure to counter sophisticated threats effectively.

Sources

1. National Institute of Standards and Technology (2024) The NIST Cybersecurity Framework (CSF) 2.0. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Cybersecurity White Paper (CSWP) NIST CSWP 29, 3ff: https://doi.org/10.6028/NIST.CSWP.29, accessed on April 26, 2024.

Eric Heindl

Cybersecurity Analyst, OMICRON

Eric Heindl describes himself as an IT guy with a heart for OT cybersecurity. In his role as Cybersecurity Analyst, he analyzes vulnerabilities in OT/IT networks, gives training on the cybersecurity aspects of web applications and websites, and demonstrates cyber attacks on substations and energy operators.