NIST CSF 2.0: Changes and Implications

In August 2023, the National Institute of Standards and Technology (NIST) released a draft version of NIST Cybersecurity Framework (CSF) 2.0. This impending update to the popular cybersecurity guidance brings some significant changes. The document closed for public comment on Nov. 6, 2023, and the final publication is coming in early 2024.  

The need for NIST CSF 2.0 reflects broader changes in the cybersecurity landscape in recent years, making it easier for any type of organization to put the guidance into practice. Here’s a run-through of what’s new in NIST CSF 2.0. 

A New Govern Function  

Anyone who has a passing familiarity with NIST CSF probably knows about the five functions at the core of the framework: Identify, Protect, Detect, Respond and Recover. However, the revamp to CSF proposes that an extra Govern function becomes the sixth element in this framework core.  

These functions aim to provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The six core functions are essentially broad cybersecurity outcomes that organizations should aim to achieve. The framework clarifies that the actions needed to achieve core outcomes vary by organization and use case, so it’s not intended to be prescriptive. Instead, examples and references to other resources give organizations an idea of how they might achieve high-level cybersecurity outcomes.  

The new Govern function is an interesting addition that highlights the need to acknowledge cybersecurity risk as a major source of wider organizational risk. An effective Govern function sets the tone for incorporating and achieving each of the other five core cybersecurity function outcomes as part of the organization’s wider mission.  

It might seem intuitive that key stakeholders would recognize cyber risk alongside legal or other risks, but this still doesn’t seem to be the case. Reasons for this disconnect in perception versus reality vary from cybersecurity being seen as too technical to discuss to IT leaders downplaying cyber risks. Research from 2022 found that more than 80% of IT managers surveyed felt pressured to downplay the severity of cyber risks. 

Governance activities help to establish and oversee effective cybersecurity strategies, designate roles and responsibilities, and implement policies, processes and procedures. Most importantly, though, strong governance elevates cybersecurity from a technical issue to a board-level priority.  

Expanded Scope 

Another interesting tweak is that CSF 2.0 expands its scope to a much wider variety of organizations. Now, the framework goes beyond just critical infrastructure organizations like hospitals or power plants to reflect use by all organizations. And, in a further change, the geographical focus now extends worldwide rather than just focused on securing U.S. organizations.  

Reflecting this expanded scope, the document’s official title is now in line with its commonly used name: Cybersecurity Framework. The previous, rather less concise title of “Framework for Improving Critical Infrastructure Cybersecurity” has been abandoned.  

Organizations of all sizes and in all sectors can benefit from having the solid structure of a framework to use for better managing cyber risks (43% of cyberattacks target SMBs). This change also reflects how the CSF has been widely adopted as a framework by not just critical infrastructure organizations, but also companies seeking guidance and structure for dealing with the onslaught of attacks and risks in the current cybersecurity landscape.  

Emphasizing Supply Chain Risk Management 

A long-standing criticism of previous versions of CSF highlighted the framework’s lack of attention to supply chain risk management. With companies more reliant upon and intertwined with a complex ecosystem of third parties that often have access to their data or systems, supply chain risks are not going anywhere soon.   

In 2023 alone, before the draft publication of NIST 2.0, high-profile supply chain attacks like MOVEit and 3CX wreaked havoc on companies worldwide. These attacks had a cascading impact on many large organizations. While a slight update back in 2018 to CSF did address supply chain risk, many cybersecurity professionals felt the guidance didn’t go deep enough.   

The main changes in CSF 2.0 that address supply chain risk management more thoroughly are: 

1. The new Govern function specifically includes important outcomes in developing an effective program and designating roles and responsibilities for managing supply chain risks. 
2. Guidance on taking supply chain risks into account as a part of all core framework functions. This means doing things like identifying vulnerabilities in a supplier’s product or service, applying secure configuration management when giving suppliers access to IT resources, and tweaking incident response plans to ensure proper action after the compromise of any third-party products or services. 

It’s hoped these more granular guidelines will help companies of any size get more transparency into their supply chains and the often hidden risks they pose to information security. 

Get Further Guidance with Nuspire 

While NIST CSF 2.0 is clearly a much-welcomed update, it still leaves much ambiguity regarding how to implement the guidance. There are a lot of external references in the document and an alphabet soup of acronyms that can be tough to navigate. Companies arguably need more specific and practical guidance related to their industry and threat landscape.

Nuspire’s cybersecurity consulting services can help with a virtual CISO and executive cyber advice that meets you where you are in your security journey and helps expand your capabilities.  

Learn more here.