On August 8th, 2023, the National Institute of Standards and Technology (NIST) released the public draft of the NIST Cybersecurity Framework (CSF) version 2.0. The framework, initially published in 2014, has been widely adopted by organizations in the United States.
Despite the ongoing effectiveness of CSF 1.1, there is a widely held consensus that an update is necessary to keep pace with the evolving cybersecurity landscape. CSF 2.0 endeavors to maintain the relevance of the original framework while upholding its fundamental principles.
NIST CSF 1.1 vs NIST CSF 2.0: The Differences
Notably, CSF 2.0 places greater emphasis on integrating cybersecurity into business strategy and fostering top-down governance. The key changes in CSF 2.0 include:
Expanded Scope and Integration
CSF 2.0 has undergone a significant expansion, reflecting its intended use by organizations worldwide. The framework’s previous focus on U.S. critical infrastructure has been broadened to encompass a global audience, recognizing the universal nature of cybersecurity threats. Additionally, references to reputable frameworks such as the NIST Privacy Framework, NICE Workforce Framework for Cybersecurity, and Secure Software Development Framework have been incorporated, enabling organizations to seamlessly integrate CSF with their existing frameworks.
Enhanced Guidance and Governance
An ‘Implementation Examples’ category has been introduced as part of the CSF 2.0 update, providing organizations with practical guidance on achieving the framework’s subcategories. This guidance bridges the gap between theory and practice, enabling organizations to implement the framework effectively. Furthermore, a new function, “GOVERN”, has been added to emphasize the importance of cybersecurity governance. This function covers organizational context, risk management strategy, supply chain risk management, and other aspects, ensuring that organizations have a comprehensive understanding of their cybersecurity posture.
Continuous Improvement and Feedback
NIST has recognized the importance of continuous improvement in cybersecurity. References to NIST SP 800-55 have been included in the updated information on cybersecurity assessments, reinforcing the need for regular evaluation and improvement. Additionally, a new ‘Improvement Category’ has been added to the IDENTIFY function, emphasizing the ongoing nature of cybersecurity efforts.
Understanding the NIST Cybersecurity Framework 2.0 Core
CSF 2.0 provides a structured approach to cybersecurity risk management. The Framework Core defines cybersecurity Functions (broad activities), Categories (desired outcomes within functions), and Subcategories (specific outcomes within categories). To support implementation, the Framework Core provides guidelines and best practices for understanding Subcategory outcomes, as well as practical steps to achieve Subcategory outcomes. The Framework Core is designed to:
- Enable communication between different organizational teams.
- Provide a common understanding of cybersecurity risks and mitigation strategies.
- Guide organizations in managing and reducing cybersecurity risks through coordinated actions.
Version 2.0 has 6 functions, 22 categories, and 106 subcategories, compared with version 1.1's 5 functions, 23 categories, and 108 subcategories: one more function, but slightly fewer categories and subcategories.
The 6 functions are GOVERN (GV), IDENTIFY (ID), PROTECT (PR), DETECT (DE), RESPOND (RS), and RECOVER (RC). Each is described in more detail below:
1. GOVERN (GV)
This function is designed to help organizations establish and oversee a comprehensive cybersecurity strategy that aligns with their broader mission and risk tolerance. It recognizes cybersecurity as an integral aspect of governance and strategic planning, ensuring that cybersecurity measures are not simply reactive but proactive and aligned with the organization’s overall objectives.
| GOVERN (GV) Categories Overview |
|---|
| Organizational Context (GV.OC) |
| Risk Management Strategy (GV.RM) |
| Cybersecurity Supply Chain Risk Management (GV.SC) |
| Roles, Responsibilities, and Authorities (GV.RR) |
| Policies, Processes, and Procedures (GV.PO) |
| Oversight (GV.OV) |
2. IDENTIFY (ID)
This function helps organizations identify the cybersecurity risks specific to their situation and link those risks to the broader organizational mission and risk appetite defined under GOVERN. This ensures that cybersecurity measures are prioritized according to their potential impact on the organization’s goals and objectives.
| IDENTIFY (ID) Categories Overview |
|---|
| Asset Management (ID.AM) |
| Risk Assessment (ID.RA) |
| Improvement (ID.IM) |
3. PROTECT (PR)
This function helps organizations implement various safeguards and controls to prevent or mitigate the impact of identified threats. This includes user awareness training, strengthening physical and virtual infrastructure resilience, and deploying appropriate cybersecurity technologies. The focus is on reducing the likelihood and severity of cybersecurity incidents by bolstering the organization’s defenses.
| PROTECT (PR) Categories Overview |
|---|
| Identity Management, Authentication, and Access Control (PR.AA) |
| Awareness and Training (PR.AT) |
| Data Security (PR.DS) |
| Platform Security (PR.PS) |
| Technology Infrastructure Resilience (PR.IR) |
4. DETECT (DE)
To minimize the damage caused by cybersecurity threats, the DETECT function focuses on identifying and responding to threats as quickly as possible. This requires robust detection mechanisms that can differentiate between minor incidents and major breaches. By detecting threats early, organizations can prevent them from escalating and causing significant harm.
| DETECT (DE) Categories Overview |
|---|
| Continuous Monitoring (DE.CM) |
| Adverse Event Analysis (DE.AE) |
5. RESPOND (RS)
When cybersecurity incidents do occur, the RESPOND function guides a quick and effective response. This involves containing the damage, preserving stakeholder trust, and protecting the organization’s reputation. Effective incident response requires well-defined procedures, clear communication, and swift action to minimize losses and restore normal operations.
| RESPOND (RS) Categories Overview |
|---|
| Incident Management (RS.MA) |
| Incident Analysis (RS.AN) |
| Incident Response Reporting and Communication (RS.CO) |
| Incident Mitigation (RS.MI) |
6. RECOVER (RC)
The RECOVER function focuses on restoring impacted assets and operations as quickly and efficiently as possible following a cybersecurity incident. This includes restoring compromised systems, recovering lost data, and implementing measures to prevent similar incidents from occurring in the future. The goal is to ensure business continuity and minimize the long-term impact of cybersecurity breaches.
| RECOVER (RC) Categories Overview |
|---|
| Incident Recovery Plan Execution (RC.RP) |
| Incident Recovery Communication (RC.CO) |
NIST CSF 2.0 Reference Tool
NIST provides an online NIST CSF 2.0 Reference Tool. This tool enables users to delve into the Draft CSF 2.0 Core, which encompasses functions, categories, subcategories, and implementation examples. The reference tool offers both human and machine-readable versions of the draft Core in JSON and Excel formats. Additionally, Informative References are scheduled to be incorporated in early 2024, highlighting connections to other frameworks. Notably, implementation examples and informative references will be regularly updated and maintained exclusively online.
How Lepide Helps
Lepide Data Security Platform can assist companies in aligning with NIST CSF 2.0 in several ways:
- Identify: Lepide Data Security Platform can help organizations identify their assets, systems, and data through data discovery and classification functionalities. This includes locating sensitive data across various locations, such as file servers and Microsoft 365. By understanding what data they have and where it resides, companies can prioritize their security efforts.
- Protect: Lepide offers features that can help safeguard identified assets by identifying risk, implementing appropriate access controls, and monitoring user activity. Access controls dictate who can access specific data and what they can do with it. Activity monitoring keeps track of user behavior and can help identify suspicious activity.
- Detect: Lepide Data Security Platform can aid in threat detection through data loss prevention (DLP) and user behavior analytics. DLP helps prevent sensitive data from being accidentally or intentionally leaked or exfiltrated. User behavior analytics monitors user activity and identifies anomalies that could indicate a security breach.
- Respond: In the event of a security incident, Lepide Data Security Platform can aid in the response by isolating compromised systems. This helps contain the attack and prevents it from spreading to other parts of the network. The platform can also facilitate forensic investigations by providing logs and data that can be used to determine the root cause of the incident.
- Recover: The platform can also assist with recovery by providing backups and disaster recovery capabilities. Backups create copies of data that can be restored in case of a cyberattack or other incident. Disaster recovery plans outline the steps that need to be taken to resume operations after a major disruption.
- Govern: Lepide Data Security Platform can support the Govern function of NIST CSF by generating reports that provide visibility into user activity and system events. Governance teams can use this data to monitor compliance with policies and identify areas for improvement. The platform can also help simplify user provisioning and access management, ensuring that users have access only to the data and systems they need for their jobs. This reduces the risk of unauthorized access and strengthens overall data security.