Lepide Blog: A Guide to IT Security, Compliance and IT Operations

NIST CSF 1.1 vs 2.0 and Key Elements of NIST CSF 2.0

NIST CSF 1.1 vs 2.0

On August 8th, 2023, the National Institute of Standards and Technology (NIST) released the public draft of the NIST Cybersecurity Framework (CSF) version 2.0. The framework, initially published in 2014, has been widely adopted by organizations in the United States.

Despite the ongoing effectiveness of CSF 1.1, there is a widely held consensus that an update is necessary to keep pace with the evolving cybersecurity landscape. CSF 2.0 endeavors to maintain the relevance of the original framework while upholding its fundamental principles.

NIST CSF 1.1 vs NIST CSF 2.0: The Differences

Notably, CSF 2.0 places greater emphasis on integrating cybersecurity into business strategy and fostering top-down governance. The key changes in CSF 2.0 include:

Expanded Scope and Integration

CSF 2.0 has undergone a significant expansion, reflecting its intended use by organizations worldwide. The framework’s previous focus on U.S. critical infrastructure has been broadened to encompass a global audience, recognizing the universal nature of cybersecurity threats. Additionally, references to reputable frameworks such as the NIST Privacy Framework, NICE Workforce Framework for Cybersecurity, and Secure Software Development Framework have been incorporated, enabling organizations to seamlessly integrate CSF with their existing frameworks.

Enhanced Guidance and Governance

An ‘Implementation Examples’ category has been introduced as part of the CSF 2.0 update, providing organizations with practical guidance on achieving the framework’s subcategories. This guidance bridges the gap between theory and practice, enabling organizations to implement the framework effectively. Furthermore, a new function, “GOVERN”, has been added to emphasize the importance of cybersecurity governance. This function covers organizational context, risk management strategy, supply chain risk management, and other aspects, ensuring that organizations have a comprehensive understanding of their cybersecurity posture.

Continuous Improvement and Feedback

NIST has recognized the importance of continuous improvement in cybersecurity. References to NIST SP 800-55 have been included in the updated information on cybersecurity assessments, reinforcing the need for regular evaluation and improvement. Additionally, a new ‘Improvement Category’ has been added to the IDENTIFY function, emphasizing the ongoing nature of cybersecurity efforts.

Understanding the NIST Cybersecurity Framework 2.0 Core

CSF 2.0 provides a structured approach to cybersecurity risk management. The Framework Core defines cybersecurity Functions (broad activities), Categories (desired outcomes within functions), and Subcategories (specific outcomes within categories). To support implementation, the Framework Core provides guidelines and best practices for understanding Subcategory outcomes, as well as practical steps to achieve Subcategory outcomes. The Framework Core is designed to:

  • Enable communication between different organizational teams.
  • Provide a common understanding of cybersecurity risks and mitigation strategies.
  • Guide organizations in managing and reducing cybersecurity risks through coordinated actions.

The version 2.0 features 6 functions, 22 categories, and 106 subcategories, representing an increase from the version 1.1 which had 5 functions, 23 categories, and 108 subcategories.

The 6 functions include: GOVERN (GV), IDENTIFY (ID), PROTECT (PR), DETECT (DE), RESPOND (RS) and RECOVER (RC). These functions are described in more detail below:

1. GOVERN (GV)

This function is designed to help organizations establish and oversee a comprehensive cybersecurity strategy that aligns with their broader mission and risk tolerance. It recognizes cybersecurity as an integral aspect of governance and strategic planning, ensuring that cybersecurity measures are not simply reactive but proactive and aligned with the organization’s overall objectives.

GOVERN (GV) Categories Overview
Organizational Context (GV.OC)
  • Understand stakeholder expectations and legal requirements
  • Align cybersecurity practices with organizational mission and objectives
Risk Management Strategy (GV.RM)
    • Establish and monitor cybersecurity risk management strategy
    • Ensure alignment with organizational mission
Cybersecurity Supply Chain Risk Management (GV.SC)
  • Ensure third parties maintain adequate cybersecurity standards
Roles, Responsibilities, and Authorities (GV.RR)
  • Define cybersecurity roles and responsibilities
  • Establish accountability and efficient incident response
Policies, Processes, and Procedures (GV.PO)
  • Develop and maintain clear cybersecurity policies, processes, and procedures
  • Ensure consistent and effective cybersecurity practices
Oversight (GV.OV)
  • Continuously review and update cybersecurity strategy
  • Maintain a feedback loop for refinement and correction

2. IDENTIFY (ID)

This function helps organizations identify cybersecurity risks that are specific to their situation and link these risks to the broader organizational mission and risk appetite defined under GOVERN. This will ensure that cybersecurity measures are prioritized based on their potential impact on the organization’s goals and objectives.

IDENTIFY (ID) Categories Overview
Asset Management (ID.AM)
  • Understanding and managing assets crucial to business objectives
  • Prioritizing cybersecurity measures based on asset significance and risk strategy
Risk Assessment (ID.RA)
  • Comprehensive understanding of cybersecurity risks to organization, assets, and individuals
  • Informing decision-making and prioritizing cybersecurity efforts
Improvement (ID.IM)
  • Identifying enhancements to cybersecurity risk management processes and activities
  • Ensuring continuous refinement and adaptation of cybersecurity measures

3. PROTECT (PR)

This function helps organizations implement various safeguards and controls to prevent or mitigate the impact of identified threats. This includes user awareness training, strengthening physical and virtual infrastructure resilience, and deploying appropriate cybersecurity technologies. The focus is on reducing the likelihood and severity of cybersecurity incidents by bolstering the organization’s defenses.

PROTECT (PR) Categories Overview
Identity Management, Authentication, and Access Control (PR.AA)
  • Limiting access based on authorization and risk assessment
  • Safeguarding against unauthorized access
  • Ensuring data integrity and confidentiality
Awareness and Training (PR.AT)
  • Providing cybersecurity awareness and training
  • Equipping staff with knowledge and skills for effective cybersecurity tasks
Data Security (PR.DS)
  • Managing data in alignment with risk strategy
  • Protecting confidentiality, integrity, and availability of information
Platform Security (PR.PS)
  • Managing hardware, software, and services
  • Ensuring security of platforms and safeguarding against vulnerabilities
Technology Infrastructure Resilience (PR.IR)
  • Managing security architectures for asset protection and organizational resilience
  • Ensuring continuous availability and integrity of assets in adverse situations

4. DETECT (DE)

To minimize the damage caused by cybersecurity threats, the DETECT function focuses on identifying and responding to threats as quickly as possible. This requires robust detection mechanisms that can differentiate between minor incidents and major breaches. By detecting threats early, organizations can prevent them from escalating and causing significant harm.

DETECT (DE) Categories Overview
Continuous Monitoring (DE.CM)
  • Monitoring assets to detect potential cybersecurity threats
  • Timely identification and mitigation of threats
  • Reduced potential damage
Adverse Event Analysis (DE.AE)
  • Analysis of anomalies and potential threats
  • Detection of cybersecurity incidents
  • Insights into nature and severity of threats
  • Guidance for response measures

5. RESPOND (RS)

When cybersecurity incidents do occur, the RESPOND function can be used to facilitate quick and effective response. This involves containing the damage, preserving stakeholder trust, and protecting the organization’s reputation. Effective incident response requires well-defined procedures, clear communication, and swift action to minimize losses and restore normal operations.

RESPOND (RS) Categories Overview
Incident Management (RS.MA)
  • Ensuring a coordinated and effective response to threats
  • Minimizing potential damage
Incident Analysis (RS.AN)
  • Investigating incidents to guide response and recovery efforts
  • Providing insights into cause and impact of incidents
  • Informing mitigation strategies
Incident Response Reporting and Communication (RS.CO)
  • Coordinating response activities with stakeholders
  • Ensuring a unified response
  • Maintaining compliance with legal and regulatory requirements
Incident Mitigation (RS.MI)
  • Preventing escalation of incidents
  • Mitigating effects of incidents
  • Safeguarding assets and operations

6. RECOVER (RC)

The RECOVER function focuses on restoring impacted assets and operations as quickly and efficiently as possible following a cybersecurity incident. This includes restoring compromised systems, recovering lost data, and implementing measures to prevent similar incidents from occurring in the future. The goal is to ensure business continuity and minimize the long-term impact of cybersecurity breaches.

RECOVER (RC) Categories Overview
Incident Recovery Plan Execution (RC.RP)
  • Restoration activities after cybersecurity incidents
  • Timely recovery of operations
  • Minimizing downtime and costs
Incident Recovery Communication (RC.CO)
  • Coordination of recovery activities
  • Communication with internal and external parties
  • Unified recovery process
  • Stakeholder information

NIST CSF 2.0 Reference Tool

NIST provides an online NIST CSF 2.0 Reference Tool. This tool enables users to delve into the Draft CSF 2.0 Core, which encompasses functions, categories, subcategories, and implementation examples. The reference tool offers both human and machine-readable versions of the draft Core in JSON and Excel formats. Additionally, Informative References are scheduled to be incorporated in early 2024, highlighting connections to other frameworks. Notably, implementation examples and informative references will be regularly updated and maintained exclusively online.

How Lepide Helps

Lepide Data Security Platform can assist companies in aligning with NIST CSF 2.0 in several ways:

  • Identify: Lepide Data Security Platform can help organizations identify their assets, systems, and data through data discovery and classification functionalities. This includes locating sensitive data across various locations, such as file servers and Microsoft 365. By understanding what data they have and where it resides, companies can prioritize their security efforts.
  • Protect: Lepide offers features that can help safeguard identified assets by identifying risk, implementing appropriate access controls, and monitoring user activity. Access controls dictate who can access specific data and what they can do with it. Activity monitoring keeps track of user behavior and can help identify suspicious activity.
  • Detect: Lepide Data Security Platform can aid in threat detection through data loss prevention (DLP) and user behavior analytics. DLP helps prevent sensitive data from being accidentally or intentionally leaked or exfiltrated. User behavior analytics monitors user activity and identifies anomalies that could indicate a security breach.
  • Respond: In the event of a security incident, Lepide Data Security Platform can aid in the response by isolating compromised systems. This helps contain the attack and prevents it from spreading to other parts of the network. The platform can also facilitate forensic investigations by providing logs and data that can be used to determine the root cause of the incident.
  • Recover: The platform can also assist with recovery by providing backups and disaster recovery capabilities. Backups create copies of data that can be restored in case of a cyberattack or other incident. Disaster recovery plans outline the steps that need to be taken to resume operations after a major disruption.
  • Govern: Lepide Data Security Platform can support the Govern function of NIST CSF through generating reports that provide visibility into user activity and system events. This data can be used by governance teams to monitor compliance with policies and identify areas for improvement. It can also help simplify user provisioning and access management, ensuring that users only have access to the data and systems they need for their jobs. This reduces the risk of unauthorized access and strengthens overall data security.