Jun 21, 2023

Get Ready for NIST CSF 2.0: Steps to Prepare

What is NIST CSF?

The NIST Cybersecurity Framework (CSF) is a framework published by the National Institute of Standards and Technology (NIST) that aims to guide cybersecurity initiatives and risk management processes for critical infrastructure providers. Since its development in 2014, NIST CSF has become a standard baseline for various organizations to verify their physical and logical security posture to reduce overall attack surfaces. The current framework centers around five Category Families that correlate with multiple stages within the risk management process: Identify, Protect, Detect, Respond, and Recover. Additionally, each Category Family is broken down into subcategories and individual controls that assist organizations in analyzing and verifying their internal risk management capabilities.

Due to the overwhelming adoption of NIST CSF by organizations outside the critical infrastructure industry and the constantly evolving threat landscape, NIST has determined that the current framework must be expanded to better serve the needs of organizations seeking guidance. This expansion involves broadening the scope of NIST CSF so that its controls are more applicable to all types of organizations and improving the clarity of the framework’s objectives to provide security guidance for its audience more consistently. NIST intends to implement these updates in the framework’s most extensive refresh since its initial publication to make it more accessible and relevant to all organizations to verify their security maturity regardless of size, industry, sector, or country.

NIST CSF Version 2.0

NIST began community engagement activities in February 2022 to gather information and improve NIST CSF to better assist a wider variety of organizations. This process started by issuing a public Request for Information (RFI) which seeks input from various organizations and security personnel regarding the use of NIST CSF and recommendations for its improvement. In addition to analyzing RFI comments, NIST has hosted workshops to discuss points of interest and development opportunities for NIST CSF. These efforts have aided in creating NIST CSF 2.0’s concept paper, released in January of 2023.

The concept paper invited collaborators and organizations to provide input and advice regarding various subjects, and NIST is expected to incorporate such responses in the upcoming months. A draft document of CSF 2.0 is expected to be released in the Summer of 2023, before the finalized publication slated for Winter 2024.

NIST CSF 2.0 Development Timeline

Key Changes

The most significant change to NIST CSF aims to recognize the framework’s broad use and potential applications for a wider scope of organizations. CSF 2.0 will be renamed “Cybersecurity Framework” instead of the original “Framework for Improving Critical Infrastructure Cybersecurity” and will be adjusted to cover organizations across government, industry, and academia regardless of sector, type, or size. This will be done by broadening Functions and Categories specific to critical infrastructure (such as the Identify Function and Business Environment, Risk Strategy, and Access Control Categories) so they remain applicable to other types of organizations without sacrificing relevance to the original industry.

Expansion of Functions

NIST CSF 2.0 will expand considerations for multiple Functions to provide more guidance on identity management, incident response, and recovery activities.

Incident response and recovery capabilities are expected to be expanded on in CSF 2.0, along with a push to align such efforts with the Computer Security Incident Handling Guide and Guide for Cybersecurity Event Recovery. Additionally, updates to CSF’s identity management and access control category (PR.AC) will be explored, potentially reordering Subcategories to reflect the digital identity lifecycle more clearly.

NIST CSF 2.0 will also feature a new “Govern” Function to determine organizations’ priorities and risk tolerances, assess cybersecurity risks, establish cybersecurity policies and procedures, and understand cybersecurity roles and responsibilities. The current Subcategories of NIST CSF covering governance activities will move into the new Govern Function, and related topics will be expanded to support government activities.

Importance of Supply Chain Risk Management

As supply chain cybersecurity risks become top risks to organizations, NIST CSF 2.0 will also aim to develop additional guidance for increasing trust and assurance in technology products and services. The following options are currently under discussion to determine the most effective approach for addressing cybersecurity supply chain risk management:

  • Integrating supply chain risk management outcomes throughout the CSF Core Functions.
  • Creation of a new Function focused on results related to supply chain risk management.
  • Expanding security risk management outcomes within the current ID.SC Category in the Identify Function.

NIST is actively collecting feedback on how best to incorporate supply chain risk management guidance.

Additional Reference Material

While other widely used cybersecurity- and privacy-related frameworks have relationships with NIST CSF, they will remain separate documents due to their specific and trustworthy guidance. However, NIST CSF 2.0 will account for these relationships with other frameworks and be referenced and used as guidance or companion materials. NIST CSF 2.0 Categories and Subcategories will be amended to incorporate guidance from such frameworks, including how they can be used when implementing CSF.

Such frameworks in consideration include the following:

  • Risk Management Framework
  • Privacy Framework
  • National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity
  • Secure Software Development Framework

NIST has also launched the NIST Cybersecurity and Privacy Reference Tool (CPRT) to provide reference data from NIST cybersecurity and privacy standards, guidelines, and frameworks. The CPRT will provide online, updatable references for NIST CSF 2.0 that will be adjusted as documents are updated.

NIST CSF 2.0 Next Steps

As the framework undergoes its most extensive refresh to date, properly preparing and validating such changes is crucial to maintaining acceptable compliance and maturity statuses. Tevora assists organizations of all sizes and industries currently using NIST CSF internally or seeking to implement the framework by assessing policies, procedures, tools, environments, and more to develop tailored security initiatives and consistently improve security postures. For questions regarding how Tevora’s services and team of specialists can assist in preparing for the upcoming NIST CSF changes, call 833.292.1609 or e-mail sales@tevora.com.

Comments on CSF 2.0’s concept paper have been collected and are currently being analyzed by NIST for how best to proceed with CSF 2.0’s development. Multiple calls to action have been issued, inviting collaborators to provide further insights for NIST to consider before releasing the draft document in the Summer of 2023.

Once the draft document is released to the public, NIST will host a final workshop and a final round of comments before the finalized version of NIST CSF 2.0 is published.
