What is the NIST CSF 2.0
Changes are coming to the NIST CSF framework in the 2.0 release. The update includes several improvements which enable businesses to build effective controls and ultimately strengthen the foundation of their security program.
What is NIST?
The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce and works to foster industrial and technological advancements. It also sets standards for science and technology. NIST is known for creating a framework of standards, guidelines, and best practices to help businesses and organizations manage their cybersecurity risk.
What is the NIST CSF?
What’s new in CSF 2.0?
The NIST CSF 2.0 draft closed to comments on November 6, 2023. This means it is one step closer to its final form, which will be released in early 2024.
The Govern Function
One of the most notable changes in the CSF 2.0 is the addition of a sixth function, Govern. Its placement in the center of the wheel is important because it is intended to inform how organizations implement the other 5 functions. Governance was previously buried throughout the other functions and now serves as the foundational function to help an organization establish and monitor its cybersecurity risk management strategy, expectations, and policies.
In effect, NIST has elevated the Govern function and expanded on the importance of governance. The message being sent is that cybersecurity is a major source of business risk and should be treated in the same manner as legal, financial, and other risks. This includes processes for establishing, communicating, and evaluating a cyber risk management strategy.
Profiles for Different Use-Cases and Industries
The NIST CSF was originally developed to guide critical infrastructure entities in the U.S. CSF 2.0 now expands the audience to a larger group of sectors, including schools, small businesses, and local governments. Because of this expansion, profiles have been created which tailor the CSF for particular situations. This includes implementation examples for each function’s subcategories to help organizations, especially smaller ones, use the framework effectively.
NIST IR 8183 - Cybersecurity Framework Manufacturing Profile
NIST IR 8183r1 - Cybersecurity Framework Version 1.1 Manufacturing Profile Rev. 1
NIST IR 8310 (Draft) - Cybersecurity Framework Election Infrastructure Profile
NIST IR 8323 Revision 1 - Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of PNT Services
NIST IR 8374 - Ransomware Risk Management: A Cybersecurity Framework Profile
NIST IR 8406 - Cybersecurity Framework Profile for Liquefied Natural Gas
NIST IR 8441 (Draft) - Cybersecurity Framework Profile for Hybrid Satellite Networks (HSN)
NIST IR 8467 (Draft) - Cybersecurity Framework Profile for Genomic Data
NIST IR 8473 - Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure
NIST TN 2051 - Cybersecurity Framework Smart Grid Profile
How to Use the Cybersecurity Framework Profile for Connected Vehicle Environments – U.S. Transportation
Cybersecurity Framework Profile Excel for Connected Vehicle Environments – U.S. Transportation
Cybersecurity Framework Botnet Threat Mitigation Profile - Cybersecurity Coalition
Cybersecurity Framework DDoS Threat Mitigation Profile - Cybersecurity Coalition
The Profile - Cyber Risk Institute
Framework Payroll Profile - IRS Security Summit
Cybersecurity Framework Profile: White House Fact Sheet - Seamless Transition
How Can We Help?
If your organization is interested in building a program which incorporates the NIST CSF, we’re here to support you. You can connect with us at contact@arkangelos.com to schedule a brief chat to understand your vision and goals. We’re excited to hear from you!