NIST Publishes NIST Cybersecurity Framework 2.0

NIST Cybersecurity Framework 2.0 Officially Released

NIST releases Cybersecurity Framework 2.0, the first major update since the creation of the CSF a decade ago.

NIST on Monday announced the official release of version 2.0 of its Cybersecurity Framework (CSF), the first major update since its creation a decade ago.

The cybersecurity framework was originally aimed at critical infrastructure organizations, but it has been widely used and widely recommended and NIST highlighted that CSF 2.0 is designed to help all organizations reduce risks, regardless of sector, size, or level of security sophistication.

Based on the feedback it received on the draft of the Cybersecurity Framework 2.0, NIST expanded the core guidance and created additional resources to help organizations use the CSF to its full potential.

The CSF 2.0 supports implementation of the National Cybersecurity Strategy and it’s organized around six key areas: identify, protect, detect, respond, recover and govern. The govern function was introduced with this major update of the CSF.

“The addition of the Govern function provides a vital and previously missing piece to the NIST Cybersecurity Framework, important to critical elements such as risk management,” Robert Booker, chief strategy officer at HITRUST, a contributor to the development of CSF 2.0, said via email.

Users are provided implementation examples and quick-start guides that are tailored to their specific needs.

The CSF 2.0 also offers a searchable catalog of references that enables organizations to map guidance to over 50 other relevant cybersecurity documents.

The first major version of NIST’s cybersecurity framework is available in over a dozen languages and volunteers from around the world will likely translate CSF 2.0 as well.

“The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats,” said NIST Director Laurie E. Locascio. “CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.”

Katherine Ledesma, head of public policy & government affairs at industrial cybersecurity firm Dragos, has made some interesting comments on the implications and benefits for organizations with industrial control systems (ICS) and operational technology (OT) systems.

“Similar to the National Cybersecurity Strategy released last year, the CSF 2.0 continues to move the conversation from cybersecurity investment as a cost center to cybersecurity investment as a way not only to protect but also support business operations, particularly when it comes to ICS and OT cybersecurity. This is important to manufacturing facilities that need to maintain safe, continuous operation, as well as for electric or water utilities that need to provide reliable, essential services to communities,” Ledesma told SecurityWeek.

“Although the CSF 2.0 identified that functions, categories, and subcategories are intended to be broad enough to apply to both IT and OT environments, as the dialogue around the CSF and related guidance continues, we will see specific attention paid to the distinct approaches needed to protect ICS/OT, given the unique purposes of and risks to those types of systems. This includes continuing to update documents such as the Guide to OT Security, and also incorporation of these concepts into broader planning and guidance documents,” Ledesma added.

What is the scope of the CSF 2.0?

NIST outlined that the CSF 2.0 supports the implementation of the National Cybersecurity Strategy, and consequently has expanded the scope beyond critical infrastructure to include all organizations, including industry, government, academia, and non-profit organizations. However, the CSF 2.0 recognizes that each organization has common and unique risks, as well as varying risk appetites and tolerances. Specifically, the CSF 2.0 should be used to address cybersecurity risks alongside others, such as financial, privacy, technological, and physical risks.

What are the objectives of the CSF 2.0?

The CSF 2.0 clarifies that it describes desired outcomes intended to be understood by a broad audience, mapping outcomes directly to a list of potential security controls for immediate consideration. The CSF 2.0 details that a series of Quick Start Guides (QSGs) are available for the application of the CSF 2.0.

The CSF Core functions as a taxonomy of high-level cybersecurity outcomes that can help any organization manage its cybersecurity risks, with related categories and subcategories for each outcome. CSF Organizational Profiles serve to describe an organization’s current and/or target cybersecurity posture, while the CSF Tiers can be applied to characterize the rigor of an organization’s cybersecurity risk governance and management practices.

What is the new content of the CSF 2.0?

The CSF 2.0 provides that it now contains information on governance and supply chains, with consideration also given to the implementation of the CSF by small organizations as well as large organizations. Implementation examples and information references are noted by the CSF 2.0 to be provided by NIST.


Click here for the full NIST press release.

Click here for the NIST Cybersecurity Framework 2.0.

Click  here for the NIST Cybersecurity Framework 2.0 Reference Tool.