In its first major overhaul since 2014, the National Institute of Standards and Technology (NIST) updated its Cybersecurity Framework (CSF) on February 26, 2024. The updated 27-page CSF version 2.0 builds on version 1.1 and provides guidance to industry, government agencies, and other organizations on how to manage cybersecurity risks. While voluntary, the CSF has been a popular compliance resource within the private sector, both domestically and internationally, and has increasingly appeared in state and federal regulations as well as federal grants and grant incentive programs. The revised guidance, therefore, potentially has significant implications for organizations managing cybersecurity risks.
Version 2.0 is the result of a multiyear process reflecting discussion with and input from the public on how the CSF can better advise companies on identifying, preventing, and recovering from cyberattacks. Key developments in CSF 2.0 include:
- Expanded audience. While the prior CSF was primarily aimed at cybersecurity professionals working in organizations providing or supporting critical infrastructure, such as hospitals or power plants, CSF 2.0 is designed for all audiences regardless of sector, organization type, or cybersecurity sophistication. As such, CSF 2.0 comes with a number of implementation examples and quick-start guides to better assist a diverse set of users in implementing NIST’s cybersecurity recommendations.
- Emphasis on governance. CSF 2.0 increases emphasis on governance with a new “Govern” core function, augmenting the existing Identify, Protect, Detect, Respond, and Recover functions. Govern encompasses how organizations make and carry out informed decisions regarding cybersecurity as a component within an organization’s broader enterprise risk management strategy.
- New tools. A suite of tools, intended to assist companies in implementing and customizing the CSF, accompanies the updated framework. For example, a new reference tool allows users to browse, search, and export data and details from the CSF’s core guidance. A new searchable catalog contains informative references that show how an organization’s current actions map onto the CSF, and it allows users to cross-reference the CSF’s guidance against other cybersecurity documents.
Putting It Into Practice: NIST intends to continue to update and enhance this resource to make the CSF as useful as possible to the broadest set of users. This will occur, in significant part, through community feedback, and NIST hopes users will share their experiences and successes with NIST as they customize the CSF to fit their organizations.