NIST 2.0 Framework
NIST, the National Institute of Standards and Technology of the U.S. Department of Commerce, recently published a public draft of the new NIST Cybersecurity Framework (NIST CSF or NIST Framework) - version 2.0.
The Framework helps organizations better understand, manage, and reduce their cybersecurity risk and protect their networks and data.
The original NIST Framework (as well as the updated NIST 2.0 Framework) is voluntary and gives businesses an outline of the best practices for cybersecurity. The NIST Framework has been used widely to reduce cybersecurity risks since its initial publication in 2014, and many organizations use the NIST CSF as an effective framework for addressing cybersecurity risks.
Contents
- NIST vs NIST 2.0: Main differences
- The new "Govern" function
- The structure of NIST 2.0
- NIST 2.0 increases clarity and guidance on implementation
- NIST 2.0 categories
- NIST 2.0 Framework Profile
- How does NIST CSF 2.0 relate to other Frameworks and resources?
- How to use the NIST 2.0 Framework
NIST vs NIST 2.0: Main differences
The main differences between the NIST Framework and NIST 2.0:
- The title is shortened to "Cybersecurity Framework" from the original "Framework for Improving Critical Infrastructure Cybersecurity" to reflect broader usage.
- The scope of the Framework has been updated to reflect use by all organizations. The original emphasis was on critical infrastructure; now the narrative and the Core have been modified to focus on all organizations, and the guidance is extended to organizations of all sizes, sectors, and levels.
- The original emphasis on securing U.S. critical infrastructure has been modified to focus on organizations all around the world, reflecting the broad and international use of the Framework.
The new "Govern" function
In the new NIST 2.0, the number of functions grew from five to six, and a new "Govern" function was added.
The "Govern" function is at the foundation of all the other five functions, emphasizing that cybersecurity is not a standalone concern but an integral part of enterprise risk management.
"Govern" covers:
- organizational context,
- risk management strategy,
- cybersecurity supply chain risk management,
- roles, responsibilities, and authorities,
- policies, processes, and procedures,
- oversight.
The 2.0 Framework also offers new guidance on integrating the Framework with the NIST Privacy Framework and enterprise risk management as discussed in NIST IR 8286.
The focus on people, processes, and technology is expanded throughout the implementation of the Framework.
The structure of NIST 2.0
The "Outcomes" section (previously under "Identify") is moved to "Govern" and includes several new categories. It elevates the importance of governance, aligning cybersecurity with overall enterprise risk.
The Framework Core now has 22 categories, one fewer than the previous 23, and 106 subcategories, down from the previous 108.
The five original functions (Identify, Protect, Detect, Respond, and Recover) were revised to enhance clarity and relevance, and governance-related components were moved to the new "Govern" function. In addition, key goals for each function are now outlined.
The restructuring aims to facilitate a more coherent and interconnected approach to cybersecurity, acknowledging that these functions are not linear steps but rather interdependent components of a comprehensive cybersecurity strategy.
NIST 2.0 increases clarity and guidance on implementation
The key implementation-related changes include:
- The section "Implementation Examples" was added to provide examples of action-oriented processes.
- The "Framework Profiles" guidance was revised significantly and expanded to explain how to use "Profiles" and to illustrate their purposes.
- The "Notional Templates" were developed so organizations can use or adapt them for creating their "Profiles" and action plans.
Examples and step-by-step instructions
NIST CSF 2.0 provides in-depth examples of "Profiles" and detailed steps for their creation and use, helping organizations use the Framework effectively to address their unique cybersecurity needs and objectives.
Profile templates
Appendix A offers a "Profile Template" to help organizations create "Profiles" that will help them achieve the outcomes detailed in the "Core". A list of additional elements that can be incorporated into an organization's profile enhances its utility.
Information on cybersecurity assessment was updated with new pointers to NIST SP 800-55. Tiers were clarified to focus on cybersecurity governance, risk management, and third-party considerations. The importance of continuous improvement is emphasized through a new "Improvement" category in the "Identify" function as well as improvements in guidance on developing and updating "Profiles" and action plans.
NIST 2.0 categories
The "Govern" function is now the largest function, and its categories are:
- Organizational Context
- Risk Management Strategy
- Cybersecurity Supply Chain Risk Management
- Roles, Responsibilities & Authorities
- Policies, Processes & Procedures
- Oversight
Many of the categories were renamed or moved to a different function. Here's an overview of the key changes:
- Business Environment, Governance, Risk Management Strategy, and Supply Chain Risk Management have moved to the Govern function; Business Environment was also renamed Organizational Context.
- Identity Management & Access Control is now Identity Management, Authentication & Access Control.
- Information Protection Processes & Protocol is now split across three functions: Govern, Identify, and Protect. Maintenance has moved into Identify and been renamed Asset Management.
- Detection Processes, previously in Detect, is now shared between three functions: Govern (as Roles, Responsibilities & Authorities), Identify (as Improvement), and Detect (as Adverse Event Analysis).
- Response Planning is now Incident Management.
- The Improvements categories from Respond and Recover have been merged into one category and moved to Identify.
NIST 2.0 Framework Profile
The Framework’s mechanism for describing an organization’s current or target cybersecurity posture in terms of the Core’s outcomes is called a "Framework Profile (Profile)".
There are two types of Profiles:
- A "Current Profile" covers the Core outcomes that an organization aims to achieve and characterizes how or to what extent each outcome is being achieved.
- A "Target Profile" covers the desired outcomes that an organization has selected and prioritized from the Core to achieve its cybersecurity risk management objectives. A Target Profile takes into account anticipated changes to the organization's cybersecurity posture, such as new requirements, new technology adoption, and cybersecurity threat intelligence trends.
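As an added illustration (not part of the original article or of NIST's own material), the Python below compares a Current Profile against a Target Profile for the six Govern categories named above and orders the shortfalls into an action-plan list; the outcome identifiers, the 0-4 achievement scale and the priority values are constructed for the example and are not the official CSF 2.0 subcategory IDs or Tiers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Outcome:
    ident: str      # constructed identifier (not an official CSF 2.0 ID)
    function: str   # CSF function the outcome belongs to
    category: str   # CSF category name as used in the framework

# One constructed outcome per Govern category named in the draft.
OUTCOMES = [
    Outcome("GV-OC-1", "Govern", "Organizational Context"),
    Outcome("GV-RM-1", "Govern", "Risk Management Strategy"),
    Outcome("GV-SC-1", "Govern", "Cybersecurity Supply Chain Risk Management"),
    Outcome("GV-RR-1", "Govern", "Roles, Responsibilities & Authorities"),
    Outcome("GV-PO-1", "Govern", "Policies, Processes & Procedures"),
    Outcome("GV-OV-1", "Govern", "Oversight"),
]

# Current Profile (constructed): how far each outcome is achieved today on a
# 0..4 scale (0 = not started, 4 = achieved and measured). This is a
# per-outcome achievement level, not a Framework Tier.
CURRENT = {"GV-OC-1": 3, "GV-RM-1": 2, "GV-SC-1": 1,
           "GV-RR-1": 3, "GV-PO-1": 2, "GV-OV-1": 0}

# Target Profile (constructed): selected outcomes with the desired level and
# an organizational priority (1 = highest).
TARGET = {"GV-OC-1": (3, 3), "GV-RM-1": (4, 2), "GV-SC-1": (4, 1),
          "GV-RR-1": (3, 3), "GV-PO-1": (3, 2), "GV-OV-1": (2, 1)}

def gap_analysis(current, target, outcomes):
    """Return (ident, category, current, target, gap) for every targeted
    outcome that falls short, ordered by priority and then by largest gap.
    An outcome missing from the Current Profile is treated as level 0."""
    by_id = {o.ident: o for o in outcomes}
    rows = []
    for ident, (want, prio) in target.items():
        have = current.get(ident, 0)
        if have < want:
            rows.append((prio, want - have, ident, by_id[ident].category, have, want))
    rows.sort(key=lambda r: (r[0], -r[1]))
    return [(i, c, h, w, w - h) for _, _, i, c, h, w in rows]

def action_plan(current, target, outcomes):
    """Render the gap list as one line per outcome for a Profile action plan."""
    return ["%s %-45s %d -> %d (gap %d)" % row
            for row in gap_analysis(current, target, outcomes)]

if __name__ == "__main__":
    print("\n".join(action_plan(CURRENT, TARGET, OUTCOMES)))
```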
How does NIST CSF 2.0 relate to other Frameworks and resources?
NIST reviewed updates to resources published in recent years to identify changes to the narrative and Core of the Framework. This review includes new references to the NIST Privacy Framework, NICE Workforce Framework for Cybersecurity (SP 800-181), Secure Software Development Framework (SP 800-218), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161r1), Performance Measurement Guide for Information Security (SP 800-55), Integrating Cybersecurity and Enterprise Risk Management (NIST IR 8286) series, and the Artificial Intelligence Risk Management Framework (AI 100-1).
In the future, NIST will release an online tool on the NIST CSF website to host the NIST CSF 2.0 Core, with human- and machine-readable formats. This new tool will allow organizations to see the relationships between the Core and updatable Informative References.
How to use the NIST 2.0 Framework
The Framework can be used in many ways. Its use varies based on an organization’s unique mission and risks. Organizations can:
- Create and use "Framework Profiles" to understand, assess, and communicate the organization's current or target cybersecurity posture in terms of the Framework Core's cybersecurity outcomes, and prioritize outcomes for achieving the target cybersecurity posture. (Section 3.1)
- Assess the organization's achievement of cybersecurity outcomes. (Section 3.2)
- Characterize cybersecurity risk management outcomes with Framework Tiers. (Section 3.3)
- Improve cybersecurity communication with internal and external stakeholders. (Section 3.4)
- Manage cybersecurity risk throughout supply chains. (Section 3.5)
The Framework helps facilitate communications about cybersecurity with external parties, including an organization’s supply chain. An organization can use the Framework to:
- Express its cybersecurity risk management requirements to an external service provider (e.g. a service provider with which it is exchanging data) through a "Target Profile".
- Report on the status of cybersecurity requirements (e.g. to a government regulator), which makes it easier to review requirements as part of a broader risk management strategy.
- Better understand its cybersecurity posture in light of systemic risks.
- Identify cybersecurity priorities for a sector.
- Determine the extent to which risk management processes, integration, and information sharing fulfill stakeholders' expectations.
- Share high-level information on cybersecurity practices with prospective customers, business partners, and others who may need to understand the organization's cybersecurity posture before engaging with the organization.
- Define shared responsibility models with cloud service providers.
The Framework can be used to foster an organization’s oversight and communications related to cybersecurity risks with stakeholders across supply chains.
Discover, address, and reduce your SSH-related cybersecurity risks with SSH Risk Assessment
SSH Risk Assessment is a professional, expert service offered by SSH Communications Security. The goal is to determine what security risks and vulnerabilities exist due to SSH keys in your IT environment and how you can meet your specific compliance requirements.
After scanning your environment, our experts analyze the results and provide you with a detailed custom report that:
- Discovers SSH keys in your network.
- Identifies privileged access management (PAM) bypass.
- Identifies vulnerable SSH keys that violate policies and regulations.
- Collects relevant information to help you gain SSH compliance and pass your IT audits.
- Provides custom recommendations.