A Security Leader’s Guide to the NIST Cybersecurity Framework (CSF) 2.0

Introduction

It’s not surprising that every blog or whitepaper you read today about cybersecurity revolves around ransomware. It’s tiresome (we know!), but it has become the biggest threat to organizations of all sizes and targets our most critical infrastructures like healthcare. It’s a game of cat and mouse, and as new threats emerge, security teams have to adapt to keep up.

The role of Security Information and Event Management (SIEM) systems and Security Operations Center (SOC) teams has had to change in response to the current threat landscape. While SIEM and SOC teams were initially focused on detecting and responding to traditional security threats like open ports and Common Vulnerabilities and Exposures (CVEs), the rise of new threats like ransomware and ransomware-as-a-service has required a shift in approach.

Ransomware attacks have become increasingly sophisticated and often leverage social engineering tactics, phishing, and AI to exploit zero-day vulnerabilities. These attacks bypass traditional security controls and quickly encrypt critical data, which can cause significant business disruption and financial losses. Relying on SIEM alone isn’t enough!

Considering this evolution in today’s threat landscape, security frameworks have also had to evolve to keep up with new and emerging threats. Newer frameworks incorporate methodologies like Zero Trust, which takes security best practices beyond adopting least-privilege access and extends it to the application, network and its data as well.

One framework that has been foundational for security leaders is the NIST Cybersecurity Framework (CSF). This framework was originally developed in response to a presidential executive order in the U.S. in 2013 that called for the development of a voluntary risk-based cybersecurity framework that would provide a prioritized, flexible, and cost-effective approach to managing cybersecurity risk for critical infrastructure organizations.

The latest update to the NIST CSF 2.0 marks a significant evolution in the standardized approach to cybersecurity by reflecting these shifting paradigms in a world where digital threats are increasingly complex and pervasive.

This update is significant since it not only encapsulates the latest best practices and security principles that help counteract emergent cyberthreats, but also offers a forward-thinking and adaptable blueprint for organizations to safeguard their digital ecosystems. NIST CSF 2.0 recognizes the intricate interplay between cybersecurity, privacy, and business operations and aims to enhance organizational resilience across all sectors.

By integrating new insights and technology trends like cloud computing, AI, and the Internet of Things (IoT), this framework ensures your relevance in the face of rapid digital transformation. It also underscores the criticality of securing your supply chain and the importance of having a collaborative security posture that extends beyond individual organizational boundaries. In doing so, NIST CSF 2.0 is not just a tool for maintaining you cyber hygiene but a strategic asset that enables organizations like yours to navigate the complexities of today’s cyber terrain. This means it can help foster a proactive culture of comprehensive risk management and continuous improvement in the industry as a whole.

NIST CSF 2.0

Version 2.0 of the CSF released in February 2024 builds upon previous versions and introduces some key enhancements and additions. The core of this CSF is organized around six main functions that represent the key pillars in the lifecycle of an organization’s cybersecurity risk management. These functions are as follows:

• Identify: Develop an organizational understanding of managing cybersecurity risk of systems, people, assets, data, and capabilities. This includes identifying critical business processes and key assets, including their vulnerabilities and threats.
• Protect: Implement appropriate safeguards to ensure critical service delivery and limit or contain the impact of potential cybersecurity incidents. This covers areas like identity management, access control, data security, and protective technology.
• Detect: Implement measures to identify the occurrence of cybersecurity incidents in a timely manner. Continuous monitoring and threat detection are key capabilities with this function.
• Respond: Take action when facing a detected cybersecurity incident. This includes incident response planning, analysis, mitigation, and communication.
• Recover: Maintain plans for resilience and restore capabilities or services that were impaired due to a cybersecurity incident. Timely recovery to normal operations is the goal.
• Govern (new!): This new function in CSF 2.0 focuses on the overall management and governance of cybersecurity risk. Here, organizations establish their cybersecurity risk management strategy, policies, and oversight, including defining roles and responsibilities and integrating cybersecurity into enterprise risk management.

With these six functions as a foundation, CSF 2.0 provides a robust yet flexible framework to help organizations understand, manage, and communicate their cybersecurity risks and strengthen their defenses. The addition of the “Govern” function reflects the growing importance of cybersecurity governance and tighter integrations with enterprise risk management.

While the five original functions (Identify, Protect, Detect, Respond, and Recover) have been retained, they have undergone updates to reflect the changing cybersecurity threats and practices. Governance-related elements have been moved to the new “Govern” function, and the primary objectives of each function are now clearly defined. This restructuring aims to facilitate a more cohesive and interconnected approach to cybersecurity by recognizing that these functions are interdependent components of a comprehensive cybersecurity strategy, rather than sequential steps.

Key changes include:

1. CSF 2.0 extends its applicability beyond critical infrastructure sectors. The revised framework is designed to benefit all organizations, regardless of size or industry, thus making the guidelines more universally relevant.
2. The addition of the “Govern” function is a significant enhancement in CSF 2.0. This function elevates the core objectives of accountability and transparency while also serving as a unifying force that helps organizations prioritize and achieve the goals outlined in the other five. It emphasizes integrating cybersecurity into overall enterprise risk management rather than treating it as a standalone concern. The oversight component of the “Govern” function is particularly useful for organizations when complying with regulatory frameworks. Frameworks like SEC regulations stress increased accountability for boards of directors senior management when making decisions related to cybersecurity.
3. CSF 2.0 also places a stronger emphasis on managing cybersecurity risks in the supply chain. New controls have been introduced to integrate supply chain risk management throughout an organization’s cybersecurity program, which highlights the importance of securing the entire ecosystem of partners, vendors, and service providers.

These enhancements in NIST CSF 2.0 provide organizations with a more comprehensive and adaptable framework to use when navigating the complex current cybersecurity landscape. By expanding its scope, introducing the “Govern” function, updating its core functions, and emphasizing supply chain risk management, CSF 2.0 equips organizations with the tools and guidance they need to strengthen their cybersecurity posture and build resilience in the face of evolving threats.

Users of this framework are now also given implementation examples and quick-start guides that are tailored to their specific needs. This includes a searchable catalog of references via the reference tool  that allow organizations to map guidance to over 50 other relevant cybersecurity documents.

Implementing NIST CSF 2.0: Steps for Success

For organizations that already use the NIST Cybersecurity Framework 1.1, transitioning to CSF 2.0 is a natural next step. The updated framework builds upon the foundation of its predecessor while introducing enhancements that reflect the ever-changing cybersecurity landscape.

Here’s a step-by-step guide to help organizations implement CSF 2.0, whether you’re new to the framework or upgrading from a previous version.

Step 1: Understand the Framework

Start by gaining a comprehensive understanding of CSF 2.0, including its core functions: Identify, Protect, Detect, Respond, Recover, and Govern. Pay special attention to the changes and additions in version 2.0, such as the increased focus on cybersecurity governance and supply chain risk management.

Step 2: Conduct a Gap Analysis

Assess your organization’s current cybersecurity practices against CSF 2.0 to identify gaps and areas for improvement. Map your existing controls and processes to the framework’s categories and subcategories. For organizations that already use the NIST CSF 1.1, this is a good opportunity to re-evaluate your cybersecurity posture in light of the new updates.

Step 3: Set Priorities

Prioritize actions and initiatives based on the findings of your gap analysis while considering your organization’s business objectives, risk appetite, threat landscape, and regulatory requirements. Focus on addressing the most critical gaps and aligning your cybersecurity efforts with the new “Govern” function and updated core functions.

Step 4: Create a Target Profile

Develop a target profile that defines the desired state of your organization’s cybersecurity program based on the outcomes outlined in CSF 2.0. This profile should be informed by your organization’s risk assessment, business needs, and priorities identified in the previous step. If you’re transitioning from a previous version of the NIST CSF, your target profile should incorporate the new and updated elements of CSF 2.0.

Step 5: Implement an Action Plan

Develop and execute an action plan to close the gaps between your organization’s current profile and target profile. Ensure that adequate resources including budget, personnel, and technology are allocated to support your implementation. Engage stakeholders across the organization to foster collaboration and buy-in.

Step 6: Continuous Improvement

Recognize that cybersecurity is an ongoing journey rather than a destination. Continuously monitor your organization’s progress against CSF 2.0 and regularly reassess your cybersecurity posture to adapt to an evolving threat landscape. Conduct periodic reviews and update your target profile as needed to ensure alignment with changing business priorities and regulatory requirements.

Step 7: Train and Educate

Invest in training and awareness programs to ensure that all your stakeholders — from senior executives to front-line employees — understand their roles and responsibilities within the CSF 2.0 framework. Communicate your organization’s cybersecurity policies, procedures, and best practices clearly and consistently. If you’re transitioning from a previous version of the NIST CSF, highlight the key changes and new expectations introduced in CSF 2.0.

Step 8: Leverage the CSF 2.0 Reference Tool

Take advantage of the resources provided by NIST like the CSF 2.0 Reference Tool to guide your implementation and ensure your alignment with the framework’s latest updates. Be sure to engage with the NIST cybersecurity community to share experiences, learn from peers, and stay informed about emerging best practices and trends.

Remember that implementing NIST CSF 2.0 is not a one-size-fits-all process. Each organization must tailor its approach to its unique needs, risk profile, and business context. By following these steps and fostering a culture of continuous improvement and collaboration, organizations like yours can leverage CSF 2.0 to strengthen their cybersecurity posture and build resilience in the face of evolving cyberthreats.

Conclusion

NIST CSF 2.0 represents a significant milestone in the evolution of cybersecurity risk management and the fight against evolving threats. By building upon the solid foundation of CSF 1.1 and introducing key enhancements like the “Govern” function and a heightened focus on supply chain risk management, CSF 2.0 provides organizations with a more comprehensive and adaptable framework to help them navigate the ever-changing cybersecurity landscape.

The expanded scope of CSF 2.0 ensures that organizations of all sizes and sectors can benefit from its guidance, thus fostering a more inclusive and collaborative approach to cybersecurity. The updated framework recognizes that effective cybersecurity risk management requires the active involvement and commitment of stakeholders across the organization, ranging from senior executives to front-line employees.

Ultimately, the success of implementing NIST CSF 2.0 relies on building a culture of cybersecurity awareness, collaboration, and accountability. By investing in training and education programs, organizations can empower their workforce to become active participants in the cybersecurity risk management process. Clear communication and consistent reinforcement of cybersecurity policies and best practices are essential in creating a shared sense of responsibility and vigilance.

As we look forward, it is evident that cybersecurity will continue to be a critical priority for organizations worldwide. The increasing sophistication and frequency of cyberthreats coupled with the growing reliance on digital technologies underscore the need for robust and agile cybersecurity frameworks like NIST CSF 2.0. By embracing the updated framework and committing to its ongoing implementation, organizations can strengthen their resilience, protect their assets, and maintain the trust of their stakeholders in the face of evolving cyber risks.

To find our more about Veeam’s approach to radical resilience in a world of cyberthreats, watch our on-demand demo session.