27 May 2024

What’s changed in the NIST Cybersecurity framework 2.0, and should you adopt it?

Discover the latest updates to NIST's cybersecurity framework, including the emphasis on senior leadership's role and its broader applicability to organizations beyond critical infrastructure. Learn about the key changes in Cybersecurity Framework (CSF) Version 2.0 and its implications for organizations, along with the benefits of adopting such frameworks for bolstering security.

The National Institute of Standards and Technology (NIST) has updated its Cybersecurity Framework, emphasising the vital role of senior leadership in developing and implementing a robust cybersecurity strategy. With these enhancements, Cybersecurity Framework (CSF) Version 2.0 moves from its original focus on critical infrastructure to encompass a wider range of organisations. NIST released the draft of CSF 2.0 in August 2023 and sought public feedback on it, with a submission deadline of 4 November 2023. The final version of CSF 2.0 was published on 26 February 2024.

This article will discuss the new changes to the framework, what it means for organisations seeking to adopt it, and the benefits of organisations adopting frameworks and standards for strengthening their security posture.

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is a voluntary set of guidelines, standards, and practices designed to help organisations manage and reduce cybersecurity risk. Organisations can use the Framework to conduct a self-assessment of their cybersecurity risk, identify gaps in their cybersecurity practices and devise an action plan with a prioritised list of improvements. In addition to helping organisations manage and reduce risk, it was designed to foster communication about risk and cybersecurity management amongst both internal and external organisational stakeholders.

Originally targeted at critical infrastructure sectors, the NIST Framework has gained a wider appeal over the years, with organisations of various sizes and industries adopting it to improve their security posture. The comprehensive and customisable nature of the framework makes it an invaluable resource for organisations looking to strengthen their cybersecurity practices and minimise risks.

First published in February 2014, the Cybersecurity Framework (CSF) serves as a living document, providing organisations with guidance on understanding, managing, mitigating, and communicating cybersecurity risks. NIST developed the CSF in response to the 2013 Presidential Executive Order (EO) 13636, titled "Improving Critical Infrastructure Cybersecurity." The framework was updated in 2018 with the release of Version 1.1, incorporating extensive input from the private sector, and Version 1.1 remained the current official edition until CSF 2.0. Each revision reflects the continuing evolution of guidance for addressing organisational cybersecurity risk.

New additions to the NIST Framework

The most significant change in the framework is the introduction of a new Govern function. Alongside the document's five existing functions – Identify, Protect, Detect, Respond and Recover – Govern adds an emphasis on the role that organisational leaders play in establishing and monitoring the organisation's cybersecurity risk management strategy, expectations and policy; it is cross-cutting, in that its outcomes inform how the other five functions are carried out. It covers the following categories:

  • Organisational context: the circumstances — mission, stakeholder expectations, and legal, regulatory, and contractual requirements — surrounding the organisation’s cybersecurity risk management decisions are understood.
  • Risk management strategy: the organisation’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.
  • Cybersecurity supply chain risk management: these processes are identified, established, managed, monitored, and improved by organisational stakeholders.
  • Roles, responsibilities, and authorities: cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated.
  • Policies, processes, and procedures: organisational cybersecurity policies, processes, and procedures are established, communicated, and enforced.
  • Oversight: results of organisation-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy.

In addition to emphasising senior leadership's role, the update broadens the framework's scope beyond critical infrastructure entities such as hospitals or banking systems, making it applicable to organisations of any type or size. Reflecting this expanded scope, it has been renamed 'The Cybersecurity Framework', replacing its previous title, 'Framework for Improving Critical Infrastructure Cybersecurity'.

The updates bring the NIST Framework closer to the structure and requirements set out in ISO 27001, particularly in its treatment of leadership, governance and supply chain risk. This will make it easier for organisations that are already ISO 27001 certified to adopt the NIST Framework, and vice versa. Like the change in title, this alignment could be an inducement for a wider range of organisations to adopt CSF 2.0.

Choosing the right framework

If you are considering adopting a standard or framework for cybersecurity, consider first what framework is appropriate and applicable to your organisation. The choice of framework depends on factors such as organisational culture, familiarity with other frameworks or standards, regulatory requirements, and location.

For instance, US federal government agencies are required, under Executive Order 13800 (2017), to use the NIST framework to plan for and mitigate cybersecurity risks. Similarly, the U.S. Department of Defense mandates that contractors handling Covered Defense Information adhere to the security requirements outlined in NIST Special Publication (SP) 800-171 — a collection of security controls complementary to the CSF. Consequently, aligning with NIST publications such as the CSF is increasingly important for companies bidding for contracts with federal government agencies. For this reason, organisations doing business with the US federal government or its contractors may find CSF 2.0 the most appropriate framework.

Across the Atlantic, the NCSC's Cyber Essentials scheme is recommended for organisations of any size seeking to establish a baseline of cyber security controls. All UK businesses bidding for central government contracts which involve handling sensitive and personal information, or the provision of certain technical products and services, must hold Cyber Essentials certification.

Smaller organisations and SMEs in the UK may wish to adopt the IASME Cyber Assurance standard. This standard was developed specifically with SMEs in mind, to offer a scalable approach to achieving cybersecurity maturity. Benefits of the IASME Cyber Assurance standard include:

  • Flexible and achievable cyber certification for small and medium enterprises (SMEs).
  • A pathway to compliance with GDPR and other UK-specific regulations.
  • Assurance of a cost-effective and pragmatic approach to cybersecurity.

Voluntary security frameworks such as NIST's CSF, the IASME Cyber Assurance standard and NCSC's Cyber Essentials allow organisations to conduct a self-assessment, improve their cybersecurity practices and, in some cases, have their improvements independently verified. IASME Cyber Assurance Level 2 includes an audit, while Cyber Essentials Plus requires organisations to undergo a technical assessment to provide evidence of their technical controls. NIST itself operates no official certification scheme for demonstrating conformance with the CSF; instead, organisations rely on third-party assessment, as Microsoft has done in engaging security assessors to attest that Office 365 meets the objectives specified in NIST's CSF.

Is ISO a better choice?

Organisations wishing to receive an ISO 27001 certification must implement an information security management system (ISMS) that meets ISO 27001 standards, which is then independently audited by an accredited third party.

In terms of practical guidance on improving information security and cybersecurity standards, there are many parallels between ISO 27001 and voluntary frameworks such as the NIST CSF, the IASME Cyber Assurance standard, and Cyber Essentials. However, there are a number of reasons why organisations may prefer to demonstrate compliance with ISO 27001:

  • Rigorous assessment by accredited third parties ensures a high standard of information security management.
  • Many organisations have a requirement for providers and partners to be ISO-certified.
  • The international recognition of ISO standards makes them more broadly applicable.

If your organisation already holds ISO 9001 certification, you might find it easier to add ISO 27001, and subsequently ISO 27701 (the privacy extension to ISO 27001) for privacy compliance purposes.

Depending on the time and resources available, some organisations may wish to use a voluntary security framework to improve their baseline security standards, then later opt for an ISO certification. Other organisations already working towards ISO 27001 compliance may find it easier to adopt Cyber Essentials or NIST in the future, should the requirement arise when bidding for government contracts.

Organisations may also choose to implement ISO 27001 without having it independently certified until the need arises. While voluntary frameworks and ISO standards can be used as internal tools to improve information security standards, they are ultimately more valuable to an organisation once they are verified, since the organisation can then use them to publicly demonstrate its information security standards.

Regardless of the chosen framework, the primary benefit of adoption is the establishment of a clear roadmap for methodically implementing security controls and processes that will strengthen your security posture.

Rather than a piecemeal or disjointed approach to implementing new security measures, frameworks equip organisations with clear guidance on how to prioritise cybersecurity improvements, support informed decision-making, and secure backing from organisational leadership. Moreover, by setting out a baseline for where your organisation currently stands, frameworks provide clear, practical steps for improvement, strengthening your organisation's overall security posture over time.

For more information on achieving and maintaining security compliance, and how you can improve your organisation’s security posture and cyber resilience, book a 1-2-1 consultation below.