NIST Cybersecurity Framework Version 2.0 Published

09/05/2024

The US National Institute of Standards and Technology (NIST) published Cybersecurity Framework (CSF) 2.0 on 29.02.2024. The CSF provides a way for organizations to better understand, manage and mitigate cybersecurity risks. Version 2.0 is an update of CSF 1.1.

CSF 2.0 Highlights:

  • NIST's cybersecurity framework (CSF) now explicitly aims to help all organizations manage and mitigate risks, no longer limited to organizations in critical infrastructure, which was its original target audience.
  • NIST has updated the CSF's core guidance, with a particular focus on governance and supply chains, and created a set of resources to help all organizations achieve their cybersecurity goals.
  • This update is the result of a lengthy discussion and public comment process aimed at making the framework more effective.
  • In response to numerous comments on the draft version, NIST has expanded the CSF's core guidance and developed related resources to help organizations get the most out of the framework. These resources are designed to provide customized entry paths for different audiences and make the framework easier to implement.

    NIST added Governance as a sixth category to the five categories (Identify, Protect, Detect, Respond, Recover) previously included in version 1.1, covering how an organization can make and implement internal decisions to support its cybersecurity strategy. NIST emphasized that cybersecurity is an important source of risk to organizations and should be considered by top management alongside legal, financial, and other risks.


    The Changes in NIST CSF 2.0

    There are some important differences and additions in the transition from version 1.1 to version 2.0 of the NIST Cybersecurity Framework:

  • New Categories and Subcategories: New categories and subcategories have been added in NIST CSF 2.0. For example, "Supply Chain Risk Management" has been added as a subcategory.
  • Changes Focused on Digital Transformation and IoT: NIST CSF 2.0 focuses on new technologies such as digital transformation and the Internet of Things (IoT). It includes recommendations and security controls to ensure the security of these technologies.
  • Strengthening the Risk-Based Approach: NIST CSF 2.0 focuses on helping companies develop a customized security strategy through a risk-based approach. More emphasis is placed on risk management and risk assessment processes.
  • Increased Measurability and Evaluability: NIST CSF 2.0 places more emphasis on measurability and assessability. There are metrics and measurement tools to help companies measure their security performance and make continuous improvements.

    These differences and additions help companies develop their cybersecurity strategies with an up-to-date and comprehensive approach based on the NIST Cybersecurity Framework.

    NIST CSF 2.0: Impacts on Companies and Implementation Requirements

    These changes to the NIST Cybersecurity Framework may affect companies in different ways depending on their current security practices. The addition of new categories and subcategories may require organizations to re-evaluate their security controls and procedures. The risk management and assessment-oriented approach in NIST CSF 2.0 may force companies to devote more resources to risk management processes. In addition, the focus on digital transformation and IoT may require companies to update their security measures to consider new technologies and potential vulnerabilities.

    Overall, the NIST Cybersecurity Framework 2.0 offers companies a more comprehensive and customizable approach to cybersecurity. However, implementing the new guidelines may require additional investments in training, technology and personnel to respond to the changes.

