NIST CSF: A “Fellowship” for Your Cybersecurity Journey to 2.0  | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

By Samuel Lewis, Senior Security Consultant  

The National Institute of Standards and Technology (NIST) released version 2.0 of the Cybersecurity Framework (CSF) on February 26, 2024. The original version was released in 2014, one year after Executive Order 13636 was signed on February 12, 2013. This executive order was written to improve critical infrastructure cybersecurity, streamline the sharing of threat information, and to drive action towards developing a cybersecurity framework. The original framework was established with five key functions: Identify, Protect, Detect, Respond, and Recover. Four years later, in April of 2018, CSF was updated to version 1.1. Since the release of CSF 2.0, there has been heightened interest in learning about the major differences introduced in this latest version. This blog explores three of the more significant changes.   

The Govern Function  

The introduction of the Govern Function or Golden Ring, if you will, is perhaps the most noticeable change. NIST has not formally stated this, but it could easily be described with this inscription, “One Ring to rule them all, One Ring to find them, One Ring to bring them all, and in the darkness bind them.* No, sorry. That is a story about an altogether different journey…let’s look at CSF 2.0.

This golden ring, more accurately called the Govern Function, is much less threatening than the ring that tempted characters in the Lord of the Rings…but in its own way, this new function is just as far-reaching. What NIST has officially stated about the Govern Function is that it should be used to achieve and prioritize the outcomes of the original five CSF functions. These functions remain a fundamental element from the original framework with a few minor changes to both the categories and subcategories. The Govern Function expounds upon some of the original concepts introduced in the earlier versions of CSF and elevates cybersecurity risk to a board-level concern, emphasizing that it is to be considered an enterprise risk that senior leadership must account for, much like finances and reputation.

Increased Scope 

The original scope and purpose of the CSF was to improve critical infrastructure cybersecurity while maintaining “a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” With the release of CSF 2.0, NIST has expanded its reach by stating that the guidance on managing cybersecurity risks now expands to include industry, government agencies and other organizations of all sizes, sectors, and maturity levels. This increased scope takes the framework from its original intent of protecting the nation’s critical infrastructure…to reaching far beyond Bilbo Baggins’ Shire and opening the doors for its use across all kinds of applications. NIST CSF 2.0 aims to safeguard not just critical infrastructure but to help organizations of all sizes effectively minimize risks, from the largest enterprises to corner bakeries and the “Mom and Pop” bicycle shops. All organizations can benefit from its guidance.

Reference Tool 

One of the more helpful additions to CSF 2.0 is the implementation of the NIST Cybersecurity Framework (CSF) 2.0 Reference Tool. Just as a map guided travelers through Middle-earth, the CSF 2.0 Reference Tool can assist organizations on their cybersecurity quest. Unlike a compass app, it goes beyond basic direction, offering a comprehensive guide for navigating the ever-evolving cybersecurity landscape.

NIST has never said a control must be met in a specific way, instead it provides online resources with several ways to achieve the goals. This reference tool provides examples of what fully implemented cybersecurity frameworks look like, helping remove some of the uncertainty organizations may feel. Each of the 106 subcategories of CSF 2.0 comes with one to ten implementation examples that explain the control’s purpose and provides an example of how to achieve it. These resources and examples are helpful to every professional looking to strengthen their cybersecurity posture, allowing them to discover what works best for their company.

Much like Frodo’s trek, the journey to a secure future requires strategic use of available tools. The three changes highlighted above are not the only changes that NIST rolled out with CSF 2.0, these are just some major milestones on a larger journey. There were also important additions regarding supply chain risk management within the Govern Function; the expectation that CSF 2.0, like previous versions, will be utilized globally; and the additional inclusion of informative references which map CSF 2.0 controls to CSF 1.1, Center for Internet Security (CIS) Controls v8, and multiple NIST Special publications. The three additions we focused on in this blog are just highlights, and none of the changes should be overlooked as they are all valuable keys to the creation of a stronger and more robust cybersecurity environment.

*From J.R.R. Tolkien’s book, The Fellowship of the Ring  

If you want to know more about NIST CSF 2.0 or if you have other cybersecurity questions, our experts are ready to assist.

About the Author 

Sam Lewis is a Senior Security Consultant at CISO Global with a long history of keeping things secure. While serving as a U.S. Marine, and later in the Army National Guard, Sam gained experience in electronic warfare/military intelligence systems integration, maintenance, and systems administration on multiple systems. But his interest in cybersecurity sparked in 2008, when learning about encryption standards while working with NORAD, as part of the Joint Air Defense Operations Center. Sam is a Certified Information Systems Security Professional (CISSP) and holds a Master of Science in Cybersecurity from Southern New Hampshire University.

The post NIST CSF: A “Fellowship” for Your Cybersecurity Journey to 2.0  appeared first on CISO Global.

*** This is a Security Bloggers Network syndicated blog from CISO Global authored by CISO Global. Read the original post at:


Click Here For The Original Source.

National Cyber Security