NIST Cybersecurity Framework 2.0 Reveals Major Shifts In Federal Guidance – Security | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

To print this article, all you need is to be registered or login on

On February 26, 2024, the National Institute of Standards and
Technology (NIST) released the Cybersecurity Framework version 2.0 (CSF 2.0).
CSF 2.0 is a generational update to NIST’s foundational
cybersecurity guidance, which was last updated in April 2018 (version 1.1) (CSF 1.1). Risk governance and
supply chain risk management comprise the most significant changes
from CSF 1.1 to 2.0. In this blog post, we look at what the CSF 2.0
means for organizations, and what executives and cybersecurity
professionals should be thinking about as they integrate this new
guidance into existing cybersecurity risk management programs. We
note that NIST is also seeking public comments on a guide for
developing Community Profiles by May 3, 2024.

What is the CSF?

CSF 2.0 is the culmination of years of collaborative work between NIST, the
private sector, and other government agencies around the world.
Like its predecessor, CSF 2.0 is intended to provide risk-based,
flexible guidance for organizations to manage cybersecurity risks.
It outlines a set of cybersecurity activities, outcomes, and
informative references that are common across organizations.
Although not intended by NIST to be a maturity model, many
organizations use the CSF to measure their security programs and
gauge their progress in implementing cybersecurity risk management

The CSF 2.0 has multiple components: a “Framework
Core,” “Implementation Tiers,” and “Framework
Profiles,” along with guidance on mapping the CSF 2.0 to other
resources, and a discussion of how to use the CSF to communicate
internally and externally to an organization, its suppliers, and
partners about risk management. The Framework Core (see graphic
below) describes a set of cybersecurity outcomes, organized by
Function, Category, and Subcategory.


What has changed between CSF 1.1 and CSF 2.0?

The biggest structural change made from CSF 1.1 to CSF 2.0 is
the addition of a new Function: Govern. CSF 2.0 also reorganizes,
adds, and/or edits several Categories and Subcategories. The new
Govern Function contains the most significant additions and
reorganizations in a new Category focused on cybersecurity supply
chain risk management (C-SCRM). This new material reflects evolving
expectations about third-party and supply chain risk management,
adding outcomes for due diligence, assessment of business partners
for criticality, and lifecycle management. CSF 2.0 also adds new
outcomes on protecting against unauthorized software and
integrating secure software development practices.

NIST has also developed new and updated explanatory materials to
accompany the CSF 2.0, including Profile templates, “quick
start guides” for creating different types of Profiles, and
explanatory material around Tiers and using CSF 2.0 for C-SCRM and
Enterprise Risk Management. NIST is also seeking public comments on a guide for
developing Community Profiles (i.e., mapping the CSF 2.0 to an
industry sector, organization type, or other profile intended to be
used by various organizations such as sector agencies, industries,
or trade associations to address sector specific risks). NIST has
also built new functionality into the online resource
Informative References and has added Implementation Examples that are intended to
provide illustrations and explanations of how an organization might
implement the Subcategories.

What Should Organizations Be Doing Now with CSF 2.0?

Many organizations use the CSF as a baseline for their
cybersecurity risk management programs. Now is the time to update
risk management frameworks and internal programs to match the new
content and organization of CSF 2.0. Organizations should examine
the CSF 2.0 and incorporate new and amended material to the extent
it is relevant to that organization. The CSF 2.0 reflects evolving
expectations around governance, supply chain risk management, and
secure software development—these should be focus areas for
updating the scope and content of existing risk management
programs. Organizations should also consider how the CSF 2.0
guidance interacts with new federal requirements, such as cyber governance disclosures and incident reporting
for Securities and Exchange Commission filers, cyber incident reporting for critical
infrastructure (pending a rulemaking from the Department of
Homeland Security’s Cybersecurity and Infrastructure Agency),
and evolving federal guidance on supply chain risk management and secure
software development.

Will the CSF 2.0 Be the Baseline for Future Cybersecurity

There is increasing interest from the U.S. government in
establishing mandatory cybersecurity baselines for regulated
companies. The National Cybersecurity Strategy Implementation Plan tasks NIST with helping
agencies align regulations with the CSF and other international
standards. The Federal Communications Commission (FCC), for
example, has begun to require recipients of certain FCC program
funding to submit and certify cybersecurity risk management plans
that are based on the CSF.

Regardless of industry sector, companies should review the CSF
2.0, incorporate the changes into their cybersecurity risk
management activities, and consider how they might need to adapt or
expand those activities if required by a regulator to demonstrate
adoption of the CSF 2.0. Building an individual or Community
Profile using NIST’s guidance is one way to examine how CSF 2.0
outcomes would be applied and prioritized for a particular company,
industry, or sector. There is a fundamental tension between
NIST’s flexible, intentionally non-regulatory approach to the
CSF and establishing it as a regulatory baseline. Companies should
be prepared to advocate to sector regulators how to retain the
benefits of the CSF’s flexible and risk-based approach that
allows outcomes to be tailored for a company’s unique threat
picture, operations, and capabilities.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Technology from United States

Ankura CTIX FLASH Update – February 16, 2024

Ankura Consulting Group LLC

A new trojan for iOS and Android has been discovered that uses its capabilities to scan the victim’s face for apparent use in future deepfakes. The trojan, named “GoldPickaxe”…

AI & Patents: USPTO Issues Guidance

Buchanan Ingersoll & Rooney PC

As Artificial Intelligence (AI) continues to develop, it is increasingly being used to aid in developing new products and processes.


Click Here For The Original Source.

National Cyber Security