NIST publishes major revision to Cybersecurity Framework (CSF): What organizations need to know
May 31, 2024 · Authored by Mike Cullen, Eric Cortese
What is NIST CSF?
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a risk-based approach to managing cybersecurity risk across an organization. It gives organizations a set of leading-practice outcomes they can use to build a new cybersecurity program or to measure and improve an existing one.
What happened to NIST CSF?
NIST CSF 1.0 was released in 2014 to help critical infrastructure organizations better protect their data and systems from cyber threats. Over the following decade, organizations in all industries and with varied missions and objectives, not just critical infrastructure operators, adopted NIST CSF as the foundation of their cybersecurity programs. As with all of its cybersecurity guidance, NIST reviewed how CSF was being used and solicited public feedback on enhancements. In February 2024, NIST released a new version, NIST CSF 2.0, to address the evolving cybersecurity landscape.
What are the major changes from 1.0 to 2.0?
Added a sixth function (i.e., domain), Govern, to address governance
Cybersecurity is not solely an information technology issue. To that end, NIST CSF 2.0 adds a Govern function alongside the five existing functions (Identify, Protect, Detect, Respond, and Recover), putting a stronger focus on governance and highlighting that cybersecurity is a significant enterprise risk, like financial or reputational risk. Cybersecurity strategy and decision making should be considered alongside the organization's other strategic decisions.
Added more details on cybersecurity supply chain risk management
As more organizations move systems and data to vendor-hosted and cloud platforms, the protections an organization must apply, and where it can apply them, change. NIST CSF 2.0 therefore places new emphasis on cybersecurity supply chain risk management and secure software development. The guidance directs organizations to identify their technology suppliers and other third parties, determine the criticality of and risk posed by each supply chain partner, and select appropriate protections for implementation.
Added, clarified, and reorganized the categories (i.e., groupings of related outcomes) and subcategories (i.e., the individual outcomes or controls)
See below for some key differences between NIST CSF 1.0 and 2.0.
Changes to categories
NIST 2.0 Category | Description | Change |
GV.OC – Organizational Context | The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood. | New Category for NIST 2.0 |
GV.RM – Risk Management Strategy | The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions. | Updated Category, formerly ID.RM |
GV.RR – Roles, Responsibilities, and Authorities | Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated. | New Category for NIST 2.0 |
GV.PO – Policy | Organizational cybersecurity policy is established, communicated, and enforced. | New Category for NIST 2.0 |
GV.OV – Oversight | Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy. | New Category for NIST 2.0 |
GV.SC – Cybersecurity Supply Chain Risk Management | Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders. | New Category for NIST 2.0 |
ID.IM – Improvement | Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions. | New Category for NIST 2.0 |
PR.AA – Identity Management, Authentication, and Access Control | Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access. | Updated Category, formerly PR.AC |
PR.PS – Platform Security | The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability. | New Category for NIST 2.0 |
PR.IR – Technology Infrastructure Resilience | Security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience. | New Category for NIST 2.0 |
RS.MA – Incident Management | Responses to detected cybersecurity incidents are managed. | New Category for NIST 2.0 |
RC.RP – Incident Recovery Plan Execution | Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents. | Updated Category, formerly RC.RP – Recovery Planning |
Changes to subcategories
NIST 2.0 Subcategory | Description | Change |
Organizational Context (GV.OC) | ||
GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered. | New Subcategory for NIST 2.0 |
Risk Management Strategy (GV.RM) | ||
GV.RM-05 | Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties. | New Subcategory for NIST 2.0 |
GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated. | New Subcategory for NIST 2.0 |
GV.RM-07 | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions. | New Subcategory for NIST 2.0 |
Roles, Responsibilities, and Authorities (GV.RR) | ||
GV.RR-01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving. | Updated Subcategory, formerly PR.AT-4 |
Policy (GV.PO) | ||
GV.PO-02 | Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission. | Updated Subcategory, formerly ID.GV-1 |
Oversight (GV.OV) | ||
GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction. | New Subcategory for NIST 2.0 |
GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks. | New Subcategory for NIST 2.0 |
GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed. | New Subcategory for NIST 2.0 |
Cybersecurity Supply Chain Risk Management (GV.SC) | ||
GV.SC-04 | Suppliers are known and prioritized by criticality. | Updated Subcategory, formerly ID.SC-2 |
GV.SC-06 | Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships. | New Subcategory for NIST 2.0 |
GV.SC-09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle. | New Subcategory for NIST 2.0 |
GV.SC-10 | Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement. | New Subcategory for NIST 2.0 |
Asset Management (ID.AM) | ||
ID.AM-07 | Inventories of data and corresponding metadata for designated data types are maintained. | New Subcategory for NIST 2.0 |
ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles. | Updated Subcategory, formerly PR.DS-3 |
Risk Assessment (ID.RA) | ||
ID.RA-07 | Changes and exceptions are managed, assessed for risk impact, recorded, and tracked. | Updated Subcategory, formerly PR.IP-3 |
ID.RA-10 | Critical suppliers are assessed prior to acquisition. | New Subcategory for NIST 2.0 |
Incident Recovery Plan Execution (RC.RP) | ||
RC.RP-02 | Recovery actions are selected, scoped, prioritized, and performed. | New Subcategory for NIST 2.0 |
RC.RP-03 | The integrity of backups and other restoration assets is verified before using them for restoration. | New Subcategory for NIST 2.0 |
RC.RP-04 | Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms. | New Subcategory for NIST 2.0 |
RC.RP-05 | The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed. | New Subcategory for NIST 2.0 |
RC.RP-06 | The end of incident recovery is declared based on criteria, and incident-related documentation is completed. | New Subcategory for NIST 2.0 |
What is the first step to take if my organization doesn’t use NIST CSF?
Organizations can use the NIST CSF Tiers to guide their implementation of cybersecurity risk management practices. The Tiers describe how rigorously an organization governs and manages cybersecurity risk, ranging from Tier 1 (Partial) to Tier 4 (Adaptive). Selecting a current and a target Tier helps set short- and long-term goals for managing cyber risk, so that the NIST CSF outcomes can be implemented over time as resources allow. Using the Tiers also lets the organization demonstrate continuous improvement within its cybersecurity control environment, which is immensely helpful when reporting to organization leadership and governance boards.
What steps should my organization take if we already use NIST CSF 1.0?
Organizations should perform a gap assessment between their current CSF 1.0 implementation and CSF 2.0, paying particular attention to the new Govern function and the new or relocated subcategories listed above. They should then establish a routine for re-examining the cybersecurity control environment (e.g., semi-annual self-assessments, periodic tabletop exercises, independent third-party audits) to continue raising the maturity of their cybersecurity risk management practices.