NIST releases new version nist cybersecurity standards

Article

NIST publishes major revision to Cybersecurity Framework (CSF): What organizations need to know

May 31, 2024 · Authored by Mike Cullen, Eric Cortese

What is NIST CSF?

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a risk-based approach to managing cybersecurity risk across an organization. It provides organizations with leading practice guidelines to implement or enhance an effective cybersecurity program.

What happened to NIST CSF?

NIST CSF 1.0 was released in 2014 to help critical infrastructure organizations better protect their data and systems from cyber threats. Over the last decade, organizations in all industries and with varied missions and objectives, not just critical infrastructure organizations, adopted NIST CSF as the foundation of their cybersecurity programs. As with all NIST guidance on cybersecurity, NIST reviewed the use of CSF and solicited feedback for enhancements from the public. In 2024, NIST released a new version of the NIST cybersecurity standards, NIST CSF 2.0, to address the evolving cybersecurity landscape.

What are the major changes from 1.0 to 2.0?

Added a fifth function (i.e., domain) to address governance

Cybersecurity is not solely an information technology issue. To that extent, NIST CSF 2.0 has put a stronger focus on governance, highlighting that cybersecurity is a significant enterprise risk, like a financial risk or reputational risk. Cybersecurity strategies and decision making should be considered alongside other strategic decisions.

NIST publishes major revision to Cybersecurity Framework (CSF)

Added more details on cybersecurity supply chain risk management

As more organizations move systems and data to vendor hosted and cloud systems, cyber risk management changes what and how protections are applied. With NIST CSF 2.0 there is an emphasis on cybersecurity supply chain risk management and secure software development. The new emphasis guides organizations to identify technology suppliers/third parties, determine the criticality and risk of those supply chain partners, and select appropriate protections for implementation.

Added, clarified, and reorganized the categories (e.g., groupings of protections) and subcategories (e.g., protections or controls)

Mike Cullen

Principal

NIST 2.0 Category	Description	Change
GV.OC – Organizational Context	The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood.	New Category for NIST 2.0
GV.RM – Risk Management Strategy	The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.	Updated Category, formerly ID.RM
GV.RR – Roles, Responsibilities, and Authorities	Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated.	New Category for NIST 2.0
GV.PO – Policy	Organizational cybersecurity policy is established, communicated, and enforced.	New Category for NIST 2.0
GV.OV - Oversight	Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy.	New Category for NIST 2.0
GV.SC – Cybersecurity Supply Chain Risk Management	Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders.	New Category for NIST 2.0
ID.IM – Improvement	Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions.	New Category for NIST 2.0
PR.AA – Identity, Management, Authentication, and Access Control	Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access	Updated Category, formerly PR.AC
PR.PS – Platform Security	The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability.	New Category for NIST 2.0
PR.IR – Technology Infrastructure Resilience	Security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience.	New Category for NIST 2.0
RS.MA – Incident Management	Responses to detected cybersecurity incidents are managed.	New Category for NIST 2.0
RC.RP – Incident Recovery Plan Execution	Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents.	New Category for NIST 2.0

NIST 2.0 Category	Description	Change
Organizational Context (GV.OC)
GV.OC-02	Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered.	New Subcategory for NIST 2.0
Risk Management Strategy (GV.RM)
GV.RM-05	Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties.	New Subcategory for NIST 2.0
GV.RM-06	A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated.	New Subcategory for NIST 2.0
GV.RM-07	Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions.	New Subcategory for NIST 2.0
Roles, Responsibilities, and Authorities (GV.RR)
GV.RR-01	Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving.	Updated Subcategory, formerly PR.AT-4
Policy (GV.PO)
GV.PO-02	Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission.	Updated Subcategory, formerly ID.GV-1
Oversight (GV.OV)
GV.OV-01	Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction.	New Subcategory for NIST 2.0
GV.OV-02	The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks.	New Subcategory for NIST 2.0
GV.OV-03	Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed.	New Subcategory for NIST 2.0
Cybersecurity Supply Chain Risk Management (GV.SC)
GV.SC-04	Suppliers are known and prioritized by criticality.	Updated Subcategory, formerly ID.SC-2
GV.SC-06	Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships	New Subcategory for NIST 2.0
GV.SC-09	Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle.	New Subcategory for NIST 2.0
GV.SC-10	Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement.	New Subcategory for NIST 2.0
Asset Management (ID.AM)
ID.AM-07	Inventories of data and corresponding metadata for designated data types are maintained.	New Subcategory for NIST 2.0
ID.AM-08	Systems, hardware, software, services, and data are managed throughout their life cycles.	Updated Subcategory, formerly PR.DS-3
Risk Assessment (ID.RA)
ID.RA-07	Changes and exceptions are managed, assessed for risk impact, recorded, and tracked.	Updated Subcategory, formerly PR.IP-3
ID.RA-10	Critical suppliers are assessed prior to acquisition.	New Subcategory for NIST 2.0
Incident Recovery Plan Execution (RC.RP)
RC.RP-02	Recovery actions are selected, scoped, prioritized, and performed.	New Subcategory for NIST 2.0
RC.RP-03	The integrity of backups and other restoration assets is verified before using them for restoration.	New Subcategory for NIST 2.0
RC.RP-04	Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms.	New Subcategory for NIST 2.0
RC.RP-05	The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed.	New Subcategory for NIST 2.0
RC.RP-06	The end of incident recovery is declared based on criteria, and incident-related documentation is completed.	New Subcategory for NIST 2.0

NIST publishes major revision to Cybersecurity Framework (CSF): What organizations need to know

What is NIST CSF?

What happened to NIST CSF?

What are the major changes from 1.0 to 2.0?

Added a fifth function (i.e., domain) to address governance

Added more details on cybersecurity supply chain risk management

Added, clarified, and reorganized the categories (e.g., groupings of protections) and subcategories (e.g., protections or controls)

Mike Cullen

Related sections

Changes to categories

Changes to subcategories

What is the first step to take if my organization doesn’t use NIST CSF?

What steps should my organization take if we already use NIST CSF 1.0?

Manage cybersecurity risk across your organization