What's new in NIST CSF v2.0?
Author: Adam Mylod (https://www.dhirubhai.net/in/adam-mylod/)
Introduction
In late February 2024, the National Institute of Standards and Technology released the highly anticipated Cybersecurity Framework (CSF) Version 2.0. The newly updated framework builds upon the foundation of version 1.1 with several enhancements and updates. Here are some key differences between NIST CSF 2.0 and 1.1:

CSF 2.0, what's new?
Improved Usability for all Industries:
The updated version of the framework aims to enhance accessibility and usability for a wider range of organisations, including small and medium-sized enterprises (SMEs). NIST have also provided various additional resources and guidance to meet the needs of organisations across different sectors and industries. The framework will be available in 13 languages, which highlights its intended global use.

Refinement of Framework Components:
NIST CSF 2.0 provides further refinement and clarification of the Framework Core, Categories, Subcategories, and Informative References. The clearest major update is the addition of a new "Govern" function, covering outcomes that were previously embedded in the "Identify" function. These refinements aim to improve the usability and clarity of these components for organisations implementing the framework.

Further Emphasis on Supply Chain Risk Management (SCRM):
To address the fast-growing supply chain risk in cybersecurity, NIST CSF 2.0 now includes new guidance and resources for supply chain risk management (SCRM). This reflects the increasing importance of SCRM in managing cybersecurity risks stemming from third-party vendors and suppliers, which is now widely recognised as a common area for malicious actors to exploit.

Enhanced Measurement and Metrics:
Version 2.0 places greater emphasis on cybersecurity measurement and metrics. It provides improved guidance on how organisations can measure the effectiveness of their cybersecurity programs and assess their cybersecurity posture over time. NIST CSF 2.0 now also includes implementation examples for each control, which gives organisations a better understanding of what exactly the control is trying to achieve.

Supplementary NIST Resources:
Along with the release of the new framework itself, NIST have also provided multiple supporting resources to guide all users of the framework, regardless of the size of the organisation. These new resources include quick-start guides, comprehensive FAQs, implementation examples, and a CSF reference tool that captures Informative References showing the connection between the CSF and other cybersecurity frameworks, standards, guidelines, and resources. More information can be found at https://www.nist.gov/cyberframework

Conclusion:
Previously, NIST CSF version 1.1 was viewed as the top standard for businesses to align with to maximise their cybersecurity posture. Given that version 2.0 has better control coverage, applies to all businesses (not just US Federal), and is targeted for global use, it is essential that your organisation aligns itself with this framework.
Whether you are just getting started with NIST, would like an assessment of how your company scores against the framework, or need help transitioning from v1.1 to v2.0, the Sentaris Consulting Team is ready to help.
To learn how we can help reduce your organisation's risk using the NIST CSF 2.0, visit us at https://www.sentaris.com.au.