Using NIST CSF v2.0 as a Security Springboard

Normally, an update to a cybersecurity regulation or standard isn’t seen as a cause for celebration in many organizations. If your compliance goals are solely to meet regulatory requirements, then an update introduces new requirements. And that means more time, effort, and resources will be required. 

The NIST Cybersecurity Framework (CSF) is a bit different. Not only is it an optional standard — meaning that updates don’t necessarily create more required work — but the update to version 2.0 was designed to make it a lot easier to follow. When a cybersecurity standard tailored to critical infrastructure is used across all industries, changes to make it more broadly applicable are a good thing. 

The Version 2.0 update also provides a great opportunity to move from “check the box compliance” to a more proactive approach to security. The changes included in the framework were based on a massive amount of industry feedback and addressed current and emerging security challenges, such as cloud security, artificial intelligence, and supply chain management. 

Key Changes in NIST CSF v2.0 

The move to version 2.0 of the NIST CSF involved major changes to the framework, including renaming it officially from the “Framework for Improving Critical Infrastructure Cybersecurity” to the NIST CSF (which is what everyone called it anyway). Some of the key functional changes include: 

  • Expanded Scope: As its original name suggests, the NIST CSF was designed to help secure critical infrastructure (power, water, etc.); however, its guidance was so valuable that it was adopted across many industries. The new version of the framework acknowledges this and redesigns the framework to be more broadly applicable. 
  • Govern Function: Previously, the NIST CSF had five core functions (Identify, Protect, Detect, Respond, and Recover). The new version adds a “Govern” function focused on cybersecurity governance and strategic risk management. 
  • Implementation Guidance: Translating from theoretical regulatory requirements to real-world implementations can be difficult, and the previous version of the NIST CSF relied heavily on outdated web pages and resources. The new version includes additional implementation guidance and resources, as well as web page updates designed to improve accessibility. 
  • Cross-Standard Relationships: Most companies are subject to several different regulations, and the best way to achieve and maintain compliance is via an integrated program rather than regulation-specific efforts. The new NIST CSF makes this easier by mapping its requirements and recommendations to other regulations and standards, even harmonizing them in some cases. 
  • Forward-Thinking Guidance: Technological changes such as the rise of cloud computing, AI, and remote work all have security implications. The new version of the NIST CSF explicitly addresses these current and emerging trends. 
  • Clear Metrics: One of the hardest tasks in security is defining success. The new CSF includes metrics for measuring how well an organization is complying with its new requirements and recommendations. 

Taking Advantage of CSF Updates 

The NIST CSF v2.0 provides a great deal of guidance for companies looking to implement it. The “easy” way to take advantage of the update would be to work through and implement these recommendations. However, this is no better than “checkbox compliance” for an optional standard. Organizations need to get away from this kind of thinking. 

A better approach is to look at the logic and themes behind the updates and use them as inspiration for building a more forward-looking security program, a more mature security posture. Four key takeaways from the NIST CSF 2.0 updates include the following: 

Prioritize Security Management 

The most significant change in the new version of the NIST CSF is the introduction of the new “Govern” function, increasing the number of top-level functions from five to six. In fact, the new function spans all five of the original cyclical functions. 

This update underscores the importance of addressing security at the executive level. Threats to corporate cybersecurity and compliance are threats to the business as a whole; bringing security into the C-suite is essential for operational resilience and continuing viability. The introduction of the Govern function challenges organizations to take a hard look at their risk management practices and identify ways to make security a business enabler, rather than merely a cost centre. 

Converge Risk Management Practices 

The challenges of protecting the company against cyber threats and maintaining regulatory compliance are growing more complex. As new regulations are introduced, organizations must implement new controls, policies, and reporting practices. The introduction of technologies such as generative AI also introduces new security risks – from inside and outside the operation. 

Based on feedback from Microsoft and others, the NIST CSF 2.0 recommends aligning an organization’s various forms of security-related governance, including cybersecurity, AI, and privacy. This is what ISA Cybersecurity calls the convergence of cyber risk management.

Organizations can also take advantage of the new mappings between the CSF and other regulations to align and streamline their various compliance efforts. This integration enables the company to eliminate redundancies and efficiently ensure alignment between various operational, compliance, and regulatory requirements. 


Define and Quantify Success 

The ability to demonstrate return on investment (ROI) is important to securing budget and showing the value of security to the organization. However, quantifying cybersecurity ROI can be challenging since it’s difficult to measure the potential costs of attacks that are successfully blocked. 

As part of its update, the NIST CSF incorporates additional implementation guidance, metrics, and definitions of success for complying with the standard. Organizations can adopt and adapt these metrics and definitions to measure the maturity of their security programs and demonstrate growth over time. 

Address Emerging Risks 

The range of cybersecurity risks that companies must manage is constantly expanding. Cybercriminals are increasingly performing supply chain attacks, targeting open-source libraries or third-party vendors. These attacks can serve as an intentional entry point to an organization, or can simply create a ripple effect of damage up- or downstream. The rise of generative AI has also introduced a host of new data security risks, from novel hacking approaches, to the accidental disclosure of sensitive data in GenAI tools, to injection attacks on in-house AI resources. 

Keeping pace with the changing cyber threat landscape requires looking ahead to identify emerging threats and implement defenses to address them. The updated NIST CSF 2.0 excels at providing guidance on these topics, providing organizations with insights into where they should focus these next-gen security efforts. 

Making the Most of NIST CSF 2.0 

The 2024 update to the NIST CSF ushers in a major change to the decade-old standard. The new version expands its scope, prioritizes governance, and takes on the emerging cybersecurity risks of today – and tomorrow. 

Because the NIST CSF is optional, complying with it at all demonstrates a commitment to going beyond the minimum for security; this update also offers an opportunity for organizations to further rethink and revamp their security programs. Taking the core themes of the update and applying them offers opportunities to optimize existing security programs and position the company to better address emerging and next-gen security risks.

Learn more about NIST CSF 2.0 and how to operationalize it: contact ISA Cybersecurity today. We’re here to help. 
