The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) provides organizations with guidance and best practices for enhancing information security and safeguarding their networks and data.
Initially published in 2014 (the same year of Pharell’s “Happy” and the Ice Bucket Challenge), the framework aimed to help organizations of any size comprehend, manage, and mitigate cybersecurity risks. A decade later, in February 2024, the cybersecurity community received the second edition of this widely adopted framework.
While the original spirit of the NIST CSF remains, today’s evolving threat landscape and the widespread adoption of cloud technologies present different challenges compared to those in 2018, when NIST released its lone revision (1.1) of the framework.
Most organizations use dozens of cloud-based platforms and SaaS applications, each with its own siloed authentication method, administrative controls, and configurations.
Moreover, sensitive data is spread across these multiple information systems without proper visibility as to where it’s located. Customers now look to apply this framework to cloud solutions to address these challenges.
Another application area for NIST CSF is with AI productivity tools like ChatGPT for Enterprise, Salesforce’s Einstein Copilot and Agentforce, and Copilot for Microsoft 365. NIST added “Govern” as a core Function to the preexisting five functions from 1.0 to aid organizations in deploying new technologies like Copilot.
Unlike other SaaS applications, AI solutions have a unique risk profile, elevating the Govern Function's importance. The Govern function specifically helps organizations set a baseline for their policies, risk management strategy, and oversight related to the technology.
In this article, we’ll examine other updates like this additional Function and key aspects of the framework, explore new strategies to consider, and discuss how to begin implementing the updated framework within your organization.
How organizations benefit from using the NIST Cybersecurity Framework
NIST CSF 2.0 consists of guidance and principles influenced by other NIST frameworks, relevant national and international standards, and input gathered during NIST’s request for information period.
Organizations benefit from the framework and its best practices in the following ways:
- Breadth of coverage: The framework goes beyond prevention, giving organizations practical measures to anticipate, detect, and neutralize threats. NIST CSF 2.0 helps cybersecurity teams document processes and identify investment needs.
- Flexibility: The framework accounts for all organizations, regardless of size. It can also adapt to all industries and maturity levels, depending on previous investments or efforts.
- Future-ready: Although no framework can be entirely future-proof or fully resilient against the rapid advancement of new technologies, emerging threats, and innovative defensive strategies, NIST designed version 2.0 to accommodate modern AI and privacy developments.
Components of NIST CSF 2.0
CSF Core
The NIST CSF Core components are a hierarchy of six Functions, 22 Categories, and 106 Subcategories (12 of which are brand new from NIST CSF 1.1). All Subcategories comprise a robust framework that establishes the foundation for an organization to manage its risk and protect its organization appropriately.
The NIST framework functions can be performed concurrently and dynamically, serving as less of a checklist and more of a guidance on achieving cybersecurity outcomes and objectives.
Govern (GV)
The Govern Function focuses on how organizations establish, communicate, and monitor all aspects of their cybersecurity and data security programs, making it central to all other Functions.
Organizations should outline their “context", or factors, defining their risk. This context includes data points such as stakeholders, dependencies, critical assets, and regulatory requirements. The context will influence how the organization evaluates risk and prioritizes security to prevent those risks from becoming cybersecurity incidents.
Establishing measurable objectives to address data and cyber risk in the organization is also critical. These objectives include conducting regular supply chain audits or ensuring that cybersecurity teams are included in non-security strategic planning cycles for other business areas. Teams should develop a responsibility model internally and externally, and maintain reporting structures to communicate security risks from non-technical teams like human resources.
Organizations should also outline the cybersecurity roles and duties for those in specific positions and assign extra responsibilities related to data security to leaders not directly involved in cybersecurity.
Identify (ID)
The Identify Function requires knowing your organization's environment and assets, understanding the risks that can impact them, and determining improvements to mitigate those risks. Assets can include systems, hardware, software, services, and — most importantly — data. In fact, an entire Subcategory (ID.AM-07) is dedicated to maintaining data and its whereabouts.
Furthermore, organizations should regularly assess and redefine what constitutes a severe threat. They can achieve this by conducting vulnerability scans and assessments, using various posture management solutions, monitoring threat intelligence, and initiating periodic threat-hunting exercises.
Prioritization is also vital so teams can address the most pressing risk to your organization based on your environment and the criticality of assets. For instance, misconfigurations on your Active Directory would be a higher priority for remediation because that risk can have implications for all users and identities in your environment.
Lastly, Identify requires organizations to record their plans of action and risk mitigation steps. Documenting the factors used to determine those steps is also a best practice so that future leaders have historical precedents for later reference.
Protect (PR)
The Protect Function consists of safeguards intended to mitigate the risks found in the Identify Function. Organizations also should implement protective measures to address threats found in the Detect Function in the next section.
It is first important to maintain, replace, and remove software in your environment commensurate with presented risks. Threat intelligence can also identify software vulnerabilities, informing how you may update or revert to a previous version. Further, a risk assessment may reveal unmanaged software that needs to be removed, like unapproved AI applications.
In addition to remediating software vulnerabilities, the Protect function requires organizations to manage and enforce access permissions and entitlements across hardware, software, and information systems.
Organizations must develop awareness and training strategies for employees and security teams. Identity and data security threats often start with an unsuspecting user granting improper access or mistakenly disclosing sensitive information to a malicious actor.
Like defense-in-depth strategies, each Category in Protect builds on the others. An organization cannot thoroughly address the Data Security Category (PR.DS) without also implementing principles of least privilege and managing permissions in the Identity Management, Authentication, and Access Control (PR.AA) Category. Teams should consider how each category affects the others.
Detect (DE)
The Detect Function focuses on consistently monitoring for potentially adverse events throughout the enterprise and analyzing those incidents.
Events can include network access sessions or changes to DNS, user behavior changes, failed authentication attempts, and changes to permissions or privileges. Data-related events to monitor can consist of actions like create, read, update, delete, save (CRUDS), and beyond.
Rules, policies, and baselines are configured to aid organizations in detecting deviations from accepted or normal activities. Alerts should be enabled to notify security personnel of these changes.
This Function also relies heavily on logging incidents and events and analyzing them with modern SIEM, SOAR, and AI technologies. Many organizations rely on managed security services providers and Managed Data Detection and Response (MDDR) for event monitoring, which requires a 24/7 operation and a team of skilled professionals.
Respond (RS)
The Respond Function includes the processes, communication plans, mitigations, and analysis that make up an overall response plan in the case of a compromise or successful attack.
One element of incident management within RS is how organizations categorize and prioritize incidents. To gauge the severity of incidents, teams must first know where critical assets are located and how they’re being impacted.
Mature organizations can prioritize incidents affecting their most sensitive or regulated data, turning their incident response plan into a data-centric one. Proper tooling can help teams stay proactive and quickly take the required steps to reduce the damage an attack may have on their data.
RS also references companies' ability to bring in an external response and recovery team to conduct incident containment and forensic analysis. Services like Varonis MDDR help report the “who/what/when/where/how” of a compromise and reduce the risk of it happening again.
Events from Detect flow into this Function, and the results from Respond flow into Recover. More importantly, the learnings from an incident response will naturally drive changes in how organizations approach all other Functions, such as Govern, Identify, and Protect.
Recover (RC)
The Recover Function can be considered an extension or pairing to the Response Function, as teams use the insights, information, and analysis from that Function to inform recovery strategies and processes.
Public relations and reputation management were removed from this Function, making it more focused on restoring the technical integrity of systems rather than brand integrity (though brand integrity is a good motivator).
Recovery incorporates internal and external communications, working to restore full functionality to anything impacted by the attack and identifying areas of remediation in case part of your system was severely impacted.
Backups play an essential role in the restoration process but can also be compromised through multiple vectors. Therefore, teams should analyze backups for the same code deployed by an adversary in the initial attack and ensure the exploited identity, access, or privileges are removed.
CSF Organizational Profiles
The Profile aligns Function requirements from the Core with the business needs and cybersecurity objectives.
Additionally, your Profile can include a target state and current state based on your implementation maturity, which is very similar to the concept of a System Security Plan and Plans of Action and Milestones.
By combining the two, you should be able to create a roadmap to your cybersecurity goals. You can download a template from NIST or adopt a Community Profile made available for various company sizes and industries.
CSF Tiers
Implementation Tiers designate how an organization views its cybersecurity risk and responds accordingly. They are markers for where your organization may be today and where you are headed.
To determine your organization's Tier for each Function, internal stakeholders should consider the business need for cybersecurity risk management and the current level of rigor applied. Below are explanations of each Tier.
Tier 1: Partial
This Tier takes on cybersecurity in an ad hoc manner, and organizations represented are typically unaware of many of their risks — nor do they appropriately communicate these risks to employees or leadership teams. This reactive positioning considers cybersecurity only when there’s an active need.
Tier 2: Risk-informed
Tier 2 programs have higher cybersecurity risk awareness and resources devoted to risk management based on the company’s needs. However, it’s not formalized, has few processes in place, and considerations largely stay internal. Third-party or vendor risk management is still not considered at this Tier.
Tier 3: Repeatable
An organization in this Tier has more formalized policies and practices and continuously updates them based on new information and shifting priorities in risk management. Organizations in Tier 3 often have at least one full-time cybersecurity professional responsible for policy creation and management within the company.
At this Tier, the executive team is actively involved in cybersecurity discussions, and external parties (such as vendors and partners) are considered as part of the overall cybersecurity strategy. Internal and external parties ensure that controls and policies that address third-party risk are in place.
Tier 4: Adaptive
Organizations in this tier continuously research and find new threats, vulnerabilities, and exploits and react accordingly. They also regularly invest in new tools or features that can protect them against novel threats.
Also, these organizations are often marked as having a formal Security Operations Center (SOC) or relying on a third-party managed service to act as an active SOC and monitor risks.
Risk tolerance is generally low, and cybersecurity risk management is an integral part of the organization, acting as a critical voice in decision-making across the company.
How to implement the NIST CSF 2.0
Given the different disciplines involved, implementing this framework may seem daunting, but it’s important to understand that it was built with flexibility and ease in mind.
As a launching point, NIST provides a working Quick Start Guide (QSG) for implementing NIST CSF 2.0. Many organizations also coincide a CSF review or initial exercise with their annual budget and fiscal year planning.
This best practice provides IT and security leaders with a formalized assessment and plan to rely on when creating investment line items.
The NIST CSF 2.0 Reference Tool additionally provides examples of solutions and processes to address gaps in your organization.
#1 Prioritize and scope
Identifying business risk objectives and the priorities requiring resourcing and investment is the first step to implementing NIST CSF 2.0. This will establish an understanding of what your teams can address without additional resources and ground budget asks for near- and long-term capabilities.
#2 Conduct a risk assessment
Understanding your organization’s at-risk assets, risk tolerance, business needs for risk management, and available resources is vital. A risk assessment can help identify which Tiers you belong to and what goals you can realistically accomplish within a specific timeframe.
#3 Determine, analyze, and prioritize gaps
By comparing your current state and target state, you can identify your gaps and the steps and actions required to reach your target. This will also help you resource and find appropriate vendors and solutions.
#4 Implement an action plan
By now, you should understand the essential steps, key contacts, and actions needed to proceed with your implementation. Ensure your team captures progress at every step to update documentation and demonstrate value.
Need assistance applying the NIST Cybersecurity Framework 2.0 in your org? Contact us for help.
