NIST this week announced the release of version 2.0 of its Cybersecurity Framework (CSF). This is the first major update to the CSF since its creation a decade ago.
The cybersecurity framework was originally created for critical infrastructure organizations, but CSF 2.0 is designed to help all organizations reduce risks, regardless of sector, size, or level of security sophistication.
For Cybersecurity Framework 2.0, NIST expanded the core guidance and created additional resources to help organizations use the CSF to its full potential.
The CSF 2.0 supports implementation of the National Cybersecurity Strategy and it’s organized around six key areas: identify, protect, detect, respond, recover, and the newly introduced ‘govern’.
Industry professionals have commented on various aspects of the Cybersecurity Framework 2.0. Some have praised its improvements, while others have pointed to elements that are still missing from the widely used framework.
And the feedback begins…
Davis Hake, Co-Founder, Resilience:
“The CSF 2.0 provides tremendous value to organizations, particularly when it comes to guidance on how to optimize, assess, and invest in cyber risk management. In particular, there seems to be a consensus amongst security leaders that the addition of governance as a key function is a necessary piece to make this work for businesses. It highlights that cybersecurity, just like finance and reputation, is a major source of enterprise risk that companies must consider and have a plan for.
But to successfully manage cyber risk, it’s important to determine what is acceptable, what needs to be mitigated, or if risk transfer via insurance is the appropriate course of action. While the CST 2.0 only briefly discusses risk transfer, it’s evident that it helps organizations stay resilient, so NIST should consider focusing more on this in their forthcoming revisions. Similarly, absent from the CST 2.0 is the importance of cyber risk quantification, which can help organizations look at their risk more holistically and translate risk between the technical security and business silos of leadership. I believe this balance between cyber risk quantification and prioritization, cyber threat visibility, and cyber risk transfer deserves more attention from NIST in future updates.”
Andrew Harding, Vice President, Security Strategy, Menlo Security:
“I was excited to see NIST’s CSF 2.0 account for emerging tools such as GenAI. However, I believe it focuses too much on networking infrastructure, which we often no longer control, and on endpoint systems, which are not managed by enterprises in contractor, business partner and BYOD environments. To address hybrid work environments and the adoption of SaaS applications, we need to think beyond network infrastructure and systems. The NIST guidance on zero trust architecture, related to Resource Portal-Based Deployment models, remains sound.
This updated framework doesn’t go far enough: We need to think beyond the 1st generation of browser isolation and address the need to manage local browsers, protect users from phishing, malware, and credential theft, and also provide access in a manner that employs network separation.
Overall, the detect and respond paradigm is too little and too late: We need to augment that with defense in depth that includes browser security and secure cloud browsing to complete the framework. Important advances in monitoring personnel activity and technology usage to analyze potentially adverse events is an area where the new framework makes advances that address secure enterprise browsing, and that’s an important area of development.”
Richard Caralli, Senior Cybersecurity Advisor, Axio:
“While CSF v2 is an advancement of the framework based on broad industry usage, its primary updates focus on highlighting the role of governance as an important cybersecurity activity and acknowledging the growing challenges of third-party risk management.
Governance is becoming imperative as organizations realize the need for proper senior management and Board oversight, and this update aligns well with the SEC’s recent cybersecurity rulings that more prominently involve better organizational oversight.
The expansion of the third-party risk management (or supply chain risk management) content is a tacit acknowledgement that many organizations now find their circle of trust expanding due to the use of Internet-and Cloud-based technologies. The increased dependence on external partners as an essential player in a teamwork-based approach to cybersecurity is paramount as this transition occurs.
Finally, organizations adopting v2 have some work to do. Existing assessments and reliance on v1 for program execution means that organizations must cast their programs and assessment results in a new framework. This may mean that new gap areas emerge that previously may not have been present. Moreover, if CSF has been used as the basis for Board reporting and program success, casting program accomplishments in v2 may require some adjustments and supporting explanations at the next Board meeting or in senior management updates.”
Chad McDonald, CISO, Radiant Logic:
“In a major milestone for cybersecurity initiatives, NIST has solidified the need for governance in true risk management practices. The digital transformation which has taken place since the last NIST Cybersecurity Framework and the evolution of attack strategies mandates that we understand organizational context when we make security decisions. CSF 2.0 introduces “GOVERN” as a new core function so that organizations begin to measure and manage to the outcomes intended by the five other functions. GOVERN empowers security executives to prioritize, manage and communicate overall security strategy.
At its foundation GOVERN relies on identity management to provide a window into roles, responsibilities and authorities. It is this organizational context that catalyzes the prioritization of security initiatives and enables real measurement of strategic cyber outcomes. Are users in Finance over provisioned? Who is using the unpatched VPN? Which systems and data can this compromised account access? Contextual data, informed by identity, drives an overall reduction in risk and a real understanding of an organization’s security posture.”
Jose Seara, CEO, Founder, DeNexus:
“One of the more interesting components of the new CSF framework calls for more focus on supply chain cyber risk. Suppliers increase cyber risk for organizations by retaining equipment access privileges and needing timely firmware upgrades to patch vulnerabilities, challenges magnified in OT environments where downtime brings extreme costs.
Overlooking third-party cyber risk causes business disruption when supplier connections enable incidents or their own downtime causes service failures, leading to multimillion-dollar losses for power, manufacturing, or transportation companies. Tight supplier access control and firmware upgrade rigor are essential to limit organizational cyber exposure. In today’s interconnected world, CSF 2.0 brings an additional layer of consideration and protection for all organizations that has traditionally been overlooked, especially in OT environments.
NIST CSF 2.0 brings a more codified approach by allowing organizations to adopt the framework at their own pace starting with partial adoption (Tier 1), to risk-informed (Tier 2) and finally Repeatable (Tier 3) and Adaptive (Tier 4). NIST CSF 2.0 is richer, offering examples, templates and simplified versions for newcomers and small businesses, pointing companies toward the importance of understanding cyber risk first to define a more effective cybersecurity strategy and allocate cybersecurity budget to most pressing security weaknesses.”
Jordan Tunks, Manager, Cybersecurity Solutions, Pathlock:
“Frameworks like the NIST CSF are so versatile for organizations of all sizes and industry because they are not prescriptions of an absolute solution or mandatory processes, but rather deliver a common organizing structure for multiple approaches to cybersecurity. The CSF provides different function tiers, which logically flow from high-level benchmarks, all the way to specific control families. This ensures informed involvement between all management levels for non-siloed cybersecurity processes and best practices.
The increasing digital attack surface has resulted in a response calling for increasing regulatory stringency from both industry and government entities, and with these ramping regulatory requirements comes apprehension from the organization’s held to these standards. Prior to the last decade, cybersecurity was often overlooked and not considered a board-level issue, but now is at the forefront of many high-level business decisions. This stark change in the importance of cybersecurity has left many organizations unsure of where to start or how to embed cybersecurity best practices into the company culture.
Thankfully, NIST and their regulatory frameworks and guidance are designed to aid organizations in implementing a process regardless of cybersecurity maturity, as well as continuously scale with organizational growth (both in size and cybersecurity maturity), conduct an initial assessment, and coherently define target goals.”
Jason Soroko, Senior Vice President of Product, Sectigo:
“NIST’s role is to not overprescribe technology. In the US, it is common for legislation on cybersecurity to reference NIST guidance, which is a good strategy as laws become obsolete quickly. If people are looking to NIST to design a bespoke security architecture for their unique enterprise circumstances, that’s the wrong way to look at it. NIST Cybersecurity Framework 2.0 reframes critical ideas that need to be central to anyone who is building or refactoring a security stance.
Maybe the most important change is making identity management a first class citizen in the framework. The ultimate source of truth on security practices has to be a plan that is brought together from security partners who take the time to understand your unique needs, after you have done your inventory work. Without understanding what your crown jewels are, you can’t build a security program to protect them properly. NIST’s guidance has an enormous richness to pull from, however, it’s not a bespoke plan.”
Ken Dunham, Cyber Threat Director, Qualys Threat Research Unit:
“Organizations that intentionally become framework driven with the intent to achieve both compliance and security outcomes consistently report lower operational costs and accepted risk, which directly supports national plans and outcomes for defense and resiliency. NIST CSF 2.0 enables organizations a way to baseline, compare, and mature operations within an organization as well as compare to other business units and organizations, to drive clarity and prioritization in cyber risk management.
Compliance and regulatory controls are significant for organizations in 2024, with frameworks like CSF 2.0 as a core foundation easily overlayed with other frameworks specific to other controls and verticals. Every organization today has the responsibility to “cross-walk” and overlay multiple forms of compliance and adherence to local, regional, national, and international laws and frameworks to meet complex laws, insurance requirements, and compliance standards.”
Dave Bailey, VP of Consulting Services, Clearwater:
“Adding the Govern function into NIST CSF 2.0 is an important development because it underscores the need for leadership in healthcare organizations to play an active role in cybersecurity. Governance refers to your ability to determine if you are implementing proper risk management, which includes establishing a risk threshold and understanding and addressing your risk based on that parameter, including building executive-level support to achieve your cybersecurity goals.
We saw the Health Sector Coordinating Council (HSCC) highlight the importance of C-suite ownership of cybersecurity as an enterprise risk in the 5-year strategic plan also announced this week. It’s encouraging to see both NIST and the HSCC emphasizing the need for leadership support to improve cybersecurity in healthcare. Too many organizations still think of cybersecurity as just an IT problem.”
Sebas Guerrero Selma, Senior Security Consultant, Bishop Fox:
“The update to the NIST Cybersecurity Framework, making it relevant for all types of organizations and adding a governance focus, is a game-changer. It’s not just for the big players anymore; smaller firms get a roadmap tailored to their needs. With practical examples and a new online tool linking to other standards, it’s easier for everyone to step up their cybersecurity game. This move could really level the playing field, helping the whole industry become more resilient against cyber threats.”
