NIST CSF 2.0: Key Updates and Why They Matter

Agenda

    NIST Cybersecurity Framework 2.0

    Setting the Stage

    As we move through the 2020s, the cybersecurity landscape is becoming increasingly diverse and complex. Factors such as threats arising from new lifestyle changes, the sharp rise in large-scale and severe cyberattacks worldwide, and heightened risks associated with emerging technologies like generative AI have significantly contributed to this trend. In response, many countries have introduced and refined cybersecurity laws, regulations, and guidelines to address these evolving challenges.

    The NIST Cybersecurity Framework (NIST CSF), CIS Controls, and the ISO/IEC 27000 series are among the internationally recognized and widely adopted cybersecurity frameworks and guidelines. Notably, the NIST CSF has gained traction globally across public and private sectors because of its comprehensive approach, which incorporates cyber resilience measures and instils confidence in its ability to address evolving challenges, and because of its high adaptability to diverse organizational needs.

    Navigating the Complex Cybersecurity Landscape

    NIST Cybersecurity Framework (NIST CSF)

    The NIST Cybersecurity Framework (NIST CSF) was developed in 2014 by the National Institute of Standards and Technology (NIST) in response to Executive Order 13636 issued by President Obama in 2013, which aimed to enhance cybersecurity for critical infrastructure. Commonly referred to as the “Cybersecurity Framework” or simply “CSF,” it provides a structured approach to managing cybersecurity risks.

    The initial version of the framework, NIST CSF 1.0, was published in 2014. It was later revised in 2018 to version 1.1, and as of February 26, 2024, the latest version, NIST CSF 2.0, has been officially released.

    One of the defining features of the NIST CSF is its comprehensive scope. As cyberattacks become increasingly sophisticated and complex, organizations are under pressure to enhance their cyber resilience. The CSF addresses these challenges by encompassing both proactive measures to prevent breaches and reactive strategies to respond to incidents effectively. This broad coverage ensures that the framework can adapt to evolving threats and provide guidance for both pre-incident and post-incident management.

    The NIST CSF has become a cornerstone for many cybersecurity initiatives worldwide. According to NRI Secure’s 2022 Information Security Survey, approximately 35% of U.S. organizations reference the NIST CSF to evaluate their security practices. As the need for robust cybersecurity measures grows, the adoption of this framework is expected to increase, solidifying its role as a key resource for strengthening organizational cybersecurity.

    Evolution of the NIST Cybersecurity Framework

    The Three Components of the NIST CSF (Core, Tier, and Profile)

    The NIST Cybersecurity Framework (CSF) is structured around three key components: Core, Tier, and Profile.

    • Core: A categorized list of security controls and practices.
    • Tier: A four-level maturity model used to quantify the implementation status of security measures.
    • Profile: A comparison of an organization's current cybersecurity posture ("As-Is") against its desired future state ("To-Be").

    By leveraging these three components, businesses and organizations can analyze the gaps between their current cybersecurity measures and their goals. This allows them to prioritize and implement necessary actions effectively. Additionally, the framework serves as a "common language" for communicating cybersecurity risks and strategies with internal and external stakeholders.
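    The As-Is versus To-Be gap analysis described above, worked through in code. This is an added example, not part of the original article or of NIST's own material: it scores each subcategory with one of the four CSF Implementation Tiers, computes the Tier gap against the target Profile, and ranks the gaps by an organization-defined criticality weight. The subcategory IDs are real CSF 2.0 identifiers; the Tier values and criticality weights are constructed for illustration.

```python
from collections import defaultdict

# The four CSF Implementation Tiers (the same four levels exist in CSF 1.1 and 2.0).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Constructed sample Profiles for a fictional organization. Keys are CSF 2.0
# subcategory IDs; values are the Tier the organization assigns to each one.
CURRENT_PROFILE = {   # "As-Is"
    "GV.OC-01": 2, "GV.RM-07": 1, "GV.RR-01": 2, "GV.SC-04": 1, "GV.SC-06": 1,
    "ID.RA-01": 3, "PR.AA-01": 3, "DE.CM-01": 2, "RS.MA-01": 2, "RC.RP-01": 2,
}
TARGET_PROFILE = {    # "To-Be"
    "GV.OC-01": 3, "GV.RM-07": 3, "GV.RR-01": 3, "GV.SC-04": 3, "GV.SC-06": 3,
    "ID.RA-01": 3, "PR.AA-01": 4, "DE.CM-01": 3, "RS.MA-01": 3, "RC.RP-01": 3,
}
# Constructed criticality weight per subcategory (1 = low, 3 = high); anything
# not listed defaults to 1. In practice this comes from the GV.RM risk strategy.
CRITICALITY = {"GV.SC-04": 3, "GV.SC-06": 3, "DE.CM-01": 3, "RS.MA-01": 2}


def gap_analysis(current, target, criticality=None):
    """Return one record per target subcategory with its Tier gap and priority."""
    criticality = criticality or {}
    records = []
    for sub_id, want in target.items():
        have = current.get(sub_id, 1)   # an unassessed subcategory counts as Tier 1
        gap = max(0, want - have)       # already at or above target: no gap
        records.append({
            "id": sub_id,
            "function": sub_id.split(".")[0],   # GV, ID, PR, DE, RS or RC
            "current": have, "target": want, "gap": gap,
            "priority": gap * criticality.get(sub_id, 1),
        })
    return records


def prioritize(records):
    """IDs of subcategories with a gap, highest priority first (ties by ID)."""
    ordered = sorted(records, key=lambda r: (-r["priority"], r["id"]))
    return [r["id"] for r in ordered if r["gap"] > 0]


def gap_by_function(records):
    """Sum of Tier gaps per Function, e.g. to show leadership where GV stands."""
    totals = defaultdict(int)
    for r in records:
        totals[r["function"]] += r["gap"]
    return dict(totals)


if __name__ == "__main__":
    recs = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, CRITICALITY)
    by_id = {r["id"]: r for r in recs}
    for sub_id in prioritize(recs):
        r = by_id[sub_id]
        print(f'{r["id"]}: Tier {r["current"]} ({TIERS[r["current"]]}) -> '
              f'Tier {r["target"]} ({TIERS[r["target"]]}), priority {r["priority"]}')
    print(gap_by_function(recs))
```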

    Four Key Revisions to NIST CSF 2.0

    Since 2022, NIST has actively engaged with stakeholders through a series of workshops, webinars, and the release of a draft version to gather comprehensive feedback for the update. After this extensive process, the finalized version of the NIST Cybersecurity Framework (CSF) 2.0 was officially published on February 26, 2024.

    This section outlines the four main updates introduced in NIST CSF 2.0.

    Point 1: Expansion of the Framework's Scope

    The initial versions of the NIST Cybersecurity Framework (CSF), 1.0 and 1.1, were originally developed to secure critical infrastructure in the United States, such as hospitals and power plants. However, in practice, the framework has been widely adopted beyond critical infrastructure, finding use among government agencies and private companies across various sectors and countries.

    With the release of NIST CSF 2.0, the framework has been redesigned to reflect these broader applications. It is now structured to accommodate organizations of all sizes, industries, and levels of cybersecurity maturity, including small and medium-sized businesses.

    The overall structure of the framework, as well as the categories and subcategories in its Core, has been revised to remove language specific to critical infrastructure, making it more generalized and adaptable for a wider range of users.

    Additionally, the official name of the framework has been changed from Framework for Improving Critical Infrastructure Cybersecurity to the more inclusive Cybersecurity Framework, reflecting its universal applicability.

    Point 2: Addition of the "Govern (GV)" Function

    Nearly a decade has passed since the release of NIST CSF 1.0, during which the business environment has undergone significant changes. Factors such as the widespread adoption of remote work, technological advancements like AI and quantum computing, and the increasing reliance on supply chain ecosystems have reshaped the landscape. Simultaneously, new cyber threats, such as ransomware attacks and exploits targeting weak links in supply chains, have become more prevalent.

    In NIST CSF 2.0, the framework emphasizes that cybersecurity is now a key business risk on par with financial and reputational risks, requiring senior leadership to integrate it into their overall risk management strategy. Organizations must adopt a top-down approach to address these evolving risks and changes, ensuring cybersecurity measures align with their mission and objectives and are subject to continuous improvement.

    As part of this revision, a sixth core function, "Govern (GV)", has been introduced alongside the existing five functions:

    • Identify (ID)
    • Protect (PR)
    • Detect (DE)
    • Respond (RS)
    • Recover (RC)

    The diagram below illustrates the core functions in CSF 1.1 and CSF 2.0. The functions are interconnected and represented as a wheel, with the newly added "Govern (GV)" function positioned at the center. This placement highlights its cross-functional role in supporting decision-making to determine "what should be prioritized" within the management practices outlined in the other five functions.

    NIST CSF 2.0 Framework Components

    Additionally, the revision includes updates to the categories and subcategories within each function, involving adjustments such as reclassification, consolidation, and removal:

    • NIST CSF 1.1: 5 functions, 23 categories, 108 subcategories
    • NIST CSF 2.0: 6 functions, 22 categories, 106 subcategories

    Although "Govern (GV)" is a newly established function, not all its categories and subcategories are entirely new. Many have been reallocated or consolidated from the "Identify (ID)" function in CSF 1.1. Examples include:

    • ID.BE (Business Environment)
    • ID.GV (Governance)
    • ID.RA (Risk Assessment)
    • ID.SC (Supply Chain Risk Management)

    These elements have now been grouped under the "Govern (GV)" function, reflecting the framework's effort to centralize governance-related practices within the broader cybersecurity strategy.

    Point 3: Expanded Online Resources to Support Framework Utilization

    NIST CSF 2.0 includes an expanded range of online resources designed to help organizations of all sizes implement the cybersecurity measures outlined in the framework. These resources aim to facilitate effective adoption and practical application of the framework.

    • Implementation Examples: Best practices for implementing specific subcategories.
    • Informative References: Resources such as guidelines and standards that aid in achieving desired outcomes.
    • Quick-Start Guides: Tailored guidance for specific needs, such as small businesses.

    A new resource, Implementation Examples, has been added to the Core. Additionally, the range of resources listed as Informative References has been significantly expanded.

    Implementation Examples provide best practices for addressing specific subcategories. They are designed as illustrative measures to help users better understand the subcategories. However, they are neither an exhaustive list of actions to implement nor a minimum set of required measures.

    Informative References offer resources such as standards, guidelines, and regulations that support the achievement of outcomes within Functions, Categories, and Subcategories. The updated version introduces a broader selection of resources, including CRI Profile v2.0, CIS Controls v8, SP800-221A, and SP800-218.

    Quick-Start Guides provide targeted guidance for specific needs, such as developing profiles, tailoring the framework for small businesses, and managing supply chain risks. These guides are intended to serve as actionable “first steps” for organizations beginning to use the framework.

    To ensure accessibility and frequent updates, resources such as Implementation Examples, Informative References, and Quick-Start Guides are maintained online on the NIST website. Organizations are encouraged to refer to the official NIST page for the latest information.

    Point 4: Strengthening Supply Chain Risk Management

    In recent years, the advancement of digital transformation (DX) and globalization has reshaped the business landscape. In this environment, businesses can no longer operate solely on their internal resources; collaboration with partners and vendors has become indispensable. As nearly all organizations rely on supply chains, security risks stemming from these interdependencies have been on the rise.

    In 2018, the NIST Cybersecurity Framework (CSF) 1.1 introduced a new category, "ID.SC" (Supply Chain Risk Management), to address these challenges and enhance supply chain risk management (SCRM). However, the 2020s have seen a continued global increase in severe attacks targeting vulnerabilities within supply chains.

    The recent revision to NIST CSF 2.0 has further expanded on these efforts. Under the newly introduced "Govern (GV)" function, a dedicated category, "GV.SC" (Cybersecurity Supply Chain Risk Management), has been established to centralize and sharpen the focus on this area. Moreover, the revision significantly increases the number of subcategories detailing the essential measures required for effective supply chain risk management.

    The New Function in NIST CSF 2.0: Govern (GV)

    The Govern (GV) function focuses on governance measures that manage cybersecurity risks as an integral part of an organization’s overall business risks, using a top-down approach. These activities play a crucial role in guiding decision-making across the other functions (Identify, Protect, Detect, Respond, Recover) by considering the organization’s mission, objectives, stakeholder roles, and expectations to determine which measures should be prioritized.

    This section explains the six categories included in the GV (Governance) function.

    GV.OC (Organizational Context)

    Managing risks, including cybersecurity risks, requires a top-down approach to identify threats that could impact the organization's mission and business objectives. It is essential to address these risks and implement improvements based on a risk management strategy aligned with the overall business strategy.

    In this category, effective cybersecurity risk management begins with a thorough understanding of the organization's mission, its vision for the future, and the expectations of internal and external stakeholders such as shareholders, customers, and employees. It also involves ensuring compliance with relevant laws, contractual obligations, and a clear grasp of the services the organization provides and their dependencies.

    Effective Cybersecurity Risk Management

    GV.RM (Risk Management Strategy)

    Cybersecurity risks can have far-reaching consequences for organizations, including increased costs, lost revenue, reputational harm, and diminished innovation. In some cases, these risks may even jeopardize individual privacy, restrict access to critical services, or endanger lives in the most severe scenarios.

    This category highlights the need to implement a comprehensive risk management process that identifies, evaluates, and mitigates risks related to supply chains. Effectively managing these risks is essential to maintaining organizational resilience and achieving strategic goals.

    A notable update in NIST CSF 2.0 is the introduction of the concept of positive risk (GV.RM-7), which was not explicitly addressed in earlier versions of the framework. While traditional cybersecurity risk management often focuses on mitigating adverse risks that could disrupt an organization’s mission or objectives, positive risks represent opportunities to enhance mission success. These might include benefits such as increased revenue, improved trust, or greater operational efficiency.

    For example, rather than viewing the rapid development of generative AI solely through the lens of potential adverse risks such as data breaches or regulatory non-compliance, organizations should also consider its positive risks. Generative AI offers opportunities to improve efficiency and expand business operations. To fully realize these benefits, it is critical to explore ways to leverage generative AI while carefully managing its associated risks.

    GV.RR (Roles, Responsibilities, and Authorities)

    This category emphasizes the importance of defining and communicating the cybersecurity roles, responsibilities, and authorities of all stakeholders within a company or organization. When each individual understands their specific role and responsibilities, organizations can expect stronger security awareness, a healthier security culture, and faster response during incidents.

    Moreover, the leadership of key figures like the Chief Information Security Officer (CISO) becomes increasingly critical in fostering a culture of continuous improvement. This involves close collaboration with stakeholders, including executive management, employees across various departments, and supply chain partners, to ensure ongoing alignment and improvement (GV.RR-1).

    GV.PO (Policy)

    This category emphasizes the need to define and document the organization-wide security risk management policies, including risk management processes and procedures. It also requires organizations to appropriately disclose these policies externally when necessary and ensure they are effectively communicated to all relevant stakeholders.

    Additionally, it is critical to regularly review and update these policies and processes to ensure they remain aligned with evolving threats, such as the latest cyberattacks, and adapt to changes in the organization’s mission. This ensures that the policies are both current and effective.

    Comprehensive Security Risk Management

    GV.OV (Oversight)

    This category introduces a new control added in NIST CSF 2.0. It focuses on continuously reviewing and assessing the outcomes of cybersecurity risk management efforts. By reflecting on these outcomes and making necessary adjustments, organizations can create a sustainable improvement cycle for risk management strategies and processes.

    Activities that support this reflection process include measuring KPIs to assess the achievement of organizational goals, conducting regular security assessments, and undergoing external audits.

    GV.SC (Cybersecurity Supply Chain Risk Management)

    One of the significant updates in CSF 2.0 is the focus on understanding and addressing security risks across the entire supply chain. This category highlights the importance of treating supply chain risks as integral to organizational risk management.

    The controls within this category guide organizations in establishing processes to ensure that critical third parties, upon which they depend, consistently maintain appropriate cybersecurity standards. It is the most detailed category, comprising 10 subcategories, more than any other in the framework.

    Notable additions include identifying and prioritizing third parties based on their criticality (GV.SC-4) and performing pre-contract evaluations and due diligence on cybersecurity measures (GV.SC-6). These represent new controls that were not part of CSF 1.1.

    Achieving Security Assessments Aligned with the NIST CSF Framework

    While we’ve discussed the features and advantages of NIST CSF 2.0, it’s essential to recognize that no single cybersecurity framework is universally applicable to all organizations. Every company or institution faces unique threats, risk tolerance levels, missions, and business goals, necessitating a tailored approach to risk management.

    Widely used frameworks and guidelines each have distinct characteristics and strengths. Integrating several frameworks and guidelines is often beneficial to enhance cybersecurity measures from multiple perspectives.

    What Is Secure SketCH?

    Secure SketCH, a service offered by NRI Secure, is a web-based platform that visualizes an organization’s cybersecurity posture through a score of 1,000 points and a deviation score based on responses to 75 security-related questions. As of 2024, the platform has been utilized by over 7,000 companies and organizations.

    Secure SketCH references 11 internationally and domestically recognized frameworks and guidelines, including NIST CSF, NIST SP800-171, ISO/IEC 27001/2, and Japan’s Cybersecurity Management Guidelines. These frameworks inform the creation of its 75 questions and recommended best practices (as of May 2024).

    The platform’s Guideline Check Function allows organizations to instantly analyze and assess how well their current security measures align with various frameworks. It identifies areas for improvement, streamlining the compliance evaluation process.

    Compared to manually interpreting and applying frameworks or guidelines to evaluate security measures, Secure SketCH significantly reduces operational effort. Additionally, it provides management with quantifiable insights for informed decision-making and reporting.

    Key Takeaways

    The NIST Cybersecurity Framework (CSF) is a widely adopted guideline for addressing cybersecurity risks. Its latest version, 2.0, strongly emphasizes supporting holistic organizational risk management. Notably, the update introduces a new Governance function, underscoring the critical role of leadership at the executive level.

    Additionally, the framework has been enhanced to address today’s complex threat landscape, incorporating measures such as supply chain risk management and the concept of positive risk. To further facilitate the implementation of security measures, new support tools—including implementation examples, references, and quick-start guides—have been added. These enhancements enable organizations to manage risks more effectively and strengthen their resilience against cyberattacks.