Manage your risk with the revised NIST Cybersecurity Framework

The updated NIST CSF provides relevant and actionable guidance - understanding your current cybersecurity posture, identifying critical risks, and directing improvements.

An updated cybersecurity framework with expanded scope

In February 2024, the National Institute of Standards and Technology (NIST) released its first major update of the popular and well-respected Cybersecurity Framework (CSF). The release of the NIST CSF 2.0 is the result of a multi-year process that obtained comments, concerns, and recommendations from thousands of organizations and individuals. NIST CSF 2.0 has been redesigned to align with the implementation of the National Cybersecurity Strategy, and its use has been expanded beyond its original scope of protecting critical infrastructure.

What’s new in the NIST Cybersecurity Framework

We can summarize the changes in the CSF in three main ways. First, NIST and other government agencies are no longer saying that the CSF should apply solely to critical infrastructure. As recently as 2018, when referring to the CSF, NIST said [that it] “was developed with a focus on industries vital to national and economic security, including energy, banking, communications and the defense industrial base.”1 Many organizations of diverse types and sizes were already using the CSF to guide their cybersecurity programs, but there is now a new and well-publicized focus on its applicability to a much broader audience.

Second, the revised cybersecurity framework gives more specific and focused attention to two areas of concern in the cybersecurity community. Cybersecurity leaders in both industry and academia have recognized that governance activities are critical for integrating cybersecurity into an organization’s overall risk management strategy. Accordingly, NIST has added a sixth function, Govern, alongside the existing functions of Identify, Protect, Detect, Respond, and Recover; Govern is positioned as the function that informs how the other five are carried out. In addition, on the heels of COVID-19 pandemic-induced supply chain disruptions and growing evidence that many cybersecurity incidents involved vendors, suppliers, and other third parties, the revised CSF places greater emphasis on supply chain risk.

The third substantial change to the NIST CSF is the introduction of additional guidelines and an enhanced suite of tools to support the CSF. Visitors to the NIST CSF website find a variety of resources, such as the following:

  • A direct link to the NIST CSF 2.0. This is a 32-page document with clickable links to additional NIST resources. This guide not only details the functions, categories, and subcategories, but also provides users with information on how to use the CSF as part of an overall risk management program.
  • A quickstart guides page that provides links to additional information regarding organizational profiles, community profiles, small business concerns, and supply chain risk management.
  • CSF Tiers, which are a way to characterize the rigor of an organization’s cybersecurity risk governance and management outcomes.
  • Enterprise risk management (ERM) guidance that shows how cybersecurity risk management (CSRM) fits into information technology risk management and overall risk management activities. For organizations considering formal ERM or governance, risk, and compliance (GRC) initiatives, this guidance provides useful information and a common vocabulary that the reader can use in risk management processes.

These changes make the NIST CSF more accessible to organizations of all sizes and industries.

An easy to understand and flexible cybersecurity framework

The core concepts within the NIST CSF are straightforward and cover most aspects of the cybersecurity life cycle. They are flexible enough for regulated industries, small businesses, government entities, and non-profit organizations alike to use in improving their cybersecurity posture and risk management. Because it is a generalized and well-accepted framework, other NIST publications and outside standards bodies continue to reference the CSF or map their own controls to it. It is important to note that the CSF is not a list of required controls or preferred procedures; it provides a well-structured overview of the core components of a cybersecurity program that any organization may need to address, and leaves the choice of controls to the organization.

The NIST CSF now provides suggested implementation examples for each subcategory, published as a companion to the Core rather than as part of the framework document itself. These are suggestions and do not represent hard implementation standards. For example, under the category Asset Management (ID.AM) there is a subcategory listed as “ID.AM-01 - Inventories of hardware managed by the organization are maintained.”2 Its implementation examples include maintaining inventories for all types of hardware, including IT, internet of things (IoT), operational technology (OT), and mobile devices. Nothing in that example implies that you must deploy a fully functional configuration management database (CMDB) solution. For a smaller organization, a simple spreadsheet or even a paper ledger may suffice, provided it is kept current and is actually checked against what is on the network; an inventory that is never reconciled with reality satisfies the letter of the subcategory but not its intent.
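The check that turns a spreadsheet into a working ID.AM-01 control is reconciliation: compare the inventory against devices actually seen on the network and flag both directions of mismatch. The script below is an added example written for this article, not NIST material and not part of the CSF; the CSV columns, asset tags, MAC addresses and DHCP-style lease lines are all constructed for illustration, and the lease-line format is assumed only so the parser has something to read.

```python
"""Reconcile a minimal hardware inventory (CSF 2.0 ID.AM-01) against observed devices.

Added example, not from NIST or the CSF. The inventory layout, asset tags,
MAC addresses and lease lines below are constructed for illustration.
"""
import csv
import io
import re

# Constructed inventory: the "simple spreadsheet" a small organization might keep.
# Columns: asset tag, MAC address, hardware type (IT/IoT/OT/mobile), owner.
INVENTORY_CSV = """\
asset_tag,mac,type,owner
HW-0001,aa:bb:cc:00:00:01,IT,helpdesk
HW-0002,aa:bb:cc:00:00:02,OT,plant-floor
HW-0003,AA-BB-CC-00-00-03,IoT,facilities
HW-0004,aa:bb:cc:00:00:04,mobile,sales
"""

# Constructed DHCP lease records (dhcpd-style layout assumed purely for parsing).
OBSERVED_LOG = """\
lease 10.0.1.10 { hardware ethernet aa:bb:cc:00:00:01; }
lease 10.0.1.11 { hardware ethernet aa:bb:cc:00:00:02; }
lease 10.0.1.12 { hardware ethernet aa:bb:cc:00:00:03; }
lease 10.0.1.13 { hardware ethernet de:ad:be:ef:00:99; }
"""

# Matches six hex octets separated by ':' or '-', in either letter case.
MAC_RE = re.compile(r"([0-9a-f]{2}[:-]){5}[0-9a-f]{2}", re.IGNORECASE)


def normalize_mac(mac):
    """Canonical form so 'AA-BB-CC-00-00-03' and 'aa:bb:cc:00:00:03' compare equal."""
    return mac.strip().lower().replace("-", ":")


def load_inventory(text):
    """Return {mac: asset_tag}. A duplicate MAC is an inventory defect, so fail loudly."""
    seen = {}
    for row in csv.DictReader(io.StringIO(text)):
        mac = normalize_mac(row["mac"])
        if mac in seen:
            raise ValueError(
                f"duplicate MAC {mac} in inventory ({seen[mac]}, {row['asset_tag']})"
            )
        seen[mac] = row["asset_tag"]
    return seen


def observed_macs(text):
    """Extract the set of MAC addresses that actually appeared in the observed records."""
    return {normalize_mac(m.group(0)) for m in MAC_RE.finditer(text)}


def reconcile(inventory, observed):
    """Two findings: devices on the network with no inventory entry (investigate),
    and inventoried devices not seen (possibly stale, retired, or powered off)."""
    unknown = sorted(observed - inventory.keys())
    unseen = sorted(tag for mac, tag in inventory.items() if mac not in observed)
    return {"unknown": unknown, "unseen": unseen}


def run():
    """Reconcile the constructed inventory against the constructed lease records."""
    return reconcile(load_inventory(INVENTORY_CSV), observed_macs(OBSERVED_LOG))


if __name__ == "__main__":
    result = run()
    print("Unknown devices (seen, not inventoried):", result["unknown"])
    print("Inventoried but not seen:", result["unseen"])
```

Run it and the rogue device `de:ad:be:ef:00:99` is reported as unknown while the mobile device HW-0004 is reported as unseen. The same reconcile step works whatever the inventory's backing store is, which is the point of the subcategory: the control is the maintained and checked inventory, not the tool that holds it.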

The applicability of categories and subcategories to your organization is dependent upon factors such as:

  • Regulatory and legal requirements
  • The size and complexity of your IT systems
  • Customer and stakeholder requirements and expectations
  • Risk appetite of your leadership

Regardless of each category’s application to your organization, the NIST CSF can be used as a guide to help strengthen your cybersecurity posture.

A cybersecurity framework designed to meet your needs

The NIST CSF gives you a practical way to understand your current cybersecurity posture, identify critical risks, and direct improvements. With the updated emphasis on governance and supply chain cyber risk, along with the enhanced tool suite now available, the NIST CSF is more readily usable by everyone who is responsible for managing cybersecurity risk. Now is the time to learn how to leverage the NIST CSF to protect your organization’s digital assets.

At CAI, we take a proactive approach to preventing cybersecurity threats before they happen. We have experience helping our clients address cybersecurity risks, develop improvement plans, and implement tailored solutions for their technical, operational, and governance needs. If you’re interested in improving your cybersecurity posture and safeguarding your organization against the evolving threat landscape, contact us.


Endnotes

  1. “NIST Releases Version 1.1 of Its Popular Cybersecurity Framework.” NIST, June 13, 2022. https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework.
  2. “Cybersecurity Framework.” NIST, March 8, 2024. https://www.nist.gov/cyberframework.
