Cybersecurity is not (and never has been) just an IT problem; it is a business (and people) problem. Cybersecurity risks are evolving faster than ever, and organisations of all sizes need a flexible yet structured way to manage them.
The NIST Cybersecurity Framework (CSF) 2.0, released in February 2024, represents a significant evolution in cybersecurity risk management guidance. This comprehensive framework provides organisations of all sizes and sectors with a structured approach to Understanding, Assessing, Prioritising, and Communicating cybersecurity risks.
Key updates in CSF 2.0 include:
Addition of the GOVERN function to emphasize governance and risk management strategy
Enhanced focus on cybersecurity Supply Chain Risk Management (C-SCRM)
Expanded online resources including Informative References, Quick Start Guides (QSGs), Implementation Examples, and Community Profiles.
Broader applicability beyond critical infrastructure to all organisations
Technology-neutral (outcome focused) approach covering IT, IoT, OT, cloud, mobile, and AI systems
Unlike many security standards, the CSF does not authoritatively state specific controls. Instead, it defines outcomes organisations should aim to achieve, allowing flexibility across industries, technologies, and maturity levels. This blog post provides a comprehensive overview of CSF 2.0, its components, implementation strategies, and practical guidance for organisations seeking to enhance their cybersecurity posture.
The NIST CSF is a voluntary, flexible framework made of standards, guidelines, & best practices to manage cybersecurity risks.
It describes a hierarchical classification of high-level cybersecurity outcomes organised and communicated in a way that resonates with both technical and non-technical stakeholders. Unlike many security standards, the CSF describes what outcomes organisations should achieve, not how to achieve them.
Voluntary and Flexible: Organisations can tailor the framework to their unique needs, risks, resources, and regulations.
Technology-Neutral: Applies to all types of technology including IT, IoT, OT, cloud, mobile, and emerging technologies like AI.
Sector-Agnostic: Designed for use by organisations across all sectors (industry, government, academia, and nonprofit).
Scalable: Applicable to organisations of all sizes, from small businesses to large enterprises.
Outcome-Focused: Emphasizes desired cybersecurity outcomes rather than specific technical controls.
The CSF helps organisations:
Understand: Describe their current and target cybersecurity postures.
Assess: Determine gaps between their current and desired states and evaluate their progress towards closing those gaps.
Prioritise: Organise and prioritise actions for managing cybersecurity risks in alignment with the organisation's mission, legal, and regulatory requirements.
Communicate: Provide a common language to discuss cybersecurity risks, capabilities, and expectations to technical and non-technical stakeholders.
It also provides a common language between Executives, Managers, and Practitioners, which is often one of the hardest problems in cybersecurity.
The framework consists of three main parts - CSF Core, Organisational Profiles, and Tiers, that work together to help organisations manage cybersecurity risks.
The nucleus of the framework: a high-level classification of cybersecurity outcomes organised hierarchically into Functions, Categories, and Subcategories. These outcomes describe what should be achieved, not how.
The 6 Functions
It comprises six Functions that represent the highest level of organisation and provide a strategic view of cybersecurity risk management. The specific actions needed to achieve an outcome will vary by organisation, use case, and the individual responsible for those actions.
CSF Core
CSF Core Functions
GOVERN (GV):
Establish and monitor the organisation's cybersecurity risk management strategy, expectations, and policy.
This new function emphasizes the critical role of governance in cybersecurity and provides outcomes that inform how organisations prioritize and achieve the other five functions.
IDENTIFY (ID):
Understand the organisation's current cybersecurity risks by identifying assets, suppliers, and related risks.
This enables organisations to prioritize efforts consistent with their risk management strategy.
PROTECT (PR):
Use safeguards to manage cybersecurity risks and ensure uninterrupted service delivery.
This includes identity management, access control, awareness and training, data security, and technology infrastructure resilience.
DETECT (DE): Find and analyse possible cybersecurity attacks and compromises through continuous monitoring and adverse event analysis.
RESPOND (RS): Take actions regarding detected cybersecurity incidents, including incident management, analysis, mitigation, reporting, and communication.
RECOVER (RC): Restore assets and operations affected by cybersecurity incidents to support timely restoration of normal operations.
Categories and Subcategories
Each Function is divided into Categories (groups of related cybersecurity outcomes), which are further divided into Subcategories, which provide more specific actionable outcomes. Below is a summary of Categories per Function (https://csf.tools/framework/csf-v2-0/).
GOVERN (GV)
Organisational Context (GV.OC) - Define the organisation's mission, stakeholder expectations, and legal, regulatory, and contractual requirements.
Risk Management Strategy (GV.RM) - Establish and communicate the organisation’s risk tolerance, appetite, and priorities.
Roles, Responsibilities, & Authorities (GV.RR) - Defining, documenting, and communicating cybersecurity roles and accountabilities across the organisation.
Policy (GV.PO) - Establish and enforce organisational cybersecurity policies.
Oversight (GV.OV) - Monitor and assess the results of the cybersecurity risk management activities to improve the overall strategy.
Cybersecurity Supply Chain Risk Management (GV.SC) - Integrate supply chain risk management into the organisation's overall risk management strategy, including identifying, assessing, and managing vendor risks.
IDENTIFY (ID)
Asset Management (ID.AM) - Identification and management of data, personnel, devices, systems, and facilities to establish a foundational inventory.
Business Environment (ID.BE) - Understand the organisation’s mission, objectives, stakeholders, and its role in the supply chain or critical infrastructure.
Improvements (ID.IM) - Identifying improvements from assessments to operational processes, procedures, incident response, and cybersecurity activities.
PROTECT (PR)
Identity Management, Authentication, and Access Control (PR.AA/PR.AC) - Ensuring that access to physical and logical assets is limited to authorised users, processes, and devices; enforce policies for authentication, authorisation, and user-privilege management.
Awareness and Training (PR.AT) - Educating staff to create a security-aware culture, ensuring they understand their roles in managing cybersecurity risk (role-based training and security awareness programs)
Data Security (PR.DS) - Safeguarding sensitive information's confidentiality, integrity, and availability, both at rest and in transit (encryption, DLP, backups)
Platform Security (PR.PS/PR.PT) - Securing hardware, software, and services (physical & virtual) using protective technology to ensure security & resilience of systems.
Technology Infrastructure Resilience (PR.IR) - Manage security architectures to ensure they are aligned with risk strategies (redundancy, failsafe mechanisms, and load balancing)
DETECT (DE)
Adverse Event Analysis (DE.AE) - Ensures that anomalous activity is detected and the potential impact of events is understood.
Security Continuous Monitoring (DE.CM) - Focuses on ongoing asset monitoring to identify events and verify that protective measures are working.
RESPOND (RS)
Incident Management (RS.IM) - Establish and implement structured procedures for handling incidents, including categorising and prioritising them to ensure effective response.
Incident Response Reporting and Communication (RS.CO) - Ensure accurate and timely incident information is communicated to internal and external stakeholders, following established, authorised plans.
Analysis (RS.AN) - Investigate notifications from detection systems, understanding the impact of incidents, performing forensics, and analysing vulnerabilities to support response and recovery.
Mitigation (RS.MI) - Contain incidents and mitigate their effects to prevent further damage and, where necessary, updating incident response strategies based on lessons learned to prevent recurrence.
RECOVER (RC)
Incident Recovery Plan Execution (RC.RP) - Maintaining and executing processes and procedures to restore systems or assets after cybersecurity incidents.
Incident Recovery Communications (RC.CO) - Coordinating recovery activities with both internal and external stakeholders (including managing reputation and public updates).
Each category contains multiple subcategories that detail specific outcomes. For instance, under Risk Management Strategy (GV.RM), subcategories include establishing risk management objectives, defining risk appetite and tolerance, and integrating cybersecurity into enterprise risk management.
These profiles are used to understand, tailor, assess, prioritise, and communicate the CSF Core's outcomes with respect to the organisation's mission objectives, stakeholder expectations, threat landscape, and requirements. Two profiles are generated (Current and Target) to describe the organisation's current and target cybersecurity posture in terms of the CSF's outcomes.
Current Profile
This is the CSF Core outcomes the organisation is currently achieving (or attempting to achieve) and the extent to which each outcome is being achieved. This provides a baseline for understanding the organisation's current cybersecurity posture.
💡Current Profiles can be used to communicate the organisation’s current cybersecurity capabilities & known opportunities for improvement, e.g., to external stakeholders such as business partners or prospective customers.
Target Profile
Specifies the desired cybersecurity outcomes the organisation has selected (and prioritised) for achieving cybersecurity risk management objectives. The Target profiles should include anticipated changes - new cybersecurity requirements, technology adoption, and threat intelligence trends.
💡Target Profiles can be used to describe the organisation’s cybersecurity risk management requirements and expectations to suppliers, partners, and other 3rd parties for them to meet.
✏️ Community Profiles For efficiency and effectiveness, consider using a Community Profile (https://www.nist.gov/cyberframework/profiles) as the foundation of the Target Profile. These provide a baseline of CSF outcomes created and published to address shared interests and goals for particular sectors, subsectors, technologies, or threat types.
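The Assess step described above (finding the gaps between the Current and Target Profiles and tracking progress toward closing them) is usually done in a spreadsheet, but it is simple enough to express in code. The following is an added example, not code from NIST or from this post's author. It keys profiles on the CSF 2.0 Category IDs named in the post (real profiles are normally scored per Subcategory; the same logic applies one level down). The 0 to 4 achievement scale, the priority values and the sample profile scores are constructed for illustration and are not part of the CSF.

```python
"""Current-vs-Target Profile gap analysis over CSF 2.0 Categories.

Added example, not NIST's or the post author's code. Category IDs are the
CSF 2.0 Category IDs named in the post; the 0-4 scale, priorities and the
sample scores below are constructed assumptions.
"""
from dataclasses import dataclass

# Functions -> Categories, abridged to the Categories discussed in the post.
CSF_CORE = {
    "GV": ["GV.OC", "GV.RM", "GV.RR", "GV.PO", "GV.OV", "GV.SC"],
    "ID": ["ID.AM", "ID.BE", "ID.IM"],
    "PR": ["PR.AA", "PR.AT", "PR.DS", "PR.PS", "PR.IR"],
    "DE": ["DE.AE", "DE.CM"],
    "RS": ["RS.IM", "RS.CO", "RS.AN", "RS.MI"],
    "RC": ["RC.RP", "RC.CO"],
}
CATEGORY_TO_FUNCTION = {cat: fn for fn, cats in CSF_CORE.items() for cat in cats}

# Assumed scale: 0 = not achieved / not assessed, 4 = fully achieved.
MIN_SCORE, MAX_SCORE = 0, 4


@dataclass(frozen=True)
class Gap:
    category: str
    function: str
    current: int
    target: int
    priority: int  # 1 = highest; set by the organisation in its Target Profile

    @property
    def shortfall(self) -> int:
        return self.target - self.current


def validate_profile(profile: dict) -> None:
    """Reject unknown Category IDs or scores outside the agreed scale."""
    for cat, score in profile.items():
        if cat not in CATEGORY_TO_FUNCTION:
            raise ValueError(f"unknown CSF category: {cat}")
        if not MIN_SCORE <= score <= MAX_SCORE:
            raise ValueError(f"score {score} for {cat} outside {MIN_SCORE}..{MAX_SCORE}")


def gap_analysis(current: dict, target: dict, priority: dict) -> list:
    """One Gap per Category where the Target Profile exceeds the Current Profile.

    A Category absent from the Current Profile counts as score 0 (not achieved).
    Result is ordered by priority, then largest shortfall, then Category ID.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for cat, tgt in target.items():
        cur = current.get(cat, MIN_SCORE)
        if tgt > cur:
            gaps.append(Gap(cat, CATEGORY_TO_FUNCTION[cat], cur, tgt, priority.get(cat, 3)))
    return sorted(gaps, key=lambda g: (g.priority, -g.shortfall, g.category))


def shortfall_by_function(gaps: list) -> dict:
    """Sum the remaining shortfall per Function, for executive-level reporting."""
    totals = {fn: 0 for fn in CSF_CORE}
    for g in gaps:
        totals[g.function] += g.shortfall
    return totals


def progress(previous: dict, current: dict, target: dict) -> float:
    """Fraction (0.0 to 1.0) of the earlier total shortfall closed since the last assessment."""
    before = sum(g.shortfall for g in gap_analysis(previous, target, {}))
    now = sum(g.shortfall for g in gap_analysis(current, target, {}))
    return 1.0 if before == 0 else (before - now) / before


# Constructed sample profiles for a small organisation (not real data).
CURRENT_PROFILE = {"GV.OC": 2, "GV.RM": 1, "GV.SC": 0, "ID.AM": 2, "PR.AA": 3,
                   "PR.DS": 2, "DE.CM": 1, "RS.IM": 1, "RC.RP": 1}
TARGET_PROFILE = {"GV.OC": 3, "GV.RM": 3, "GV.SC": 2, "ID.AM": 3, "PR.AA": 3,
                  "PR.DS": 3, "DE.CM": 3, "RS.IM": 3, "RC.RP": 2, "PR.AT": 2}
PRIORITY = {"GV.RM": 1, "GV.SC": 1, "DE.CM": 1, "RS.IM": 2}

if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY)
    for g in gaps:
        print(f"P{g.priority} {g.category:6} ({g.function})  {g.current} -> {g.target}  +{g.shortfall}")
    print("remaining shortfall by Function:", shortfall_by_function(gaps))
```

Two design points worth noting: a Category that the Target Profile names but the Current Profile omits is treated as a gap rather than silently ignored, which is exactly the "not yet assessed" outcome a reviewer wants surfaced; and the Function-level totals give the Managers-to-Executives summary the post describes without exposing the Category detail.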
Tiers describe the progression from informal, ad-hoc responses to approaches that are agile, risk-informed, and continuously improving cybersecurity risk management.
Tiers characterise the thoroughness of the organisation’s cybersecurity risk governance and management practices. They provide context for how an organisation views cybersecurity risks and the processes in place to manage those risks.
Tier 1 - Partial: Ad hoc, reactive risk management with limited awareness at the organisational level
Tier 2 - Risk Informed: Risk management practices approved by management, with growing awareness but inconsistent implementation
Tier 3 - Repeatable: Formally approved and expressed policies with consistent, organisation-wide implementation
Tier 4 - Adaptive: Cybersecurity risk management integrated into organisational culture with continuous improvement and adaptation
Organisations should select Tiers based on their risk environment, legal/regulatory requirements, and cost-benefit analysis. Progression to higher Tiers is encouraged when risks or mandates are greater or when analysis indicates feasible risk reduction.
CSF Tiers
One of the CSF's most valuable contributions is providing a common language for cybersecurity risk communication across different organisational levels and with external stakeholders.
The CSF facilitates bidirectional information flow:
Executives → Managers: Communicate mission priorities, risk appetite, budget, and strategic direction.
Managers → Practitioners: Translate business needs into Framework Profiles and actionable security requirements.
Practitioners → Managers: Report implementation progress, identified issues, and emerging risks.
Managers → Executives: Provide updates on current and future risk posture, resource needs, and program effectiveness.
Organisations can use the CSF to communicate with external stakeholders:
Suppliers and Partners: Express cybersecurity expectations through Target Profiles.
Customers: Demonstrate cybersecurity capabilities through Current Profiles.
Regulators: Show compliance alignment with regulatory requirements.
Boards and Investors: Report on cybersecurity risk posture and governance.
The CSF Improves Risk Management Communication
Organisations typically face multiple types of IT risk (e.g., privacy, supply chain, Artificial Intelligence), and cybersecurity should be managed alongside other enterprise risks. The CSF is designed to complement and integrate with existing risk management programs, not replace them.
Large organisations may split risk management efforts (IT, privacy, supply chain, financial, reputational, technological, and physical) to ensure adequate attention is given to each, but integrate them into their ERM. Small organisations will instead monitor risk at the enterprise level and will not use an ERM. Regardless, the CSF helps translate cybersecurity terminology into general risk management language that executives understand.
NIST provides several resources for integrating cybersecurity with ERM, including:
NIST IR 8286 Rev.1 on Integrating Cybersecurity and ERM - https://csrc.nist.gov/pubs/ir/8286/r1/final
SP 800-221 on Enterprise Impact of ICT Risk - https://doi.org/10.6028/NIST.SP.800-221
CSF 2.0 Enterprise Risk Management Quick-Start Guide - https://doi.org/10.6028/NIST.SP.1303.ipd
For organisations already using the NIST RMF suite (https://csrc.nist.gov/Projects/risk-management/publications), the CSF can complement the RMF's approach to selecting and prioritising controls from the Security and Privacy Controls for Information Systems and Organisations, SP 800-53 Rev 5 (https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final). The CSF provides high-level outcomes that inform control selection, while the RMF provides detailed implementation guidance.
Cybersecurity and privacy are independent but overlapping disciplines. While cybersecurity risk management is essential for protecting the confidentiality, integrity, and availability of data, privacy risks can arise through means unrelated to cybersecurity incidents. The NIST Privacy Framework can be used alongside the CSF to address both aspects comprehensively.
As new technologies emerge, organisations face new risks. For artificial intelligence systems, the NIST AI Risk Management Framework (AI RMF) (https://www.nist.gov/itl/ai-risk-management-framework) addresses AI-specific risks while maintaining compatibility with the CSF structure. The AI RMF uses a similar Functions-Categories-Subcategories structure to describe AI outcomes and risk management. The NIST AI RMF Playbook (https://airc.nist.gov/airmf-resources/playbook/) has been published to assist organisations in achieving the outcomes laid out in the AI RMF.
As mentioned, the NIST Cybersecurity Framework 2.0 represents a significant evolution in cybersecurity risk management guidance. By emphasizing governance through the new GOVERN function, expanding supply chain risk management coverage, and providing comprehensive online resources, CSF 2.0 equips organizations of all sizes and sectors with practical tools for managing cybersecurity risks.
Key takeaways for organisations implementing or updating their use of the CSF:
Start with governance: Use the GOVERN function to establish the foundation for cybersecurity risk management
Be outcome-focused: Concentrate on achieving desired cybersecurity outcomes rather than checking boxes
Tailor to your needs: Adapt the framework to your organisation's size, sector, maturity, and risk environment
Integrate with existing programs: Use the CSF to complement and enhance your current risk management approaches
Leverage available resources: Make use of Implementation Examples, Informative References, Quick Start Guides, and Community Profiles
Communicate effectively: Use the CSF's common language to improve cybersecurity discussions across all organizational levels
Embrace continuous improvement: Treat cybersecurity risk management as an ongoing process, not a one-time project
The CSF provides a flexible, practical approach to cybersecurity that can grow and evolve with your organization. Whether you are just beginning your cybersecurity journey or looking to enhance mature programs, the framework offers valuable guidance for understanding, managing, and communicating about cybersecurity risks.
CSF Core, Function, Tiers, & Risk Management Diagram: https://csf.tools/reference/nist-cybersecurity-framework/v2-0/
NIST CSF 2.0 (NIST CSWP 29): https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
NIST Cybersecurity Framework homepage: https://www.nist.gov/cyberframework
CSF Visualisation Tools: https://csf.tools/visualizations/