New NIST Cybersecurity Framework 2.0 – Draft Publication – What are possible changes?
On 8 August 2023, NIST released the draft of version 2.0 of its flagship framework. Since its first release in 2014 the framework has been widely used to manage cybersecurity risk, and it remains an effective, practical reference for doing so.

Brief Explanation of NIST Cyber Security Framework
The NIST Cybersecurity Framework is a set of guidelines designed to help organizations manage and reduce cybersecurity risk. Developed by the National Institute of Standards and Technology (NIST) in the United States, the framework is voluntary but widely used across different industries.
The framework consists of three parts: the Core, the Implementation Tiers, and Profiles. The Core lists activities and outcomes describing what an organization's cybersecurity program should achieve. It is divided into five functions, which are further divided into categories and subcategories:
- Identify: Understand the organizational systems, assets, data, and capabilities that need protection.
- Protect: Implement safeguards to ensure the delivery of critical infrastructure services.
- Detect: Implement activities to identify the occurrence of a cybersecurity event.
- Respond: Implement activities to take action once a cybersecurity event is detected.
- Recover: Implement activities to restore capabilities or services impaired due to a cybersecurity event.

The framework is meant to be customizable and can be adapted to suit the unique risks, needs, and goals of any organization, regardless of its size or industry. It is not a one-size-fits-all solution but rather a flexible guide that can be used in conjunction with other risk management processes and cybersecurity standards.
What does the current version look like?
The current version, v1.1 (April 2018), has the 5 functions described above, 23 categories, and 108 subcategories (the outcome statements that many practitioners treat as controls).

What are the changes?

The overall scope is expanded
The scope of the framework has been broadened from US critical infrastructure to all organizations, regardless of sector, size or country.
- The title has changed. Although it has always been referred to as the NIST CSF, the formal name of v1.1 is “Framework for Improving Critical Infrastructure Cybersecurity”. The draft is simply titled the NIST “Cybersecurity Framework”.
- The Core no longer centres on critical infrastructure; its outcomes are written so that any organization can apply them.
- The original framework was aimed at organizations in the United States. The draft explicitly targets international use as well.
- New references have been added, such as the NIST Privacy Framework and the NICE Workforce Framework for Cybersecurity (SP 800-181).
NIST now provides more guidance on implementing the outcomes than it did in v1.1.
- Implementation Examples have been added alongside the Core. They give notional, action-oriented examples of how a subcategory can be achieved; they are illustrative, not a mandatory checklist.
A new function — Govern

To the original five functions, NIST has added a sixth, Govern. It covers organizational context; risk management strategy; cybersecurity supply chain risk management; roles, responsibilities and authorities; policies, processes and procedures; and oversight.
The Govern function is defined in the draft as follows:
Establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy. The GOVERN Function is cross-cutting and provides outcomes to inform how an organization will achieve and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder expectations. Governance activities are critical for incorporating cybersecurity into an organization’s broader enterprise risk management strategy. GOVERN directs an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policies, processes, and procedures; and the oversight of cybersecurity strategy.
Supply Chain Risk Management is on the Rise
Another big change, which I personally liked, is the stronger emphasis on supply chain risk. In v1.1 supply chain risk management was a category under Identify (ID.SC); in the draft it becomes a category under Govern (GV.SC), tying it directly to the organization's risk management strategy and oversight.
More Detailed Look
Let's look into the framework itself and compare it with the previous version. In addition, I would like to walk you through all the changes that have occurred per category.
The previous version (v1.1) of the NIST CSF contains 5 functions, 23 categories and 108 subcategories.

The new draft version has 6 functions, 22 categories and 107 subcategories.

The main difference is the new Govern function. Govern covers risk management strategy, the set-up and oversight of the risk management programme, and cybersecurity supply chain risk management. Within Identify, Asset Management (ID.AM) and Risk Assessment (ID.RA) remain where they were, while the governance-related categories of v1.1 (Business Environment, Governance, Risk Management Strategy and Supply Chain Risk Management) have moved under Govern.
Another interesting addition is the Platform Security (PR.PS) category under Protect. It covers hardware and software configuration management, maintenance of software and hardware, log generation, control over the installation and execution of unauthorized software, and secure software development practices.
In this article we took a look at the draft NIST CSF 2.0. The framework has not been finalized yet; NIST is still collecting feedback on the draft (public comments close on 4 November 2023), and the final version is expected in early 2024. As always, it is better to familiarize yourself with it early rather than trying to catch up afterward.
From my perspective, NIST is trying to expand the technical focus of the CSF and strengthen its focus on information risk management at the same time.
We will see together in 2024 when the final document is published.
