Understanding the Impact of NIST CSF 2.0: Key Updates and Their Significance

ARTICLE | August 28, 2024

Authored by RSM US LLP

The National Institute of Standards and Technology (NIST) recently released version 2.0 of their Cybersecurity Framework (CSF) with the aim of helping organizations proactively address their risks and protect the assets, processes and data that enable their business.

Like its predecessor, v2.0 provides the building blocks for organizations to establish and maintain a robust cybersecurity strategy. Additionally, as with v1.1, v2.0 is well-suited for middle market organizations in any industry, since it can be adapted to an organization’s business objectives, challenges, resources, regulatory landscape and risk tolerance.

While several elements of v2.0 will be familiar to those who have already aligned to v1.1, some prominent changes are worth noting. These changes are designed to address the evolution of threat environments, attacker techniques and compliance regulations. Moreover, these changes continue to emphasize the importance of a holistic, proactive approach to cybersecurity—where cybersecurity is not just an afterthought or a subfunction of IT, but rather integrated into enterprise risk management and business as usual.

Version 2.0 aims to empower organizations to enhance their cybersecurity maturity in a way that enables their business and mitigates risk across the board.

In this article, we dig a little deeper into significant changes between v1.1 and v2.0—the most notable of which are related to cybersecurity governance, supply chain risk management and process improvements. Understanding and implementing these changes will help you improve your risk posture and make more informed business decisions.

Big change No. 1: Governance

One of the most obvious changes from v1.1 to v2.0 is the addition of the “Govern” function.

Version 1.1 was comprised of 108 controls (or subfunctions), which were sorted into 23 domains (or categories). These categories were organized into five functions, which represented core outcomes of a cybersecurity program: Identify, Protect, Detect, Respond and Recover.

Version 2.0 shuffled various subfunctions and added a new function: Govern. This new function is designed to help organizations establish and monitor their cybersecurity risk management strategy, expectations and policy. As such, Govern contains concepts including but not limited to:

  • Defined roles and responsibilities
  • Formal oversight and program reporting structures
  • Documented policies and procedures
  • Integrated risk management

Govern encourages organizations to elevate transparency, increase accountability, and regularly review and update the cybersecurity practice.

The concepts in Govern are not entirely new to the CSF. For example, in v1.1, cybersecurity roles and responsibilities were baked into various categories. In v2.0, roles and responsibilities are consolidated into a single category within Govern. This restructuring shows how formal roles and responsibilities are a critical success factor worthy of focused attention and effort.

By concentrating and expanding governance controls into their own function, v2.0 emphasizes the foundational role that governance plays. The introduction of the Govern function helps organizations set up the kind of structure that is not only echoed throughout the rest of the CSF but also facilitates compliance with the rest of the framework.

Big change No. 2: Supply chain risk management

Supply chain risk management was a key part of v1.1, but it has a new home in the Govern function of v2.0. This reshuffling highlights the integral role that third parties play in supporting key business functions, given the interconnectedness of the global supply chain and the prevalence of outsourced processes and technologies. This interconnectedness brings both immense benefit and increased risk, necessitating the presence of strong governance structures.

Notably, middle market organizations are increasingly leveraging cloud service providers to provide infrastructure, software, computing, storage and other services. For many organizations, this approach drives efficiency, supports resiliency and lowers costs. Yet outsourcing these functions to service providers does not eliminate risk or absolve an organization of its responsibilities. Organizations still need to proactively identify and govern these third parties throughout the relationship, and following the guidance laid out in NIST CSF v2.0 will help.

The supply chain risk management category in NIST CSF v2.0 aims to help organizations manage cybersecurity risk across a complex network of third-party entities (acquirers, suppliers, developers, cloud providers, etc.). To do so, third-party management cannot be just an IT or legal task, but instead needs a comprehensive strategy that spans across the enterprise risk management landscape.

This category provides guidelines to help organizations:

  • Gain visibility into your entire third-party ecosystem
  • Understand how service providers support key business systems and processes
  • Respond to third-party data breaches
  • Manage instability in the supply chain
  • Map how data is shared with third parties
  • Support resiliency efforts through effective use of third parties
  • Define third-party responsibilities during an outage or incident

Positioning the supply chain risk management category in the Govern function underscores how third-party risk management is not merely a matter of implementing a handful of controls. Instead, it requires a cohesive process and strategy that will ultimately help organizations meet the objectives laid out in the rest of the NIST CSF.

Big change No. 3: Improvement

The third major update is the increased emphasis on continuous improvement. In v1.1, both Respond and Recover had “improvement” categories, but in v2.0, the “improvement” category was added to the Identify function. The move highlights how continuous improvement should be an element of the entire cybersecurity program, not just incident response and recovery procedures. Rather than waiting for cybersecurity gaps to be exposed by threat actors, the “improvement” category urges organizations to be intentional about reviewing and enhancing their processes.

In a time when technology, market demands and attacker techniques are rapidly changing, cybersecurity programs need to address threats without causing excessive friction for the business. This requires programs to be both adaptive and agile, while also being measurable and repeatable. To accomplish this, organizations need to have a robust means of assessing the effectiveness of their cybersecurity programs, which could include:

  • Metrics and benchmarking
  • Key performance indicators
  • An internal audit function
  • Risk assessments and security tests at defined cadences
  • A culture of improvement reinforced through regular training
  • A reporting structure where cybersecurity threats, strategies, goals, metrics and performance can be reported to key stakeholders

Furthermore, integrating the Deming cycle (plan, do, check, act) into each cybersecurity process is a simple but effective way to pursue consistent progress and risk mitigation. This involves planning (establishing goals and processes to achieve results), doing (implementing procedures and controls), checking (analyzing and testing whether you’ve met your objectives) and acting (adjusting processes based on identified improvements). By doing so, organizations can be proactive in identifying areas of improvement and assessing whether the trajectory of cybersecurity efforts will position the organization to meet upcoming challenges.

How to accommodate these changes

As we’ve discussed, v2.0 of the NIST CSF will move organizations to identify and manage the risks in their environment more proactively. This version of the framework encourages an even more integrated and intentional approach, with the goal of establishing foundational cybersecurity strategies and governance models that will put your organization in a good position to manage risks, despite how threat landscapes and business needs may change.

If you have already aligned your cybersecurity program with NIST CSF v1.1, then you already have the building blocks for alignment with NIST CSF v2.0. You may need to take a deep dive into the specific areas where these changes are concentrated, but you will already have a good starting point.

If you have not aligned with the NIST CSF, or even if you are in the beginning stages of building out your cybersecurity program, there is no better time to start. The NIST CSF is designed to be adaptable to any organization of any size in any industry—from organizations with a small footprint and a small team to organizations with a global footprint and a very mature cybersecurity program.

NIST provides a plethora of CSF support, from quick start guides to in-depth implementation guidance around specific topics (such as supply chain risk management, enterprise risk management, vulnerability management, etc.).

Furthermore, no matter the maturity of your cybersecurity program or the status of NIST CSF implementation, a NIST CSF gap assessment or maturity assessment will be beneficial. This assessment identifies and prioritizes cybersecurity improvements in your environment.

Source: RSM US LLP.
Reprinted with permission from RSM US LLP.
© 2024 RSM US LLP. All rights reserved. https://rsmus.com/insights/services/risk-fraud-cybersecurity/understanding-impact-nist-csf-2-0-key-updates-significance.html

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent assurance, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/about for more information regarding RSM US LLP and RSM International.