
NIST CSF 2.0

National Institute of Standards and Technology Cybersecurity Framework Version 2.0


Voluntary framework providing guidance for organizations to manage and reduce cybersecurity risk through a common language and systematic approach.

Executive Summary

NIST CSF 2.0 provides a flexible, risk-based approach to cybersecurity through six core functions (Govern, Identify, Protect, Detect, Respond, Recover). Released February 2024, it expands scope beyond critical infrastructure to all organizations and adds governance as the foundational sixth function.

Comprehensive Documentation

NIST Cybersecurity Framework 2.0

Overview


The NIST Cybersecurity Framework (CSF) provides guidance for organizations to better manage and reduce cybersecurity risk. CSF 2.0, released February 26, 2024, represents a significant update that expands the framework's scope and adds governance as a core function.

Publication: NIST CSWP 29 (Cybersecurity White Paper)
Release Date: February 26, 2024
Developed By: National Institute of Standards and Technology (NIST)

Key Changes from CSF 1.1 to 2.0

Six Functions (Previously Five)


  • NEW: GOVERN (GV) - Establishes and monitors cybersecurity strategy and expectations

  • IDENTIFY (ID) - Understand assets, risks, and vulnerabilities

  • PROTECT (PR) - Implement safeguards

  • DETECT (DE) - Identify cybersecurity events

  • RESPOND (RS) - Take action on detected events

  • RECOVER (RC) - Restore capabilities after incidents


Expanded Scope


  • CSF 1.1: Focused on critical infrastructure

  • CSF 2.0: Applicable to ALL organizations regardless of size, sector, or maturity


New Components


  • Community Profiles: Sector-specific guidance

  • Organizational Profiles: Current and target state snapshots

  • Enhanced supply chain guidance

  • Stronger alignment with privacy and AI risk frameworks


Who Should Implement

Universal Applicability


NIST CSF 2.0 is designed for ALL organizations:
  • Small businesses to large enterprises

  • Nonprofit organizations

  • Educational institutions

  • Government agencies (federal, state, local)

  • Critical infrastructure sectors (16 sectors)

  • Healthcare organizations

  • Research institutions

  • Technology companies


Federal Requirements


  • Mandatory for federal agencies (Executive Order 13800, 2017)

  • Voluntary for private sector organizations

  • Supply chain requirements may mandate CSF adoption for federal contractors


Massachusetts Context


While voluntary, CSF 2.0 helps Massachusetts organizations:
  • Meet 201 CMR 17.00 security requirements

  • Demonstrate comprehensive security program

  • Align with industry best practices

  • Support regulatory compliance efforts


The Six Functions

GOVERN (GV) - NEW in CSF 2.0


Purpose: Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy

6 Categories:

  1. GV.OC: Organizational Context - Mission, stakeholders, activities, and assets are understood

  2. GV.RM: Risk Management Strategy - Priorities, constraints, and risk tolerance are established

  3. GV.RR: Roles, Responsibilities, and Authorities - Cybersecurity roles and responsibilities are defined

  4. GV.PO: Policy - Policies are aligned with the mission and risk strategy

  5. GV.OV: Oversight - Results of risk management activities are monitored

  6. GV.SC: Cybersecurity Supply Chain Risk Management - Supply chain risk is identified, prioritized, and managed

Why GOVERN is Critical: It establishes the foundation for all other functions by ensuring leadership commitment, resource allocation, and strategic alignment.

IDENTIFY (ID)


Purpose: Understand cybersecurity risks to systems, people, assets, data, and capabilities

Categories:

  • Asset Management

  • Business Environment

  • Governance (moved to GOVERN in 2.0)

  • Risk Assessment

  • Risk Management Strategy (moved to GOVERN in 2.0)

  • Supply Chain Risk Management (moved to GOVERN in 2.0)

  • Improvement


PROTECT (PR)


Purpose: Implement appropriate safeguards to ensure delivery of critical services

Categories:

  • Identity Management, Authentication, and Access Control

  • Awareness and Training

  • Data Security

  • Information Protection Processes and Procedures

  • Maintenance

  • Protective Technology

  • Platform Security

  • Technology Infrastructure Resilience


DETECT (DE)


Purpose: Identify the occurrence of cybersecurity events in a timely manner

Categories:

  • Anomalies and Events

  • Security Continuous Monitoring

  • Detection Processes

  • Threat Intelligence

  • Personnel Activity


RESPOND (RS)


Purpose: Take action regarding detected cybersecurity incidents

Categories:

  • Response Planning

  • Response Communications

  • Response Analysis

  • Response Mitigation

  • Incident Management


RECOVER (RC)


Purpose: Restore capabilities or services impaired due to cybersecurity incidents

Categories:

  • Recovery Planning

  • Recovery Improvements

  • Recovery Communications


Framework Core Components

Functions > Categories > Subcategories

Structure:

  • 6 Functions: High-level organization (GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER)

  • 23 Categories: Specific cybersecurity outcomes

  • 106 Subcategories: Detailed outcomes and activities


Example:

Function: PROTECT (PR)
Category: PR.AC - Identity Management, Authentication, and Access Control
Subcategory: PR.AC-1 - Identities and credentials are issued, managed, verified, revoked, and audited

Implementation Tiers

Four tiers describe the degree of rigor and sophistication of an organization's cybersecurity risk management practices:

Tier 1: Partial

  • Ad hoc risk management

  • Limited awareness

  • Reactive responses

  • Irregular information sharing


Tier 2: Risk Informed

  • Risk management practices approved by management but not established as organization-wide policy

  • Awareness but inconsistent implementation

  • Some response capabilities

  • Informal information sharing


Tier 3: Repeatable
  • Formal risk management policies

  • Consistent implementation

  • Regularly updated procedures

  • Formal information sharing


Tier 4: Adaptive
  • Adaptive risk management

  • Continuous improvement culture

  • Proactive response capabilities

  • Real-time information sharing


Organizational Profiles

Current Profile: Snapshot of current cybersecurity outcomes
Target Profile: Desired future state aligned with business needs

Profile Development Process:

  1. Identify business objectives and priorities

  2. Assess current state against Framework Core

  3. Determine target state based on risk tolerance

  4. Identify and prioritize gaps

  5. Implement action plan to achieve target

  6. Monitor and refine continuously


Community Profiles (NEW in CSF 2.0)

Sector-specific or use-case-specific guidance:

  • Critical infrastructure sectors

  • Small and medium businesses

  • Enterprise risk management

  • Supply chain

  • Privacy and civil liberties

  • Artificial intelligence


Informative References

CSF 2.0 maps to 50+ frameworks and standards, including:

Security Frameworks


  • NIST SP 800-53 Rev. 5: Federal security controls (official mapping available)

  • ISO/IEC 27001:2022: Information security management (official mapping available)

  • CIS Controls v8: Center for Internet Security

  • COBIT 2019: IT governance framework


Sector-Specific


  • HIPAA Security Rule: Healthcare

  • PCI DSS: Payment card industry

  • NERC CIP: Electric sector

  • FISMA: Federal information security


Privacy and Other


  • NIST Privacy Framework: Privacy risk management

  • NIST AI Risk Management Framework: AI risks

  • NICE Workforce Framework: Cybersecurity workforce


OLIR Program: Online Informative Reference catalog at https://csrc.nist.gov/projects/olir

Relationship to Other NIST Frameworks

NIST SP 800-53 (Federal Security Controls)


  • CSF 2.0: High-level, risk-based framework

  • SP 800-53: Detailed security and privacy controls

  • Relationship: CSF provides strategic view; 800-53 provides tactical controls

  • Mapping: Official mapping available in NIST OLIR


NIST Privacy Framework


  • Alignment: Both use similar structure (Core, Tiers, Profiles)

  • Integration: Organizations can use both for comprehensive risk management

  • Overlap: Data security controls complement privacy controls


NIST AI Risk Management Framework


  • Relationship: CSF 2.0 Govern function references AI risks

  • Integration: Both frameworks can be used together for AI system security


NIST Small Business Cybersecurity Resources


  • Quick-Start Guides: Simplified implementation for small organizations

  • Subset of CSF: Prioritized subcategories for resource-constrained environments


Implementation Guidance

Getting Started

Step 1: Establish Scope and Priorities

  • Identify mission-critical systems and data

  • Understand regulatory requirements

  • Define risk tolerance


Step 2: Orient
  • Review the six functions

  • Understand categories and subcategories

  • Identify applicable informative references


Step 3: Create Current Profile
  • Assess current cybersecurity posture

  • Document existing controls and processes

  • Identify gaps and vulnerabilities


Step 4: Conduct Risk Assessment
  • Identify and prioritize cybersecurity risks

  • Consider threat landscape

  • Evaluate likelihood and impact


Step 5: Create Target Profile
  • Define desired outcomes based on risk assessment

  • Align with business objectives

  • Consider resource constraints


Step 6: Determine, Analyze, and Prioritize Gaps
  • Compare current to target profile

  • Identify specific gaps

  • Prioritize based on risk and resources


Step 7: Implement Action Plan
  • Develop roadmap to close gaps

  • Assign responsibilities

  • Allocate resources

  • Establish timeline


Step 8: Monitor and Improve
  • Continuously assess progress

  • Update profiles as threats evolve

  • Refine approach based on lessons learned
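
The Profile Development Process above and Steps 3 through 7 of Getting Started describe the same comparison: score each outcome in the Current Profile, set a target, rank the gaps, and hand them to Function owners. The following Python is an added example, not NIST tooling or any part of the framework; the tier-jump-times-weight scoring rule, the 1-5 risk weight and the sample profiles are assumptions made for the illustration.

```python
from dataclasses import dataclass

# CSF 2.0 Function prefixes and the four Implementation Tiers described above.
FUNCTIONS = {"GV": "GOVERN", "ID": "IDENTIFY", "PR": "PROTECT",
             "DE": "DETECT", "RS": "RESPOND", "RC": "RECOVER"}
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int   # tier recorded in the Current Profile
    target: int    # tier wanted in the Target Profile
    weight: int    # hypothetical 1-5 risk weight from the risk assessment step

    @property
    def score(self) -> int:
        # Hypothetical priority: size of the tier jump times the risk weight.
        return (self.target - self.current) * self.weight

def function_of(subcategory: str) -> str:
    """Map an outcome ID such as 'PR.DS-2' to its Function; reject unknown prefixes."""
    prefix = subcategory.split(".", 1)[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"unknown CSF Function prefix in {subcategory!r}")
    return FUNCTIONS[prefix]

def prioritize_gaps(current: dict, target: dict, weights: dict) -> list:
    """Steps 3-6: compare Current to Target Profile and rank open gaps by score."""
    gaps = []
    for sub, tgt in target.items():
        cur = current.get(sub, 1)  # outcome absent from Current Profile = Tier 1
        if cur not in TIERS or tgt not in TIERS:
            raise ValueError(f"{sub}: tiers must be one of {sorted(TIERS)}")
        if cur >= tgt:
            continue               # target already met; nothing to close
        gaps.append(Gap(sub, function_of(sub), cur, tgt, weights.get(sub, 1)))
    return sorted(gaps, key=lambda g: (-g.score, g.subcategory))

def gaps_by_function(gaps: list) -> dict:
    """Step 7 input: number of open gaps each Function owner must plan for."""
    counts = {}
    for g in gaps:
        counts[g.function] = counts.get(g.function, 0) + 1
    return counts

# Constructed sample profiles (not a real assessment); IDs use the notation above.
CURRENT = {"GV.PO-1": 1, "GV.SC-1": 1, "PR.DS-1": 3, "PR.DS-2": 2, "DE.CM-1": 2}
TARGET = {"GV.PO-1": 3, "GV.SC-1": 3, "PR.DS-1": 3, "PR.DS-2": 3, "DE.CM-1": 3, "PR.AC-1": 2}
WEIGHTS = {"GV.PO-1": 5, "GV.SC-1": 3, "PR.DS-2": 4, "DE.CM-1": 4, "PR.AC-1": 5}
```

An outcome that the Target Profile names but the Current Profile never assessed (PR.AC-1 in the sample) is treated as Tier 1, so it surfaces as a gap instead of silently dropping out of the roadmap.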


Quick-Start Guide for Small Organizations

NIST provides simplified guidance focusing on:

  1. Govern: Leadership commitment and resource allocation

  2. Identify: Know your assets and risks

  3. Protect: Basic safeguards (MFA, encryption, backups)

  4. Detect: Monitor for unusual activity

  5. Respond: Have an incident response plan

  6. Recover: Test backup and recovery procedures


Community Profile Utilization

Leverage sector-specific profiles:

  • Healthcare: Focus on HIPAA alignment

  • Financial: Emphasize PCI DSS and fraud detection

  • Manufacturing: Supply chain and OT security

  • Small business: Resource-optimized subset


Massachusetts Implementation Considerations

Alignment with 201 CMR 17.00

CSF 2.0 supports MA data security compliance:

201 CMR 17.00 Requirement → CSF 2.0 Mapping:

  • WISP Required → GOVERN function (GV.PO - Policy)

  • Encryption → PROTECT (PR.DS-1, PR.DS-2 - Data Security)

  • Access Controls → PROTECT (PR.AC - Access Control)

  • Monitoring → DETECT (DE.CM - Continuous Monitoring)

  • Incident Response → RESPOND function

  • Vendor Management → GOVERN (GV.SC - Supply Chain)


Benefits for MA Organizations

  1. Demonstrates Comprehensive Program: CSF implementation shows "reasonable" security measures

  2. Regulatory Alignment: Maps to multiple MA and federal requirements

  3. Risk-Based Approach: Flexible implementation based on organization size

  4. Common Language: Facilitates communication with stakeholders, vendors, insurers


Critical Infrastructure in Massachusetts

MA has significant critical infrastructure:

  • Healthcare and public health (hospitals, research institutions)

  • Energy (utilities)

  • Financial services (banking, insurance)

  • Information technology

  • Transportation


CSF 2.0 provides sector-specific guidance for these industries.

Voluntary vs. Mandatory Nature

Core Principle: Voluntary


  • CSF was created as a voluntary framework for the private sector

  • Risk-based, flexible approach respects organizational diversity

  • No certification or compliance audit process


Federal Government: Mandatory


Executive Order 13800 (May 2017):
  • All federal agencies must use NIST CSF

  • Agencies report cybersecurity posture using CSF

  • OMB requires CSF implementation


Executive Order 13636 (February 2013):
  • Originally directed NIST to create CSF for critical infrastructure

  • Established voluntary public-private partnership model


When CSF May Be Required

Supply Chain Requirements:

  • Federal contractors may be required to adopt CSF

  • Prime contractors may mandate CSF for subcontractors

  • CMMC (Cybersecurity Maturity Model Certification) references CSF


Cyber Insurance:
  • Some insurers require or incentivize CSF adoption

  • May reduce premiums or improve coverage


Industry Standards:
  • Some sectors adopt CSF as industry baseline

  • Professional associations may recommend CSF


State and Local Government:
  • Some states adopt CSF for government agencies

  • May extend to contractors and critical infrastructure


Benefits of Voluntary Approach

  1. Flexibility: Organizations adapt the framework to their needs

  2. Scalability: Applies to organizations of all sizes

  3. Innovation: Encourages creative solutions

  4. Efficiency: Avoids one-size-fits-all mandates

  5. Collaboration: Fosters public-private partnerships


Resources and Tools

Official NIST Resources


  • CSF 2.0 Full Document: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf

  • CSF Website: https://www.nist.gov/cyberframework

  • CSRC CSF Page: https://csrc.nist.gov/projects/cybersecurity-framework

  • Getting Started Guide: https://www.nist.gov/cyberframework/getting-started

  • Quick-Start Guides: Sector and size-specific guidance

  • Community Profiles: https://www.nist.gov/cyberframework/profiles


Implementation Tools


  • NIST CSF Reference Tool: Online tool for exploring framework

  • CSF Templates: Profile templates and worksheets

  • Crosswalks: Mappings to other frameworks in OLIR catalog

  • Training Materials: Webinars, presentations, case studies


Support Resources


  • NIST NCCoE (National Cybersecurity Center of Excellence): Example implementations

  • ICS-CERT: Industrial control systems guidance

  • NIST Small Business Resources: Simplified guidance for SMBs

  • InfraGard: Public-private partnership for infrastructure protection


Success Metrics

Organizations implementing CSF 2.0 can measure success through:

  1. Profile Maturity: Progress from current to target profile

  2. Tier Advancement: Movement through implementation tiers

  3. Risk Reduction: Decrease in identified cybersecurity risks

  4. Incident Metrics: Reduced frequency, severity, recovery time

  5. Compliance Alignment: Improved alignment with regulatory requirements

  6. Stakeholder Confidence: Enhanced trust from customers, partners, board

  7. Cost Efficiency: Optimized cybersecurity investments


Applicable Industries

All Industries, Critical Infrastructure, Healthcare, Financial Services, Technology, Manufacturing, Research, Government

Company Size

All company sizes

Effective Date

2/26/2024

Penalties for Non-Compliance

N/A - Voluntary framework. Federal agencies must comply with Executive Order requirements.

For Massachusetts Companies

This cybersecurity framework is a recommended best practice for Massachusetts companies. While not legally mandatory, implementing this framework can strengthen your security posture and may be required by clients or partners.
