What is NIST CSF 2.0?
NIST CSF 2.0 is an updated version of the NIST Cybersecurity Framework that has been developed by the National Institute of Standards and Technology (NIST) to help organizations manage and reduce their cybersecurity risk. Through its guidelines, best practices, and standards, it provides organizations with a structured approach to assessing and strengthening cybersecurity posture.
Work on the NIST CSF began after Executive Order 13636 -- Improving Critical Infrastructure Cybersecurity -- was signed by United States President Barack Obama on February 12, 2013. According to this order, repeated cyber intrusions into critical infrastructure demonstrated the dire need for a cybersecurity framework. It advises that such a framework should provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach to help operators of critical infrastructure identify, assess, and manage cyber risk.
Exactly one year later, NIST CSF 1.0 -- Framework for Improving Critical Infrastructure Cybersecurity--was released to the public. It was developed through a collaboration among various stakeholders from the government, industry, and academia. Standards already set by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) also contributed to the NIST CSF. The updated NIST CSF 1.1 was released in April 2018, and NIST CSF 2.0 was released in February 2024. Its expected to evolve more over time, as it vies to be more informative, up-to-date, and useful.
As per the Executive Order, NIST CSF 1.0 was targeted to critical infrastructure organizations. However, it was apparent that the guidelines were applicable to organizations across all sectors and industries. NIST CSF 1.1 clearly states that the Framework can be used by organizations in any sector. In NIST CSF 2.0, the title, "Framework for Improving Critical Infrastructure Cybersecurity," is no longer used.
Figure 1 shows how it has evolved through the years.
Figure 1: The evolution of NIST CSF from 2013 to 2024.
NIST CSF 2.0 can be used by organizations to:
- Learn about and choose a desired security-based outcome.
- Create a plan to achieve that outcome.
- Evaluate the progress taken to attain the desired outcome.
- Assess the organization's present cybersecurity capabilities and evaluate the challenges to achieve the desired outcome.
The NIST CSF 2.0 consists of three components to help organizations reduce their cyber risk:
- Core: The Core, which is comprised of Functions, Categories, and Subcategories, describes the various security-based outcomes that organizations can choose from.
- Profiles: The CSF Profiles refer to the state of an organization's security posture in terms of outcomes. The current and target Profiles help organizations identify gaps that need to be addressed.
- Implementation Tiers: Implementation Tiers define the level to which an organization follows risk management and governance practices. They can be applied to both current and target Profiles. To achieve a target Profile, an organization should be at a target Tier as well. There are four possible Tiers or levels that organizations can be at: Tier 1 (Partial), Tier 2 (Risk-informed), Tier 3 (Repeatable), and Tier 4 (Adaptive).
Figure 2 shows the structure of NIST 2.0 and how all of this comes together.
Figure 2: The structure of NIST CSF - Framework Core, Profiles and Tiers.
Who must comply?
Complying with the NIST CSF is mandatory for US federal government agencies. Although developed as policy for the US federal agencies, the NIST CSF is also designed to accommodate the various approaches of the global business ecosystem. The framework can be adopted by organizations from any country, size, or industry.
What is new in NIST CSF 2.0?
One of the main differences between NIST CSF 1.0 and NIST CSF 2.0 is the update to the Framework Core. While the NIST CSF 1.1 Core had five functions, 23 categories, and 108 subcategories, the NIST CSF 2.0 Core has six functions, 22 categories, and 106 subcategories. Categories have also been contextually rearranged in NIST CSF 2.0. The "Govern" function has been sub-headduced to provide greater executive and stakeholder oversight over organizational cybersecurity.
NIST CSF 2.0 Core Functions
The NIST CSF 2.0 Core has six Functions:
Govern (GV)
This Function enables organizations to establish security outcomes related to governance processes. It assists in more informed decision-making, increases the effectiveness of management, and strengthens the strategic planning ability of the organization. It ensures that the organization has a defined, well-communicated, and effectively-tracked cybersecurity risk management strategy, expectations, and policies.
Identify (ID)
The Identify Function defines security outcomes related to cyber risk. The comprehensive documentation of network assets and those in the operational pipeline is the main emphasis of this function. It requires organizations to understand the risk posed by systems, people, data, services, and other assets.
Protect (PR)
Safeguarding assets from cybersecurity attacks is the aim of the Protect function. The availability and security of critical services and assets is supported by the Protect function. It also restricts or contains the impact radius of a possible cybersecurity attack.
Detect (DE)
The Detect function requires the implementation of monitoring procedures and systems in order to identify cybersecurity attacks and compromise. Using SIEM solutions integrated with anomaly detection and automated response capabilities, organizations can discover threats and respond in a timely manner.
Respond (RS)
The Respond function neutralizes a cybersecurity incident by limiting and minimizing its impact. Attack action plans are put into force, and response teams are formed in accordance with the threats that have been recognized.
Recover (RC)
The Recover function helps organizations promptly get back to the normal course of business. This lessens the impact of a cyberattack.
NIST CSF 2.0 Core Categories and Subcategories
Each of the six Functions has several Categories, which in turn have several Subcategories.
The Govern Function has these Categories:
- Organizational Context (GV.OC)
- Risk management strategy (GV.RM)
- Roles, Responsibilities, and Authorities (GV.RR)
- Policy (GV.PO)
- Oversight (GV.OV)
- Cybersecurity Supply Chain Risk Management (GV.SC)
The Identify Function has these Categories:
- Asset Management (ID.AM)
- Risk Assessment (ID.RA)
- Improvement (ID.IM)
The Protect Function has these Categories:
- Identity Management, Authentication, and Access Control (PR.AA)
- Awareness and Training (PR.AT)
- Data Security (PR.DS)
- Platform Security (PR.PS)
- Technology Infrastructure Resilience (PR.IR)
The Detect Function has these Categories:
- Continuous Monitoring (DE.CM)
- Adverse Event Analysis (DE.AE)
The Respond Function has these Categories:
- Incident Management (RS.MA)
- Incident Analysis (RS.AN)
- Incident Response Reporting and Communication (RS.CO)
- Incident Mitigation (RS.MI)
The Recover Function has these Categories:
- Incident Recovery Plan Execution (RC.RP)
- Incident Recovery Communication (RC.CO)
How to be NIST CSF 2.0 compliant?
You can think of the Categories as requirements of the NIST CSF. The subcategories are the security-based outcomes that organizations can choose from. Compliance with the NIST Cybersecurity Framework (CSF) requires a methodical approach that is customized to the unique requirements and risk profile of a company. You need to implement best practices described in other frameworks. Some of these best practices are given as examples called Informative References by NIST.
ManageEngine Log360 is a unified SIEM solution that can help you meet the requirements of the different Categories, and in turn become NIST CSF 2.0 compliant.
Identify Function
Risk Assessment (ID.RA)Under the Identify function of the NIST CSF framework, the Risk Assessment (ID.RA) category entails the methodical assessment of possible cybersecurity threats to corporate assets, operations, and stakeholders. This procedure entails determining risks and vulnerabilities, estimating the possibility and possible consequences of adverse occurrences, and setting the order of priority for risk mitigation initiatives in accordance with corporate goals and risk tolerance. Organizations may make well-informed decisions about resource allocation and apply suitable measures to mitigate identified risks by carrying out comprehensive risk assessments.
Protect Function
Data Security (PR.DS)The goal of the Data Security (PR.DS) category, which falls under the NIST CSF framework's Protect function, is to prevent unauthorized access, disclosure, or alteration of sensitive data. It entails putting controls and safeguards in place to guarantee the privacy, availability, and integrity of data at every stage of its lifecycle, including processing, transmission, and storage. Organizations may reduce the risk of data breaches, safeguard important assets, and uphold stakeholder confidence by addressing this category within the framework.
Platform Security (PR.PS)The NIST CSF framework's Protect function includes the Platform Security (PR.PS) category, which is dedicated to protecting the availability, integrity, and confidentiality of vital platforms, systems, and applications. To stop unauthorized access, exploitation, or compromise of platform components and infrastructure, security rules and safeguards must be put in place. Organizations may strengthen their defenses against cyberattacks and guarantee the stability of their IT environment by tackling platform security issues.
The Detect Function
Continuous Monitoring (DE.CM)Under the Detect function of the NIST CSF framework, the Continuous Monitoring (DE.CM) category focuses on continuous observation of systems, networks, and data to detect cybersecurity incidents in real-time or almost real-time. In order to quickly identify anomalies, indications of compromise (IOCs), and possible security events, it entails the methodical gathering, analysis, and interpretation of security-related data. Organizations might improve their overall cybersecurity posture by enhancing their capacity to identify and address new threats via the implementation of continuous monitoring procedures.
Adverse Event Analysis (DE.AE)The NIST CSF framework's detect function's Adverse Event Analysis (DE.AE) category is responsible for locating and examining adverse events, incidents, or anomalies that could point to a cybersecurity compromise or breach. It entails putting procedures and technology in place to track and evaluate logs, security alerts, and system and network activity in order to find signs of malicious activity, illegal access, or abnormal behavior. Organizations may minimize the effects of cybersecurity disasters, avoid attacker lateral movement, and prevent data loss by quickly recognizing and evaluating unfavorable situations.
The Respond Function
Incident Management (RS.MA)The Respond function of the NIST CSF architecture includes the Incident Management (RS.MA) category, which is concerned with creating reliable protocols and processes for effectively identifying, handling, and reducing cybersecurity events. It includes tasks including recognizing and evaluating incidents, organizing responses to them, and coordinating with both internal and external parties. Organizations may reduce the impact of cybersecurity events, quickly return to regular operations, and increase overall resilience against future attacks by putting effective incident management policies into place.
Incident Analysis (RS.AN)The NIST CSF framework's Respond function includes the Incident Analysis (RS.AN) category, which deals with the methodical investigation and evaluation of security events to determine their type, extent, and organizational implications. Analyzing incident data, locating attack pathways, and assessing how well the security systems in place are detecting and reducing threats are all part of this process. Organizations may improve security posture, strengthen incident response skills, and avert future occurrences by carrying out in-depth incident analysis.
Incident Mitigation (RS.MI)Within the Respond function of the NIST CSF framework, the Incident Mitigation (RS.MI) category concentrates on an organization's capacity to quickly contain the effects of cybersecurity events. It entails putting policies in place to restrict the extent of accidents, stop them from getting worse, and promptly return to regular operations. Organizations may reduce potential harm, reduce risks, and preserve business continuity in the face of cybersecurity threats by efficiently managing events.
NIST CSF 2.0 Implementation Tiers
framework's features in its cybersecurity program. It facilitates understanding the range of risk-management strategies based on the current established cybersecurity procedures.
Tiers can help enhance the cybersecurity posture of an organization. For example, they can be used to measure internal communications for a company-wide strategy for controlling cybersecurity threats. When there are more requirements or dangers, or when a cost-benefit analysis shows that reducing negative cybersecurity risks is both achievable and economical, moving up the Tiers is recommended. The different Implementation Tiers along with their descriptions are shown in the table below.
| Tier 1: Partial | Tier 2: Risk informed | Tier 3: Repeatable | Tier 4: Adaptive |
| Inconsistent, ineffective, and reactive risk management techniques that don't fully consider cybersecurity threats. | There is a certain degree of knowledge regarding cybersecurity threats, but there hasn't been much risk to the organizational management program development. | An organization-wide cybersecurity risk management program that is uniform and has procedures in place to adapt to shifting threat conditions. | An intelligent reaction system with the ability to efficiently enhance its risk management strategy using historical data and forecast indications. Cybersecurity risk management is integrated into company culture and budgetary choices in adaptive companies. |
NIST CSF 2.0 Checklist
Non-compliance to NIST CSF 2.0 can be avoided to a major extent by following certain guidelines and best practices. Here is a checklist of strategies that can help your organization strengthen its cybersecurity posture:
- Implement multi-factor authentication for all user accounts, particularly privileged ones.
- Ensure cybersecurity is considered as a built-in culture and top-down approach from top management, so strategies are designed accordingly.
- Make sure that antivirus and endpoint protection software is installed on all devices and is updated on a regular basis to guard against malware and other harmful threats.
- Identify and address vulnerabilities in software, systems, and network infrastructure, and implement frequent vulnerability assessments and scans.
- Use strong encryption techniques to safeguard the confidentiality and integrity of sensitive data while it is in transit and at rest.
- Enable logging and tracking of system modifications, file access, and logins to identify and handle unauthorized or suspect activity.
- Make sure that remote access tools like VPNs and remote desktop services are protected by robust encryption methods and authentication systems, to avoid unwanted access.
- Adopt a Zero Trust strategy for network security, where access is only allowed based on stringent permission and authentication procedures, independent of the user's location within or outside the corporate network boundary.
- Develop and test incident response and recovery procedures to guarantee that the company can respond to and recover from cybersecurity issues with little impact on business operations.
- Create a patch management procedure to systematically find, evaluate, and update software and systems with security patches to fix known vulnerabilities.
- Use DLP technologies to track, identify, and stop sensitive data from being shared or sent without authorization, both internally and externally.
Use cases
Collect and analyze logs from various sources in your environment, including end-user devices, and gain insights in the form of graphs and intuitive reports that help spot security threats. (Helps with ID.RA-03, PR.PS-04, DE.CM-01)
Identify unusual file or data accesses, cut down malicious communications from command and control servers, and prevent data from being exfiltrated. (Helps with PR.DS)
Leverage STIX/TAXII format threat feeds to discover malicious IPs, domains, and URLs through threat intelligence. (Helps with ID.RA-02)
Non-compliance implications of NIST CSF 2.0
Failure to adhere to the NIST CSF places businesses that collaborate with federal agencies at the risk of losing federal contracts or facing penalties under the Federal Acquisition Regulation. In addition, it may result in baseless litigation and unfavorable public opinion, which might be harmful to marketing and upcoming contract negotiations. Furthermore, the agency may be subject to both direct and indirect repercussions, including termination of the contract, imprisonment, dismissal for negligence, or dissolution of the concerned department. The repercussions will be dependent on the regulatory body, the relevance of the data handled, and the probable effects of the breach.
