Getting to Know the CSF 2.0

Written by Eric Cataline, CISSP | CGRC | Feb 14, 2025 7:26:49 PM

What is the Cybersecurity Framework 2.0?

Published on February 26, 2024, the Cybersecurity Framework (CSF) 2.0 is the first major update to the framework since its creation in 2014, and it expands on CSF 1.1 in two main ways. First, it addresses a broader audience: the CSF 2.0 “aims to help all organizations — not just those in critical infrastructure, its original target audience[1].” Second, it expands the focus on governance: the new GOVERN Function adds emphasis to governance and to supply chain risk management.

Source: The NIST Cybersecurity Framework (CSF) 2.0

The New GOVERN Function

Adapting to the changing cybersecurity landscape, and no longer relying on policy and procedures to be developed from the bottom of the taxonomy up,[2] the CSF 2.0 carves out a place higher in the order for the GOVERN Function. A good example of GOVERN stepping in where the previous taxonomy fell short is CSF 1.1 Subcategory ID.AM-6: “Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.”[3] Search for that Subcategory in the CSF 2.0 and you won’t find it. ID.AM-05 and ID.AM-07 remain in the CSF Core, but ID.AM-06 has been withdrawn (the CSF 2.0 Core notes it as moved to GV.RR-02), and roles and responsibilities now live in the GOVERN Function with their own Category and Subcategories (GV.RR-01 through GV.RR-04). Roles and responsibilities for supply chain risk management fall under a separate Category, Cybersecurity Supply Chain Risk Management (GV.SC), in Subcategory GV.SC-02.

Source: The NIST Cybersecurity Framework (CSF) 2.0

Desirable Outcomes, More Resources

Another characteristic of the CSF 2.0 is that it “describes what desirable outcomes an organization can aspire to achieve. It does not prescribe outcomes nor how they may be achieved[4].” Unlike a program such as CMMC, where Organizations Seeking Assessment (OSAs) that wish to store, process, or transmit CUI must implement and be assessed against the requirements of NIST SP 800-171, the CSF does not mandate outcomes. This leaves the implementing organization flexibility in what to adopt and how.

The CSF 2.0 points to a great many resources for all types of organizations. Section 4, Introduction to Online Resources That Supplement the CSF, provides guidance and links for tools, references, and Quick-Start Guides (QSGs). The CSF 2.0 is also adaptable and mappable to other documents through its Informative References: “This catalog allows an organization to cross-reference the CSF’s guidance to more than 50 other cybersecurity documents, including others from NIST, such as SP 800-53 Rev. 5[5].”

Source: The NIST Cybersecurity Framework (CSF) 2.0

One scenario in which an Informative Reference could aid the CSF 2.0 is the following. An organization looking to establish governance around an information system would turn to the new GOVERN Function and find that the Organizational Context Category (GV.OC) addresses this with multiple Subcategories. Those Subcategories could still leave the organization uncertain about what to do next. Controls PL-7, Concept of Operations, and PL-2, System Security and Privacy Plans, from the NIST SP 800-53 catalog would be helpful here. Drilling deeper into NIST guidance, you might look at NIST SP 800-160 Vol. 2 Rev. 1, Developing Cyber-Resilient Systems, Section 3.2.1, Understand the Context. Read carefully, that content yields subject matter for the sections that make up a Concept of Operations document. In seeking guidance from several other Informative References, you never actually leave the CSF 2.0.

The Core, Organizational Profiles, and Tiers

Source: The NIST Cybersecurity Framework (CSF) 2.0

When using the CSF 2.0, the CSF Core (Appendix A) is what you will use most often. NIST describes it as the “nucleus of the CSF…The CSF Core components are a hierarchy of Functions, Categories, and Subcategories that detail each outcome[6].” The CSF Core can be compared to the security requirements in NIST SP 800-171: the two address many of the same concerns, and both received content updates in 2024 (CSF 2.0 and SP 800-171 Revision 3) that expanded coverage of governance and supply chain risk management. Again, be sure to understand that the CSF 2.0 describes; it does not prescribe.

Organizational Profiles “are a mechanism for describing an organization’s current and/or target cybersecurity posture in terms of the CSF Core’s outcomes[7].” An organization can assess itself against the CSF Core and use the results for gap analysis, progressing from a Current Profile to a Target Profile; together, the two make up the Organizational Profile[8].

There are four Tiers[9] in the CSF 2.0: Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4). These Tiers “can be applied to CSF Organizational Profiles to characterize the rigor of an organization’s cybersecurity risk governance and management practices[10].” Tiers help an organization further tailor its Organizational Profile by providing context, which in turn lets it better allocate resources and spending to its cybersecurity practices.

Download the CSF 2.0 here: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf, and find all of the official guidance on the NIST Cybersecurity Framework page (Cybersecurity Framework | NIST).

Need help developing an Organizational Profile, conducting a CSF 2.0 assessment, or have general CSF 2.0 questions? Contact Us.

Written by:

Eric Cataline | CISSP, CGRC

Nicolaus Stengl | Sec+

[1] NIST Releases Version 2.0 of Landmark Cybersecurity Framework: https://www.nist.gov/news-events/news/2024/02/nist-releases-version-20-landmark-cybersecurity-framework.

[2] NIST Cybersecurity Framework 2.0, Section 2: Introduction to the Core.

[3] NIST Cybersecurity Framework 1.1: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.

[4] NIST Cybersecurity Framework 2.0, Section 1: Cybersecurity Framework (CSF) Overview.

[5] NIST Cybersecurity Framework 2.0, Section 4: Introduction to Online Resources That Supplement the CSF.

[6] NIST Cybersecurity Framework 2.0, Section 1: Cybersecurity Framework (CSF) Overview.

[7] NIST Cybersecurity Framework 2.0, Section 3.1: CSF Profiles.

[8] NIST Cybersecurity Framework 2.0, Section 3.1: CSF Profiles.

[9] NIST Cybersecurity Framework 2.0, Section 3.2: CSF Tiers.

[10] NIST Cybersecurity Framework 2.0, Section 1: Cybersecurity Framework (CSF) Overview.