NIST CSF 2.0: What You Need to Know About the Latest Changes
The NIST CSF was first released in 2014, and since then, it has been adopted by thousands of organizations. The NIST Cybersecurity Framework has profoundly impacted the industry by promoting consistent cybersecurity practices, fostering collaboration and information sharing, and establishing a common language and understanding of cybersecurity concepts. The ultimate goal has been improved resilience, reduced cyber threats, and a more secure digital landscape for organizations and society.

Organizations across many sectors use the NIST CSF, including government, healthcare, financial services, and manufacturing. NIST maintains a public list of organizations that have publicly stated that they use the NIST CSF, and over 4,000 organizations are listed in the Cybersecurity Framework Users’ Community.

Changes Made to NIST CSF

NIST periodically updates the CSF; the previous update, version 1.1, was released in 2018. Periodic revisions keep the framework relevant and effective against the evolving cybersecurity threat landscape and changes in technology. NIST CSF 2.0 has been long awaited, and the revision was driven by several factors, including:

  • Changes in the threat landscape: The CSF must include measures reflecting the evolution of cyber threats to remain effective. 
  • Technological advancements: Endpoint technology, applications, and software are constantly changing. As cloud computing, AI, and IoT usage take off, the updated CSF will include changes relevant to this technology. 
  • Feedback from thought leaders: NIST considers input from leaders and stakeholders from critical industries, government, and academia. 
  • New regulations and standards: The NIST CSF was built to be aligned with other standards and frameworks, like ISO 27001 and GDPR, to enhance usage and flexibility. The revision will reflect changes made to relevant frameworks. 

NIST CSF Version 2.0 will also address critical areas such as supply chain risk management and privacy risk management, along with more significant cybersecurity measures, to keep the framework relevant for the next decade. Given the CSF's broad adoption, the new revision removes the specific mention of critical infrastructure to emphasize that the framework applies to organizations in any industry. NIST has also reorganized particular categories and subcategories to make the structure more logical.

The New Govern Function

The new revision adds a new core function: Govern. “Govern” focuses on organizational context, risk management strategy, policies, and roles and responsibilities. In addition, the new draft includes improvements and new categories within each core framework function, with specific emphasis on technology resilience, incident response management, and continuous improvement.

“Adding the Govern function and making that step 1 of the available line-up is a key takeaway. It stresses the top-down approach to cybersecurity and risk management. This puts the onus on the executive leadership team to play an active part in their organization's cyber risk management program,” explained Cathy Olieslaeger, Director of Customer Success at CyberSaint.

“Whether it is to set risk management strategy, organizational risk tolerance, and risk treatment prioritization guidance, and play an active part in the life-cycle of risk management, the executive leadership responsibilities are set in this new framework,” said Olieslaeger. “The buck ends with them.”

NIST will also improve its guidance on implementing the framework, aligning it with other resources, and using it for assessments. The revision builds on the NIST CSF’s proactive, risk-based approach to cyber risk management and emphasizes the importance of cybersecurity to all organizations and leaders.

“NIST CSF 2.0 empowers businesses to up-level their cyber risk management maturity in governance by fostering a proactive approach, enabling them to anticipate and address emerging cyber threats while fostering a culture of continuous improvement,” said Jerry Layden, CEO of CyberSaint. “By incorporating NIST CSF 2.0's new principles, businesses can establish a strong foundation for making informed decisions, allocating resources, and embedding cybersecurity throughout the organization's culture and operations.”

Build for the Future with CyberSaint and NIST

With cybersecurity at the forefront of concerns for leaders, the release of NIST CSF 2.0 validates the importance of cyber risk management and also sets forth a notion of aligning different frameworks for a more cohesive approach. “Although not included in the current draft, I'm looking forward to seeing how NIST continues to better align the CSF with other NIST resources and publications,” explained Steve Torino, VP of Solutions Architecture at CyberSaint. “The inclusion of a new Governance function highlights the importance of cyber risk management.”

As a leading cyber risk management platform, CyberStrong is built around the NIST CSF and complements the CSF’s progressive approach to holistic and proactive cybersecurity risk management. With CyberStrong, security professionals can use a single interface to view real-time risk scores and rely on live updates to inform cyber and business decisions.

Learn more about our all-in-one cyber risk management platform and how we align with NIST CSF 2.0 in a demo.