The NIST CSF was first released in 2014, and since then, it has been adopted by thousands of organizations. The NIST Cybersecurity Framework has profoundly impacted the industry by promoting consistent cybersecurity practices, fostering collaboration and information sharing, and establishing a common language and understanding of cybersecurity concepts. The ultimate goal has been improved resilience, reduced cyber threats, and a more secure digital landscape for organizations and society.
Organizations across various sectors use the NIST CSF, including government, healthcare, financial services, and manufacturing. NIST does maintain a public database of organizations that have publicly stated that they use the NIST CSF, and over 4,000 organizations are listed in the Cybersecurity Framework Users’ Community.
Changes Made to NIST CSF
NIST periodically updates the CSF with its last update in 2018, version 1.1. Periodic revisions ensure the framework remains relevant and effective against the evolving cybersecurity threat landscape and technological changes. NIST CSF 2.0 Govern has been long awaited and was driven by several factors, including:
- Changes in the threat landscape: The CSF must include measures reflecting the evolution of cyber threats to remain effective.
- Technological advancements: Endpoint technology, applications, and software are constantly changing. As cloud computing, AI, and IoT usage take off, the updated CSF will include changes relevant to this technology.
- Feedback from thought leaders: NIST considers input from leaders and stakeholders from critical industries, government, and academia.
- New regulations and standards: The NIST CSF was built to be aligned with other standards and frameworks, like ISO 27001 and GDPR, to enhance usage and flexibility. The revision will reflect changes made to relevant frameworks.
NIST CSF Version 2.0 will also address critical areas, like supply chain risk management, privacy risk management, and more significant cybersecurity measures to ensure its relevance for the next decade. Considering the broad usage of the NIST CSF, the new revision will remove specific mention of critical infrastructure to emphasize the framework's applicability to organizations in any industry. NIST has also taken the step of reorganizing particular categories and sub-categories more logically.
The New Govern Function
The new revision will add a new core function: Govern. “Govern” will focus on organizational context, risk management strategy, policies, and roles and responsibilities. In addition, this new draft will also include improvements and new categories within each core framework function - with specific emphasis on technology resilience, incident response management, and continuous improvement.
“Adding the Govern function and making that step 1 of the available line-up is a key takeaway. It stresses the top-down approach to cybersecurity and risk management. This puts the onus on the executive leadership team to play an active part in their organization's cyber risk management program,” explained Cathy Olieslaeger, Director of Customer Success at CyberSaint.
“Whether it is to set risk management strategy, organizational risk tolerance, and risk treatment prioritization guidance, and play an active part in the life-cycle of risk management, the executive leadership responsibilities are set in this new framework," said Olieslaeger. "The buck ends with them.”
NIST will also include improvements to the guidance on framework implementation and alignment and usage for assessments. The revision builds on the NIST CSF’s proactive risk-based approach to cyber risk management and emphasizes the importance of cyber to all organizations and leaders.
"NIST CSF 2.0 empowers businesses to up-level their cyber risk management maturity in governance by fostering a proactive approach, enabling them to anticipate and address emerging cyber threats while fostering a culture of continuous improvement,” said Jerry Layden, CEO of CyberSaint. "By incorporating NIST CSF 2.0's new principles, businesses can establish a strong foundation for making informed decisions, allocating resources, and embedding cybersecurity throughout the organization's culture and operations."
Build for the Future with CyberSaint and NIST
With cybersecurity at the forefront of concerns for leaders, the release of NIST CSF 2.0 validates the importance of cyber risk management and also sets forth a notion of aligning different frameworks for a more cohesive approach. "Although not included in the current draft, I'm looking forward to seeing how NIST continues to better align the CSF with other NIST resources and publications," explained Steve Torino, VP of Solutions Architecture at CyberSaint. "The inclusion of a new Governance function highlights the importance of cyber risk management."
As a leading cyber risk management platform, CyberStrong is built around the NIST CSF and complements the CSF’s progressive approach to holistic and proactive cybersecurity risk management. With CyberStrong, security professionals can leverage a single interface to view real-time risk scores and keep track of NIST CSF updates.
Learn more about our all-in-one cyber risk management platform and how we align with NIST CSF 2.0 in a demo.
