Apr 5, 2024

What is NIST CSF 2?

Technology, business processes, and working environments have changed significantly in recent years. Remote work has become common, cloud computing is ubiquitous, and technologies like GenAI are entering the workplace. These types of changes attract exploitation by cybercriminals. The National Institute of Standards and Technology (NIST) collaborates across all sectors to develop cybersecurity frameworks that help to manage and mitigate cyber-risk. The NIST Cybersecurity Framework (NIST CSF) is a series of security best practices that guide organizations in implementing policies, processes, and measures that prevent and protect against cyber-attacks.

A brief history of the NIST Cybersecurity Framework 2.0

NIST has been involved in developing the CSF since the release of CSF 1.0 in 2014. In 2018, NIST released an update, CSF 1.1, in response to changes in the security threat landscape. However, this evolving landscape continues to challenge companies worldwide. In 2022, NIST began developing an update to its CSF. This update, NIST CSF 2.0, was released on February 26, 2024. 

NIST CSF was originally meant for critical infrastructure sectors such as healthcare, manufacturing, and utilities. However, NIST can now showcase companies in many sectors that have benefited from applying the CSF’s principles.

Components and pillars of NIST CSF 2.0

NIST CSF does not advocate a one-size-fits-all approach to cybersecurity. Instead, the CSF acts as a series of guidelines around a framework. These guidelines can be adapted to the unique cybersecurity requirements of each company. The ethos of the CSF is to act in synchronicity with other aspects of a business. NIST suggests that CSF be deployed to combat risks that are “financial, privacy, supply chain, reputational, technological, or physical in nature.” Ultimately, the NIST CSF is about managing and mitigating risks in the long term.

NIST CSF 2.0 is made up of three components:

  1. CSF Core: Describes a hierarchy of functions, categories, and subcategories, each tied to a cybersecurity outcome. The Core is designed to be accessible to a broad enterprise audience.

  2. CSF Organizational Profiles: Describe the company’s cybersecurity posture in terms of the outcomes defined in the CSF Core.

  3. CSF Tiers: Define the company's approach to risk governance and risk management, and connect that approach to the CSF Organizational Profile.

These three core components are used to “understand, assess, prioritize, and communicate cybersecurity risks.”

Within the CSF core, NIST CSF 2.0 is split into five core functions connected by a sixth — the governance layer. Each function is connected to the previous function; together, they form a cybersecurity risk management process. (Source: NIST CSF.)

Each function offers a series of guidelines on how to best handle this aspect of cybersecurity risk management. The six CSF functions are explained below:

Governance

An overarching function that governs how the outcomes of the other five functions are handled. The purpose of the Governance layer is to prioritize those outcomes in line with stakeholder expectations. The Governance layer connects an organization's cybersecurity goals with its enterprise risk management (ERM) strategy.

Identify

This essential layer relates business functions to cybersecurity risk. It provides the intelligence and visibility needed to establish and prioritize risks within an organization. “Identify” outcomes allow an organization to align its risk management strategy with business goals.

Protect

The Protect function suggests security measures and safeguards that will reduce risk in critical infrastructures and networks. Measures include “identity management, authentication, and access control; awareness and training; data security; platform security.”

Detect

This function focuses on the detection and analysis of indicators of potential security events, including best practices in incident response and recovery.

Respond

This function provides guidelines on how to best contain a cybersecurity incident — areas include incident management, analysis, mitigation, and dealing with the fallout of a cybersecurity attack.

Recover

This function offers guidelines for restoring assets and operations after an attack has happened. It includes communication strategies for dealing with a post-attack scenario.

Sectors that benefit from NIST CSF 2.0

Originally developed to mitigate security risk in critical infrastructures, the NIST CSF 2.0 was updated to offer essential security advice for all sectors. Some of the sectors that can most benefit from applying the CSF framework are data-driven industries, including the tech sector, and highly regulated industries, such as healthcare and financial services. NIST highlights its success across different sectors, such as government and education, in its success stories showcase.

NIST CSF 2.0 and identity and access management (IAM)

Identity and access management (IAM) plays a significant role in cybersecurity and NIST CSF 2.0. NIST says of IAM, "NIST seeks to ensure the right people and things have the right access to the right resources at the right time." 

IAM provides access governance and management, identity proofing, and access privilege enforcement, which are needed for the development and implementation of the safeguards expected by NIST CSF 2.0. In terms of NIST CSF 2.0 compliance, IAM is a strategic security and governance measure that impacts all six functions of NIST CSF.

IAM provides the capability needed to identify users and assets and to control how those assets are used: the effective application of IAM provides visibility and control of user access to critical assets. Privileged access management (PAM) tools ensure that critical assets are monitored and cataloged. The use of IAM and PAM aligns with NIST's tenet of the right people having access to the right resources at the right time.

Digital IAM is vital to managing and controlling interactions across an entire enterprise. Employees, non-employees, suppliers, and customers all fall under the CSF guidelines. Using IAM tools, the principle of least privilege can be applied. This principle is enforced using robust authentication and authorization, which verifies user identity when access requests are made. 

By managing digital identity and ensuring that access and authorization to critical resources are controlled, an organization can meet many of the requirements of NIST CSF 2.0.
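The least-privilege principle described above rests on two separate steps: authenticate the requester, then authorize the specific action against an explicit grant, denying everything else by default. The following is an added illustration written for this article, not code from NIST or from any IAM product. The HMAC-signed token, the grant format (exact resource name or a prefix ending in "*"), the principals and the resource names are all constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed signing secret for the demo only; a real deployment loads this
# from a secrets store and rotates it.
_SECRET = b"demo-signing-key-not-for-production"


def issue_token(principal: str) -> str:
    """Authentication side: bind an identity to a signed token that cannot be forged
    without the secret."""
    mac = hmac.new(_SECRET, principal.encode(), hashlib.sha256).hexdigest()
    return f"{principal}.{mac}"


def verify_token(token: str):
    """Return the authenticated principal, or None if the signature does not check out.
    compare_digest avoids leaking timing information about the expected MAC."""
    principal, _, mac = token.rpartition(".")
    if not principal:
        return None
    expected = hmac.new(_SECRET, principal.encode(), hashlib.sha256).hexdigest()
    return principal if hmac.compare_digest(mac, expected) else None


@dataclass(frozen=True)
class Grant:
    """One explicit permission: principal may perform action on resource."""
    principal: str
    action: str      # e.g. "read", "write"
    resource: str    # exact name, or a prefix ending in "*" (constructed convention)

    def matches(self, principal: str, action: str, resource: str) -> bool:
        if self.principal != principal or self.action != action:
            return False
        if self.resource.endswith("*"):
            return resource.startswith(self.resource[:-1])
        return resource == self.resource


@dataclass
class AccessControl:
    """Default-deny policy decision point with an audit trail of every decision."""
    grants: list
    audit: list = field(default_factory=list)

    def authorize(self, token: str, action: str, resource: str) -> bool:
        principal = verify_token(token)
        if principal is None:
            allowed, reason = False, "authentication failed"
        elif any(g.matches(principal, action, resource) for g in self.grants):
            allowed, reason = True, "explicit grant"
        else:
            # No grant matched: least privilege means the answer is no.
            allowed, reason = False, "no matching grant (default deny)"
        self.audit.append((principal, action, resource, allowed, reason))
        return allowed


# Constructed grants: each principal gets only what its role needs.
DEMO_GRANTS = [
    Grant("dba-alice", "read", "db/prod/*"),
    Grant("dba-alice", "write", "db/prod/*"),
    Grant("analyst-bob", "read", "db/prod/customers"),
]


if __name__ == "__main__":
    ac = AccessControl(DEMO_GRANTS)
    ac.authorize(issue_token("analyst-bob"), "read", "db/prod/customers")
    ac.authorize(issue_token("analyst-bob"), "write", "db/prod/customers")
    ac.authorize("dba-alice." + "0" * 64, "read", "db/prod/customers")  # forged token
    for entry in ac.audit:
        print(entry)
```

The audit list is the piece a CSF-minded reviewer cares about most: every decision, including denials and failed authentications, is recorded with its reason, which is what gives the Detect and Respond functions something to work with later.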

The NIST framework references other NIST publications for guidance and advice on establishing the five CSF functions. Publications include NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations.

Why is NIST CSF compliance important?

The cybersecurity threat landscape impacts a broad range of systems, from core business operations to the supply chain and customers. A business affected by a cyber-attack can expect to lose money and time, and to see its reputation damaged. An organization that complies with a respected cybersecurity framework like NIST CSF 2.0 demonstrates a commitment to cybersecurity. The NIST CSF offers a common set of standards across all sectors. In terms of supply chain management, having vendors comply with common standards helps with interoperability, auditability, and visibility. To summarize, the major benefits of complying with the tenets of NIST CSF 2.0 are:

  1. Development of a robust, best-practice security risk management posture.

  2. Demonstrating to customers and partners that your company is serious about security.

  3. A robust security posture helps meet data security regulations such as HIPAA and SOC 2.

  4. Protecting your business against damaging cyber-attacks such as data breaches and ransomware infections.

  5. Keeping ahead of security threats by following guidelines developed in collaboration with industry experts.

Comparing NIST CSF 2.0 with other security frameworks

SOC 2

NIST CSF 2.0 is a voluntary framework that offers guidance on cybersecurity risk management, while SOC 2 is a compliance standard that requires certification. Both SOC 2 and NIST CSF focus on cybersecurity risk management and take a risk-based approach to reducing cybersecurity risk.

A significant difference between the two is that NIST CSF focuses on preventing and mitigating cyber risks, whereas SOC 2 is about detecting and responding to cyber risks.

ISO 27001

ISO 27001 is an international standard for an information security management system (ISMS). Both ISO 27001 and NIST CSF 2.0 provide guidelines for establishing a robust security posture. However, there are some core differences. ISO 27001 is an international standard, whereas NIST CSF was designed for a U.S. audience (although it applies to organizations worldwide). The two frameworks overlap, and they have security guidelines and best practices in common. ISO 27001 is typically used by organizations that already have an established security posture. NIST CSF could be used to achieve that posture before embarking on ISO 27001 compliance.

ISO 27001 requires audits and certifications to meet the standard. NIST CSF is voluntary.

NIST CSF 1 vs. NIST CSF 2

CSF 2.0 has been updated to reflect new cyberthreats. An important update to NIST CSF 1 is the inclusion of the governance function. Other features added to NIST CSF 2.0 are:

  • Greater accessibility and guidance for smaller organizations.

  • Attention to supply chain risk management, engagement with federal agencies, and international coordination.

  • Ability to generate current and target state “Organizational Profiles.” This helps an organization to check progress.

  • A CSF 2.0 Reference Tool: a set of online resources.

  • Documentation offering examples of implementation.
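The three components described earlier (Core, Organizational Profiles, Tiers) and the current-versus-target profiles listed above fit together as a small data model: score each Core category on a tier scale in a current profile and a target profile, then the gap between the two is the work plan. The script below is an added example for this article, not NIST's CSF 2.0 Reference Tool or any official artifact. The six function names are the ones used on this page; the category names under each function are constructed illustrations rather than NIST's official category identifiers, and using the four CSF Tier names as a 1 to 4 score per category is an assumption made for the demo.

```python
from dataclasses import dataclass

# Six CSF 2.0 functions as named on this page. Category names are constructed
# for illustration and are not NIST's official category identifiers.
CSF_CORE = {
    "Govern": ["Risk management strategy", "Roles and responsibilities"],
    "Identify": ["Asset management", "Risk assessment"],
    "Protect": ["Identity management, authentication, and access control",
                "Awareness and training", "Data security", "Platform security"],
    "Detect": ["Continuous monitoring", "Adverse event analysis"],
    "Respond": ["Incident management", "Incident mitigation"],
    "Recover": ["Recovery plan execution", "Recovery communication"],
}

# CSF Tier names, used here as a numeric maturity score per category (an assumption
# of this example; NIST applies Tiers to the organization's overall risk approach).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

ALL_CATEGORIES = {c for cats in CSF_CORE.values() for c in cats}


@dataclass
class Profile:
    """An Organizational Profile: one tier score per Core category."""
    name: str
    scores: dict

    def __post_init__(self):
        for category, tier in self.scores.items():
            if category not in ALL_CATEGORIES:
                raise ValueError(f"unknown category: {category}")
            if tier not in TIERS:
                raise ValueError(f"tier must be one of {sorted(TIERS)}: {tier}")


def gap_analysis(current: Profile, target: Profile) -> dict:
    """Map each category that is below its target to (function, current_tier, target_tier).
    Unscored categories count as Tier 1; categories with no target are assumed met."""
    gaps = {}
    for function, categories in CSF_CORE.items():
        for category in categories:
            cur = current.scores.get(category, 1)
            tgt = target.scores.get(category, cur)
            if tgt > cur:
                gaps[category] = (function, cur, tgt)
    return gaps


def prioritize(gaps: dict) -> list:
    """Largest gap first; on ties, Govern first because it steers the other five."""
    order = list(CSF_CORE)
    return sorted(gaps.items(),
                  key=lambda kv: (-(kv[1][2] - kv[1][1]), order.index(kv[1][0])))


def function_summary(profile: Profile) -> dict:
    """Average tier per function, the level of detail a board report usually wants."""
    return {function: sum(profile.scores.get(c, 1) for c in cats) / len(cats)
            for function, cats in CSF_CORE.items()}


# Constructed sample profiles for a fictional organization.
CURRENT_PROFILE = Profile("current", {
    "Risk management strategy": 1, "Roles and responsibilities": 2,
    "Asset management": 2, "Risk assessment": 1,
    "Identity management, authentication, and access control": 2,
    "Awareness and training": 3, "Data security": 2, "Platform security": 2,
    "Continuous monitoring": 1, "Adverse event analysis": 1,
    "Incident management": 2, "Incident mitigation": 2,
    "Recovery plan execution": 1, "Recovery communication": 1,
})
TARGET_PROFILE = Profile("target", {
    **{c: 3 for c in ALL_CATEGORIES},
    "Risk management strategy": 4,
    "Identity management, authentication, and access control": 4,
})


def run_example() -> list:
    """Prioritized gap list for the sample profiles."""
    return prioritize(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE))


if __name__ == "__main__":
    for category, (function, cur, tgt) in run_example():
        print(f"{function:8} {category:58} {TIERS[cur]} -> {TIERS[tgt]}")
```

Running it lists thirteen categories with work to do (only "Awareness and training" is already at target), starting with the Govern category that is three tiers short, which matches the point made earlier that the governance function sits above the other five.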