Released on Feb 26, 2024, the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 2.0 is an updated version of the original NIST CSF, and is designed to help organizations manage and mitigate cybersecurity risks. The 2.0 update expands the scope and applicability of the framework to cover more types of organizations and industries, including the private sector, government and nonprofits.
NIST CSF 2.0 provides a structured approach to identifying, protecting, detecting, responding to and recovering from cyber threats. It builds upon the original framework by incorporating new features, methodologies and recommendations that address the evolving cybersecurity landscape. It also introduces enhancements over its predecessor, including greater flexibility, a broader scope and better integration with global standards. A new „govern“ function has been introduced in the updated version that focuses on aligning cybersecurity practices with organizational goals and risk management.
The NIST CSF 2.0 framework is widely adopted across various industries, particularly in the United States, to improve the resilience of critical infrastructure against cyber threats. Its guidance can be customized to meet the specific needs of different organizations, regardless of size or sector.
What is compliance with NIST CSF 2.0?
Compliance with the NIST CSF 2.0 involves adhering to updated guidelines to manage and reduce cybersecurity risk. The updates in 2.0 organize cybersecurity efforts into six core functions that provide a comprehensive strategy for organizations to prioritize their cybersecurity activities and align them with business goals and regulatory requirements:
1. Govern: Understand organizational strategy and policy
This new addition in version 2.0 of the CSF emphasizes the importance of establishing and maintaining governance structures to align cybersecurity efforts with the organization’s mission and risk tolerance. It includes defining roles, responsibilities and policies to guide decision-making. Best practice identity security frameworks can help achieve these goals.
2. Identify: Map organizational assets and risks
Develop an understanding of the cybersecurity risks to systems, assets, data and capabilities. It includes asset management, business environment understanding, governance and risk assessment to prioritize efforts.
3. Protect: Secure risky assets
Implement safeguards across hybrid and multi-cloud environments to ensure the delivery of critical infrastructure services. This includes access control, awareness and training, data security and maintenance processes that mitigate the impact of potential incidents. Several identity security best practices can help here, such as implementation of least privilege access or the emerging strategy of providing access with zero standing privileges.
4. Detect: Find and analyze attacks
Identify the occurrence of cybersecurity events in a timely manner. It includes continuous monitoring, anomaly detection and other activities that ensure threats are identified early to minimize damage. Centralized audit and identity threat detection and response (ITDR) capabilities should be applied consistently across all sessions.
5. Respond: Act upon and contain attacks
After detecting a cybersecurity incident, develop and implement appropriate steps to contain the impact of an incident such as planning, communications, analysis, mitigation and improvement.
6. Recover: Restore affected assets
Maintain plans for resilience and restoring any capabilities or services that were impaired due to a cybersecurity event, including recovery planning, improvements and communication with stakeholders during and after recovery efforts. Of note for identity security programs, privileged access management controls can also assist recovery efforts by rotating credentials to terminate attacker sessions and regain organizational control.
Identity security and the NIST CSF 2.0 framework
Identity security is integral to compliance with NIST CSF 2.0, particularly in the framework’s “Protect” and “Detect” functions. As the framework evolves to address the complexities of modern cybersecurity threats, securing identities—both human and non-human—becomes paramount. Implementing identity security measures like privileged access management (PAM), multi-factor authentication (MFA) and continuous monitoring helps organizations protect against unauthorized access, insider threats and potential breaches. These measures ensure that only authorized identities can access sensitive systems and data, which is a cornerstone of NIST CSF 2.0 compliance.
Identity Security Requirements of the NIST CSF 2.0 Framework
Function | Function Category | Supported Subcategories (selected) |
Govern | GV.RM: Risk Management |
|
GV.SC: Supply Chain Risk |
|
|
Identify | ID.RA: Risk Assessment |
|
Protect | PR.AA: Identity Management, Authentication and Access Control |
|
PR.AT: Awareness & Training |
|
|
PR.PS: Platform Security |
|
|
PR.IR: Tech Infrastructure Resilience |
|
|
Detect | DE.CM: Continuous Monitoring |
|
DE.AE: Adverse Event Analysis |
|
|
Respond | RS.MA: Incident Management |
|
RS.MI: Incident Mitigation |
|
|
Recover | RC.RP: Incident Recovery Plan Execution |
|
NIST CSF 2.0 use cases
NIST CSF 2.0 is applicable across different sectors, helping organizations of all sizes and industries to strengthen their cybersecurity defenses, manage risks and ensure regulatory compliance.
Critical infrastructure protection: Organizations managing critical infrastructure, such as energy, water, and transportation systems, use NIST CSF 2.0 to identify vulnerabilities, protect against threats and ensure the continuity of essential services.
Regulatory compliance: The framework provides a structured approach to demonstrate compliance with industry-specific regulatory requirements, such as those in finance (e.g., GLBA, SOX) and healthcare (e.g., HIPAA). and standards.
Small and medium-sized enterprises (SMEs): The framework’s flexibility allows smaller organizations to implement cybersecurity measures that align with their resources and risk levels.
Incident response and recovery: NIST CSF 2.0’s emphasis on detection, response and recovery functions makes it a valuable tool for organizations seeking to improve incident response plans and recover more effectively from cybersecurity incidents.
Learn more about NIST CSF 2.0
- Addressing the NIST CyberSecurity Framework 2.0 With Identity Security
- How to Align Your Security Strategy with NIST Cybersecurity Framework 2.0
- Prepare for a New NIST Era Webinar