Navigating the NIST CSF 2.0 Changes
Is your organization pursuing a shift from the NIST Cybersecurity Framework (CSF) 1.1 to 2.0? We know it’s another task to add to what is likely a long list. At first glance, this may seem daunting, so we’ll share our tips on how to streamline the transition and make it as painless as possible to navigate some of the key NIST CSF 2.0 changes.
Since the new release, our team of cybersecurity consultants has had the opportunity to work with our clients on adapting to the changes. Through that process, we have discovered some key takeaways for those familiar with NIST CSF 1.1 who have an interest in mapping to 2.0. This blog will review the key NIST CSF 2.0 changes and then look at structural changes in 2.0 and show you how to navigate them. We’ll also highlight some essential resources provided by NIST to support your transition.
Summary of Changes
NIST CSF 2.0 was released in its final version on February 26, 2024, following a public comment period. Our team published a blog on the changes in the draft version, which are still applicable in the final version. The final version is largely the same as the draft, although some categories were moved and the wording of some categories and subcategories changed.
The biggest change was the addition of a sixth function called Govern, which is dedicated to cybersecurity leadership, strategy, planning, and oversight. Govern also puts more emphasis now on Supply Chain Risk Management (also known as Third-Party Risk Management and Vendor Risk Management), which LMG Security has been highlighting as a top security control of 2024. If you’re looking for additional information beyond the policy advice in this blog, check out our recent Third-Party Risk Management (TPRM) blog where we dive into TPRM best practices.
Mapping NIST CSF 1.1 to NIST CSF 2.0 Changes
The NIST CSF 2.0 changes and additions are valuable, but navigating the specific changes in the framework requires some research and mapping. Our team learned a lot about this as we moved from the initial draft review to implementing the framework in practice.
Before we dig into the details, here is a quick refresher on NIST CSF terminology related to the framework’s structure:
- Function: NIST CSF 2.0 is organized into six high-level functions that describe outcomes for managing cybersecurity risk. The functions are Govern, Identify, Protect, Detect, Respond, and Recover.
- Category: Each function is made up of categories, which describe more specific outcomes that comprise the function.
- Subcategory: These are more specific outcomes of management and/or technical activities that support the outcome of the category. LMG typically refers to the subcategories as controls.
An initial review of the framework shows that for existing function and category sections, the subcategory numbering follows that of NIST CSF 1.1. A closer look at the subcategories, however, shows intentional gaps in the numbering, and it may feel like there is a reduced number of controls in several categories. In some cases, topics aren’t where they used to be, but that doesn’t mean they’ve been removed.
Fortunately, NIST provides a very helpful guide to the changes. It is called the Informative References and our team finds it essential. The Informative References provides detailed updates for each subcategory in both v1.1 and v2.0. It explains which subcategories have been moved to other categories or functions and which have been merged with other subcategories to reduce redundancy.
Let’s look at some examples to illustrate the different types of NIST CSF 2.0 changes:
- Topics moved and merged: The biggest example of moved categories and subcategories is the shift from the Identify function to Govern.
  - The categories that moved to Govern are Business Environment, Governance, Risk Management Strategy, and Supply Chain Risk Management. Some of the corresponding subcategories were moved as is, while others were incorporated into different subcategories to reduce redundancy. No content was removed or reduced.
  - The Informative References section for the Identify function shows exactly where each subcategory moved in v2.0 and which were incorporated into other subcategories.
- Content was consolidated into fewer subcategories: This approach makes good sense for reducing redundancy, but it can also be misleading if you think the category shrank in content. For example, let’s look at the Training and Awareness category within the Protect function.
  - In v1.1, there were five subcategories. Each addressed training for different roles in the organization (users, privileged users, third-party stakeholders, executives, and physical and information security staff).
  - In v2.0, there are now just two subcategories, giving the impression of fewer controls or less content. But if you look at the Informative References, you can see no content was dropped; it is simply captured differently now.
  - In v2.0, the first subcategory is about training for personnel in general. The second now speaks to “specialized roles”, with more detail provided in the Informative References to consider “such as physical and cybersecurity personnel, finance personnel, senior leadership, and anyone with access to business-critical data”.
- Content was moved and restructured: Several categories underwent multiple changes that are a little trickier to map out. We’ll use Data Security within the Protect function to illustrate a category with multiple types of changes.
  - In v1.1 there were eight subcategories; with the NIST CSF v2.0 changes there are now four. Again, no content was dropped from the framework. It was just moved and restructured in a few ways.
  - The Informative References are essential for mapping this out. Examining each of the previous and current subcategories, we can understand how content shifted, which allows us to restructure our assessments and policies to match.
  - Two subcategories were kept but with expanded content merged from other v1.1 controls. For example, PR.DS-01 expanded from “Data-at-rest is protected” to “The confidentiality, integrity, and availability of Data-at-rest is protected”.
  - Two are now in Technology Infrastructure Resilience, which is a new category within the Protect function.
  - Two were incorporated into categories in other functions, where they seem to fit better and reduce redundancies overall.
  - Two were merged into the remaining controls in Data Security, including the example mentioned previously in PR.DS-01.
  - Then there are two new Data Security controls: one for the protection of Data-in-use, and one that was moved from a Protect category that no longer exists, Information Protection Processes and Procedures.
This can be a lot to sort out! Our team recommends working through the categories one by one and leveraging the Informative References as a guide. If you are already using v1.1, one approach could be to start by reorganizing the content of the existing functions and categories before starting with the new ones.
Also, don’t underestimate the size of the task or the extent of the content expansion from v1.1 to v2.0. For reference, v1.1 had 22 categories with 108 subcategories, and with the NIST CSF 2.0 changes, it now has 22 categories with 106 subcategories. While our team initially felt there was a similar volume of topics and content, we quickly realized there is now more content packed into a similar-sized framework through the merging and restructuring described in our examples. Be sure your project plan allows enough time to carefully work through the details of the changes!
Additional Resources:
Our team found the Informative References the best starting point for mapping the changes in v1.1 to v2.0 and getting a clear picture of where and how the content moved and merged.
We also appreciate NIST’s new “Implementation Examples”. This resource gives practical, prescriptive guidance on how the controls can be implemented to fit your organizational needs. This can be particularly beneficial for understanding consolidated subcategories and the newly introduced controls found in version 2.0.
Other new resources include quick start guides, organizational profiles, and resources tailored specifically to small businesses. The expansion of resources to support organizations in their CSF journey is a great step in making the CSF even more accessible to organizations of all sizes and in different industries.
Upgrade to NIST 2.0 and Align Your Program
Whether you are familiar with NIST CSF v1.1 and want to migrate to NIST CSF v2.0 or are in the early stages of developing a cybersecurity program, please contact us if you need help. Our team of experienced advisory consultants can reduce the burden on your team and help you to quickly leverage the updated NIST 2.0 Cybersecurity Framework.
References:
https://www.nist.gov/cyberframework