NIST recently released a list of potential changes to their widely accepted Cybersecurity Framework (CSF). Responding to industry requests on relevant issues, version 2.0 favors international collaboration, extended industries, and one entirely new Function. Review the updates – and their implications for your business – before they go live.

The National Institute of Science and Technology (NIST) is on the cusp of releasing the second version of their Cybersecurity Standards, and they’re looking to stay relevant. To keep pace with the current threat landscape, they’ve taken industry suggestions and incorporated them into what will be a draft by this summer and a final version by 2024. It’s not more of the same; the CSF 2.0 will broaden its focus, increase accountability, and look to become – like everything else – more global for the years ahead.

What are the changes?

The original NIST Cybersecurity Framework (CSF) is a set of guidelines developed to mitigate organizational security risks and includes best practices to identify and protect assets, detect and respond to threats, and recover from incidents.

This new version, once crafted, will consider the following changes:

  • Expanded guidance on how to implement it
  • An emphasis on governance
  • An emphasis on supply chain risk management
  • Increased understanding of measurement and assessment

Also, version 2.0 notably expands the reach of the framework beyond critical national infrastructure (CNI) to small businesses and institutions of higher learning. It also names “international collaboration and engagement” as an ‘important theme’ for this newest update.

Why do they matter?

In an effort to stay abreast of the current security challenges, NIST issued a request for information last February. Specifically, they were “seeking information about the use, adequacy, and timeliness of the CSF – and the degree to which other NIST resources (e.g., the Privacy Framework, Risk Management Framework, Secure Software Development Framework, and NICE Workforce Framework) are used in conjunction with, or instead of, the CSF.”

What they got was a lot of positive feedback surrounding the trusted-and-true framework and some relevant updates for the years ahead. “The CSF has been adopted voluntarily and in governmental policies and mandates at all levels around the world, reflecting its enduring and flexible nature to transcend risks, sectors, technologies, and national borders,” the paper reads. To that end, and to continue its usefulness in those arenas, “The ‘Cybersecurity Framework 2.0’ version reflects the evolving cybersecurity landscape — but community needs will drive the extent and content of the changes.”

These changes matter because NIST is responsible for creating the cybersecurity standards and practices in use by the US federal government and, as they state, voluntarily in use by organizations around the world. Many vendor security products are built to comply with NIST frameworks, and billions of dollars of federal funding go into ensuring their research, reliability and relevance is the best in the industry. Outdated NIST policies mean much of the world’s security will be out-of-date.

How do they impact you?

Looking ahead, one of the most significant changes is the addition of the new ‘Governance’ Function. Adding on to the original “identify, protect, detect, respond, recover” is now “govern,” and the implications are large.

This ‘new crosscutting Function’ will not only highlight how important governance is to reducing risk but may also include the following:

  • Determining priorities and risk tolerances
  • Assessing risks and impacts
  • Establishing policies and procedures
  • Understanding cybersecurity roles and responsibilities

This plays largely into the compliance and auditing side and reinforces its value as an increasingly important security pillar in the years ahead. As new data privacy laws pop up, staying safe means being able to foster innovation without stepping outside of the legal lines. CISOs are now seen more as business drivers than ‘security guys,’ and they consequently face expanding responsibilities.

Staying compliant is a key factor to determining success in the digital landscape ahead, and those corporations that are cleared to operate abroad (or even in other states or with other industries) will be the ones who are above board in terms of data privacy regulations. More and more, compliance means competitiveness, and the new NIST standards will be the new benchmark against which organizations will have to measure both.

Why ITEGRITI for NIST CSF 2.0 compliance

ITEGRITI is a cybersecurity consulting firm that works extensively with CNI sectors like water, power, oil and gas, and healthcare. We know what it takes to get existing security architecture up to the level of NIST Cybersecurity Framework adherence, and we can do it again for NIST CSF 2.0. We understand the competitive nature of government contracts and how to get our clients up to speed so that they’re never held back by security deficits, especially when it comes to auditing and compliance. Save

We were there when NIST proposed new guidelines for liquid natural gas, and we keep ahead of the latest CISA security infrastructure so our clients have the latest, most relevant industry requirements in their sights – and in their stacks. Take advantage of our Managed Services as we help you Get Stuff Done and stay compliant with the upcoming NIST framework.

ITEGRITI has deep experience across critical infrastructure cybersecurity programs, compliance, risk, and audit.  Contact us today to learn how we can leverage this experience to help you accomplish your cybersecurity goals.

Contact Us:

ITEGRITI Services: