
NIST Cybersecurity Framework v2

In early 2024, the National Institute of Standards and Technology (NIST) unveiled a major overhaul of its flagship cybersecurity framework. This overhaul brought the NIST Cybersecurity Framework (CSF) out of the critical infrastructure world and into broader use, applicable to the overwhelming majority of the cyber landscape. As a result, the specific provisions have been largely refactored to better align with the new major categories (“NIST Releases Version 2.0 of Landmark Cybersecurity Framework,” 2024).

Most notably, the Govern category has been added. This resulted in the remapping of provisions from most other categories. Approximately half of the Identify category was rolled into the Govern category, with a realignment of provisions from all other categories performed to refill the Identify category (Yip, 2024). This is expected to allow for an improved implementation of the National Cybersecurity Strategy (National Cybersecurity Strategy, 2023).

The main deliverable achieved in the NIST CSF 2.0 is the NIST Cybersecurity Framework 2.0 Reference Tool. This allows a standard user to view and export information from the Core module of the CSF 2.0. The user can retrieve this data in easily parsable JSON or CSV file formats. This augments the improved catalog with the ability to easily map controls to their requirements.

Overall, version 2.0 appears to primarily build on the original 1.0 without subtracting anything from the previous version. As it appears to merely reorganize and enhance previous guidance, there appear to be minimal negative viewpoints regarding this change. The addition of the Govern framework category allows for increased visibility into privacy-related actions and controls. As the overall risk profile is contextualized with specific policies from the organization, privacy outcomes can be prioritized based on the governance requirements.

Expanding the scope from critical infrastructure to general cybersecurity improves the ability of the NIST Cybersecurity Framework to provide privacy guidance. As critical infrastructure tends to have fewer privacy data processing events, less attention would likely be spent on ensuring privacy controls are being adequately performed. Additionally, the CSF now references the NIST Privacy Framework and the NIST Privacy Risk Assessment Methodology. The CSF also includes a diagram showing the relationship of cybersecurity risks and privacy risks to further reinforce the relationship (National Institute of Standards and Technology, 2024).

Overall, the additions to the NIST Cybersecurity Framework have a positive impact on the ability of an organization to conduct privacy control-related activities. By expanding the scope of the CSF to include all aspects of cybersecurity, NIST has increased accessibility beyond just critical infrastructure. By remapping controls and including a new reference tool, NIST has ensured that the modern framework is applicable to problems faced by both cybersecurity and privacy experts.

References:

National Cybersecurity Strategy. (2023). https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf

National Institute of Standards and Technology. (2024). The NIST Cybersecurity Framework (CSF) 2.0 (NIST CSWP 29). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.CSWP.29

NIST Releases Version 2.0 of Landmark Cybersecurity Framework. (2024). NIST. https://www.nist.gov/news-events/news/2024/02/nist-releases-version-20-landmark-cybersecurity-framework

Yip, I. (2024, August). NIST CSF 1.1 and 2.0 Comparison. https://assets-global.website-files.com/624f7f7a4defc1e88a97f566/64dc15021b62dc3a965b7f07_NIST%20CSF%201.1%20and%202.0%20DRAFT%20Comparison.pdf