The NIST Cybersecurity Framework (CSF) 2.0 is the first major update since the framework was created in 2014. It was finalized in early 2024. This article reviews some of the important changes in CSF 2.0 compared with v1.1, briefly examines how v2.0 improves alignment with other cybersecurity standards and frameworks, and compares CSF 2.0 with the ISO 27001 standard for information security management systems.
CSF 2.0 retains the five core functions of v1.1 — identify, protect, detect, respond, and recover — but adds a new govern function focused on cybersecurity governance and on aligning cybersecurity with business objectives. Where v1.1 focused on operational cybersecurity, v2.0 adds an explicit expectation of continuous improvement. The discussion of supply chain risk management in v2.0 is more robust and detailed than in v1.1.
Qualitative risk assessments were the focus of v1.1; v2.0 adds the concepts of continuous and quantitative risk assessment. Finally, v1.1 included only general implementation guidelines, whereas v2.0 includes detailed implementation examples and application scenarios (Figure 1).

Governance
The new govern function added in v2.0 is the most significant change from v1.1. It embodies a shift to a more comprehensive and strategic approach to cybersecurity and impacts each of the five other core functions (Figure 2). The govern function includes establishing risk management objectives aligned with the organization’s mission, goals, and stakeholder expectations. It also supports:
- Establishing a standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks.
- Defining and maintaining risk appetite and tolerance statements.
- Integrating cybersecurity into the overall organizational risk management strategy.
Alignment
CSF 2.0 has improved its alignment with several important frameworks and standards. That does not mean it agrees completely with those standards, but it is designed to harmonize with and support them, including:
- Center for Internet Security (CIS) Controls, a set of best practices for implementing cybersecurity.
- NIST Privacy Framework, which helps organizations balance the need to use personal data against privacy demands.
- NIST Risk Management Framework (RMF), a seven-step process that integrates cybersecurity, privacy, and supply chain risk management into the system development life cycle.
- Payment Card Industry Data Security Standard (PCI DSS), a set of rules and guidelines for protecting credit and debit card information.
- Sarbanes-Oxley, which defines financial reporting standards and record-keeping requirements for public corporations.
- ISO 27001, an international standard that provides a framework for defining, implementing, operating, and improving an Information Security Management System (ISMS) to protect information assets.

NIST CSF vs. ISO 27001
NIST CSF 2.0 and ISO 27001 both focus on protecting an organization’s data and reducing the risk from cybersecurity threats. Some of the important differences between the two include (Figure 2):
- NIST CSF 2.0 is a guide, while ISO 27001 is a compliance standard.
- There is no certification process for NIST CSF 2.0, while ISO 27001 certification requires a formal audit and audit report.
- NIST CSF 2.0 is designed to help organizations in the initial stages of developing a security framework. In contrast, ISO 27001 is designed for use by organizations with more serious security risks and more mature security frameworks.
- NIST CSF 2.0 is available for free download, but costs are associated with implementing ISO 27001.
It’s sometimes recommended that organizations implement both NIST CSF 2.0 and ISO 27001. Although the two overlap greatly, they are not identical, and compliance with one does not ensure compliance with the other. A security program that integrates the requirements of both NIST CSF 2.0 and ISO 27001 provides a stronger cybersecurity environment than using only one or the other.

Summary
NIST CSF 2.0 includes many new features, including increased emphasis on quantitative analysis, deeper integration of supply chain management, and implementation details and application scenarios. The new govern function shifts the cybersecurity paradigm toward a more strategic focus, and the alignment of v2.0 with numerous other cybersecurity frameworks and standards deepens the CSF’s utility for security professionals.