NIST Releases Cybersecurity Framework 2.0 — February 26, 2024
NIST updated its flagship Cybersecurity Framework with a new Govern function, expanded supply-chain guidance, and implementation resources for organisations of all sizes.
Executive briefing: On February 26, 2024, the National Institute of Standards and Technology (NIST) published Version 2.0 of the Cybersecurity Framework (CSF), the first major revision since 2014. CSF 2.0 introduces a new Govern function, expands supply-chain and third-party risk coverage, and provides implementation profiles and quick-start guides tailored to small and medium-sized entities.
Key updates
- Govern function. Establishes outcomes for cyber risk strategy, policy, roles, and oversight to ensure executive accountability.
- Supply-chain emphasis. Reinforces risk management expectations for suppliers and technology providers, aligning with recent federal directives.
- Implementation resources. Adds the CSF 2.0 Reference Tool, Informative References, and Community Profiles to accelerate adoption across sectors.
Control alignment guidance
- CSF 2.0 Profiles. Map existing security programmes to the new functions and categories, identifying gaps in governance, incident response, and supply-chain management.
- NICE Workforce Framework. Use CSF outcomes to prioritise workforce development initiatives aligned with the Govern and Protect functions.
- ISO/IEC 27001 integration. Update control crosswalks to reflect revised CSF categories and informative references.
Operational recommendations
- Refresh board reporting to incorporate the Govern function outcomes and demonstrate accountability for cyber risk strategy.
- Reassess supplier onboarding and monitoring processes against the updated supply-chain outcomes.
- Leverage NIST’s implementation examples and quick-start guides to tailor CSF 2.0 adoption for business units with varying maturity.