NIST 2.0 as a Framework for All

By Utsav Adhikari, of Logpoint

Originally developed for federal use, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) has been widely adopted across the world (and translated into numerous languages) by organisations to mitigate information security and organisational risk. It lends itself to a variety of risk assessments by helping to identify and prioritise risk. It is typically used for risk profiling, measuring cyber maturity and developing cybersecurity improvement programmes. In fact, it has proven so popular that when it came to revising the standard a decade after its inception, NIST decided to make it applicable to anyone involved in managing risk, to help guide their cybersecurity decision making.

NIST 2.0 was launched at the end of February 2024 with a remit to help organisations “of all sizes and sectors” to manage cybersecurity risk, reflecting the ubiquitous nature of cyber threats and the potential impact they can have on any business, even those not traditionally considered ‘critical’. It’s a recognition of the fact that the framework is now widely applicable due to the vastly different digital ecosystem and threat landscape compared to ten years ago.

A decade has led to a different world

Organisations are now much more interconnected, often relying on third-party vendors and cloud-based services. A breach in one system, including one introduced through adversarial manipulation, impacts an organisation’s partners and its customers. This makes supply chain risk a key concern. Gartner predicts that by next year, 60% of supply chain organisations will use cybersecurity risk as a key determinant when conducting transactions and business engagements, revealing that such frameworks are likely to become indispensable.

We also now collect, store, and process vast amounts of data, including sensitive customer information, financial records, and intellectual property (IP). This data represents valuable assets that cybercriminals actively target. So, businesses are wholly reliant upon and need to defend their digital assets and that means identifying and prioritising the risks they face to ensure confidentiality, integrity and availability (CIA).

Moreover, cyberattacks are constantly becoming more sophisticated, targeting not just specific sectors, but exploiting any weaknesses they can find. From ransomware attacks disrupting operations to data breaches exposed through manipulated systems, the threat landscape is constantly evolving with adversarial changes adding another layer of complexity. Defending against everything is not an option and the only way the organisation can hope to mitigate these threats is through recognition and prioritisation of the risks they face.

How NIST 2.0 has been improved

NIST 2.0 has been streamlined and reorganised for improved usability with clear instructions and easy-to-follow steps, making it accessible to a wider audience.

It can be adapted to the organisation, making it suitable for organisations with differing levels of maturity, appetites and tolerances, and is outcome-based with those outcomes then mapped to security controls for consideration to mitigate risk. Importantly, it’s not prescriptive in nature but focuses purely on what desirable outcomes are. This flexible approach focused on high-level outcomes instead of prescriptive solutions sends a clear message to the security practitioners globally – tailor the policies, controls and procedures to the specific outcomes that are relevant for your organisational context.

The new version retains the five core functions of the original, i.e. Identify, Protect, Detect, Respond and Recover. ‘Identify’ catalogues the assets of the organisation and related cybersecurity risks, and ‘Protect’ covers the safeguards and measures that can be taken to protect those assets. ‘Detect’ focuses on the means the organisation has to find and analyse anomalies, indicators of compromise and events, and ‘Respond’ covers the process that then happens when a threat is detected. Finally, ‘Recover’ looks at the capability of the organisation to restore and resume normal operations. However, under NIST 2.0 there is now a sixth function: ‘Govern’.

‘Govern’ is an overarching function that encompasses the other five and determines that the cybersecurity risk management strategy, expectations and policy are established, communicated, and monitored. It also speaks to the use of the framework in a private sector context because it recognises the need to incorporate cybersecurity into the Enterprise Risk Management (ERM) strategy. Whereas the other five functions can be broadly regarded as very practical in nature, Govern fulfils the management part of the puzzle and the need to communicate risk effectively.

Each function then has categories of outcomes, which are broken down into greater detail in related subcategories. For example, categories under the new ‘Govern’ function include: organisational context; risk management strategy; roles, responsibilities and authorities; policy; oversight; and cybersecurity supply chain risk management. These have their own subcategories. For instance, under ‘Oversight’ there are three subcategories determining that risk management strategies are reviewed, adjusted and evaluated.

Making the CSF work

However, as the CSF itself is non-prescriptive, organisations will need to turn to the accompanying resources for guidance on implementation. The Quick Start Guides can help to kick things off and include advice on how to use the tiering from levels 1-4 to assess cyber maturity and how to use these as the basis for Current and Target risk profiles. But when it comes to how to practically achieve the outcomes, the organisation will need to refer to the Informative References in the Resource Centre. These map the CSF to the categories and subcategories and give those all-important implementation examples.

For example, under ‘Detect’, and the category ‘Adverse Event Analysis’, the subcategories specifically refer to the use of a Security Information and Event Management (SIEM) platform. It is proposed that the technology can be used to continuously monitor log events for known malicious activity, to collect and correlate information from multiple sources, and to estimate impact and scope and review and refine those estimates.
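As an added illustration of the three Adverse Event Analysis outcomes just listed (this is not code from the article or from Logpoint), the following Python sketch correlates constructed firewall and endpoint log lines against a hypothetical watchlist and reports scope; every IP address, hash value and log format in it is made up.

```python
# Added example, not from the article or Logpoint: a minimal correlation step
# of the kind the DE.AE subcategories describe, run over constructed log lines.
# The watchlist, hosts and log formats are all hypothetical placeholders.
from collections import defaultdict

# Constructed watchlist of "known malicious" values (placeholders, not real IoCs).
WATCHLIST = {"ip": {"203.0.113.7"}, "sha256": {"deadbeef" * 8}}

# Constructed sample events from two sources: a firewall and an endpoint agent.
FIREWALL_LOGS = [
    "2024-03-01T10:00:01Z fw src=203.0.113.7 dst=10.0.0.5 action=allow",
    "2024-03-01T10:00:05Z fw src=198.51.100.9 dst=10.0.0.6 action=allow",
    "2024-03-01T10:01:10Z fw src=203.0.113.7 dst=10.0.0.8 action=allow",
]
ENDPOINT_LOGS = [
    "2024-03-01T10:00:30Z edr host=10.0.0.5 sha256=" + "deadbeef" * 8,
    "2024-03-01T10:00:40Z edr host=10.0.0.6 sha256=" + "00" * 32,
]

def parse(line):
    """Turn the 'key=value' tokens after the timestamp and source into a dict."""
    ts, source, *kv = line.split()
    fields = dict(token.split("=", 1) for token in kv)
    return {"ts": ts, "source": source, **fields}

def correlate(firewall, endpoint):
    """Return per-host findings that combine evidence from both log sources.

    A host gets one reason per source that matched the watchlist; two reasons
    means the firewall and endpoint evidence corroborate each other.
    """
    findings = defaultdict(list)
    for ev in map(parse, firewall):          # continuous monitoring: known-bad source IP
        if ev.get("src") in WATCHLIST["ip"]:
            findings[ev["dst"]].append(f"inbound from watchlisted IP {ev['src']}")
    for ev in map(parse, endpoint):          # second source: known-bad file hash
        if ev.get("sha256") in WATCHLIST["sha256"]:
            findings[ev["host"]].append("watchlisted hash executed")
    return dict(findings)

def estimate_scope(findings):
    """Scope = every affected host; confirmed = hosts with evidence from both sources."""
    confirmed = [host for host, reasons in findings.items() if len(reasons) >= 2]
    return {"affected_hosts": sorted(findings), "confirmed_hosts": sorted(confirmed)}

if __name__ == "__main__":
    print(estimate_scope(correlate(FIREWALL_LOGS, ENDPOINT_LOGS)))
```

In a real SIEM the watchlist and parsers are replaced by the platform's threat intelligence feeds and source integrations, but the review-and-refine loop is the same: hosts that only appear in one source stay low confidence until a second source corroborates them.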

Combining the SIEM with other technologies, such as Security Orchestration, Automation and Response (SOAR), can also assist with the implementation of the ‘Respond’ function by enabling accelerated, coordinated, and effective responses to detected security incidents, while effective log management also enables the organisation to leverage the ‘Recover’ function by making it easier to gather evidence of an occurrence.

In these respects, the new CSF proves an invaluable resource for those involved with cybersecurity risk management whether they are leading and reporting on or developing and implementing cybersecurity initiatives. It is flexible enough to be applied to any organisation, irrespective of size or industry, and through its outcome-based approach, can document and elevate risk management within the organisation. Moreover, the additional resources help provide guidance on how to achieve those outcomes via processes and controls, turning theory into reality.

Utsav Adhikari focuses on building security products to solve the complex compliance, TDIR, and risk management challenges of security practitioners. He has a particular focus and expertise working with SMBs in the EU region. Utsav has more than 8 years of experience building data-driven solutions and has worked in cybersecurity for 6 years. Currently, Utsav works for Logpoint as a Senior Product Manager.