Douglas Needham

July 25, 2024


NIST Cybersecurity Framework: Understanding and Implementing Version 2.0

The NIST Cybersecurity Framework (NIST CSF), particularly its latest version 2.0, serves as a useful foundation for managing and reducing cyber risks. Since the latest updates, the framework incorporates modern security practices and emphasizes the importance of governance, making it more relevant than ever for organizations striving to protect their assets and operations.

This article examines the NIST CSF and explores its key components, with a special focus on its latest version, 2.0. It also outlines best practices for implementing the NIST CSF and highlights how the Squalify platform integrates this framework to help companies develop and implement effective cybersecurity improvement programs.

Key Takeaways

  • The NIST Cybersecurity Framework (CSF) is a tool for organizations to manage and reduce cybersecurity risks.
  • The latest updates in the NIST Cybersecurity Framework (NIST CSF Version 2.0) include the addition of the “Govern” function, emphasizing the importance of organizational governance in cybersecurity.
  • The six core functions of the NIST CSF (Govern, Identify, Protect, Detect, Respond, and Recover) provide a comprehensive approach to building and improving a cybersecurity program.
  • The Squalify platform effectively integrates the NIST CSF outcomes to enhance cyber risk quantification and management. It provides organizations with a standardized and proven method for information security assessment, which can be used for benchmarking and planning improvements in cybersecurity.

NIST Cybersecurity Framework Overview

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (NIST CSF) is a collection of guidelines, best practices, and standards created by the National Institute of Standards and Technology (NIST) to assist organizations in managing and reducing cybersecurity risks. It provides a consistent method and a common language for addressing cybersecurity risk, and it offers a good starting point for organizations building a robust security program.

Initially introduced in 2014, the NIST CSF has become a widely accepted standard for handling cyber risk worldwide. It is designed to offer a flexible and effective approach that can be tailored by organizations of all sizes, industries, and levels of maturity. This framework is particularly important for US companies and those doing business with the US government due to its frequent reference in regulations and government contracts.

In 2024, NIST launched version 2.0 of the framework, which features updated guidance and practices to tackle the changing threat landscape and technological advancements. This version also introduced a sixth function, “Govern,” highlighting the significance of organizational governance in cybersecurity, not just technical controls.

Why the NIST CSF Matters to Modern Organizations

The NIST Cybersecurity Framework offers many benefits for organizations seeking to improve their cybersecurity defenses. Here are some key reasons why the NIST CSF is important:

  1. The NIST CSF addresses all critical aspects of cyber risk management, taking a comprehensive approach to managing risks.
  2. It is designed to be adaptable, allowing organizations to customize the NIST framework to their specific needs and maturity levels.
  3. Although the NIST CSF is especially relevant for US organizations, it is also recognized and utilized globally.
  4. The NIST Cybersecurity Framework (CSF) is a freely accessible, transparent, and open standard. It simplifies compliance with a range of cybersecurity and data privacy regulations, thereby facilitating adherence to legal mandates for effectively managing cyber risks.
  5. The National Institute of Standards and Technology (NIST) offers a range of resources and guidance, such as the NIST Cybersecurity Framework Guide for Small Businesses, to make the NIST CSF accessible to organizations with limited resources.

Key Components of the NIST Cybersecurity Framework

The NIST Cybersecurity Framework consists of three main components: the Core, whose outcomes define the requirements; Organizational Profiles, which put these outcomes in the context of specific industries and technologies; and Tiers, which provide a means to assess how rigorously and consistently those outcomes are implemented. By understanding and using these components, you can effectively implement the NIST Cybersecurity Framework to improve your organization’s cybersecurity posture and resilience.

The NIST Cybersecurity Framework 2.0 core functionalities.

Core Functions of the NIST CSF

The Core provides a set of desired cybersecurity outcomes organized into six functions:

  • Govern: Oversee and guide the entire cybersecurity program, including strategy, roles, and risk assessments (introduced in version 2.0).
  • Identify: Understand and manage cybersecurity risks to systems, data, and capabilities.
  • Protect: Implement safeguards to ensure the delivery of critical services.
  • Detect: Develop mechanisms to identify cybersecurity incidents.
  • Respond: Plan actions to deal with detected cybersecurity events.
  • Recover: Build resilience and restore services impacted by cybersecurity incidents.

Each function includes categories and subcategories that detail the different aspects of cybersecurity management.

NIST Cybersecurity Framework Profiles

A “Profile” in the context of the NIST CSF is a document that describes how the functions, categories, and subcategories of the framework are applied within an organization. Customizing a profile within the NIST CSF helps align your cybersecurity practices with specific business goals and requirements. Profiles can be especially useful when communicating with stakeholders about your cybersecurity efforts and progress.

Community Profiles can also be created; these document how the framework applies to a specific community of interest, such as a particular technology or industry. Examples of Community Profiles are listed on the NIST website.

Cybersecurity Maturity Tiers

NIST CSF uses tiers to communicate cybersecurity maturity. These tiers range from Tier 1 (Partial) to Tier 4 (Adaptive), representing different levels of rigor and consistency in your cybersecurity practices:

  • Tier 1 (Partial): Informal, ad-hoc cybersecurity practices.
  • Tier 2 (Risk Informed): Some formal cybersecurity practices, but not consistently applied.
  • Tier 3 (Repeatable): Formal, consistent cybersecurity practices with some improvement processes.
  • Tier 4 (Adaptive): Advanced, adaptive cybersecurity practices with continuous improvement and optimization.

Assessing your current tiers and aspirational target tiers helps identify areas for improvement and guides the development of a more mature cybersecurity program.
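The current-versus-target comparison described above, worked through as an added example that is not part of the original article: two Profiles assign a Tier to each Core category, the gap between them is computed per category, the result is rolled up per Function, and the categories are ordered for an improvement plan. The category identifiers are taken from the published CSF 2.0 Core rather than from this article, and all tier values are constructed.

```python
"""Current-vs-target Profile gap analysis over the CSF 2.0 Core (added example)."""

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Category identifiers come from the published CSF 2.0 Core (not from this
# article), grouped under its six Functions; every tier value below is constructed.
CORE = {
    "Govern":   ["GV.OC", "GV.RM", "GV.RR", "GV.PO", "GV.OV", "GV.SC"],
    "Identify": ["ID.AM", "ID.RA", "ID.IM"],
    "Protect":  ["PR.AA", "PR.AT", "PR.DS", "PR.PS", "PR.IR"],
    "Detect":   ["DE.CM", "DE.AE"],
    "Respond":  ["RS.MA", "RS.AN", "RS.CO", "RS.MI"],
    "Recover":  ["RC.RP", "RC.CO"],
}
FUNCTION_OF = {cat: fn for fn, cats in CORE.items() for cat in cats}

def validate_profile(profile):
    """A Profile must assign a valid Tier to every Core category and nothing else."""
    unknown = set(profile) - set(FUNCTION_OF)
    missing = set(FUNCTION_OF) - set(profile)
    bad = {c: t for c, t in profile.items() if t not in TIERS}
    if unknown or missing or bad:
        raise ValueError(f"unknown={sorted(unknown)} missing={sorted(missing)} bad={bad}")
    return True

def gap_analysis(current, target):
    """Per-category gap (target minus current); 0 means the target is already met."""
    validate_profile(current)
    validate_profile(target)
    return {c: target[c] - current[c] for c in FUNCTION_OF}

def function_rollup(profile):
    """Per Function: (weakest category tier, mean tier). The minimum is listed
    first because one Tier 1 category undermines the whole Function."""
    validate_profile(profile)
    return {fn: (min(profile[c] for c in cats),
                 round(sum(profile[c] for c in cats) / len(cats), 2))
            for fn, cats in CORE.items()}

def improvement_plan(current, target):
    """Categories still below target, largest gap first, then lowest current tier."""
    gaps = gap_analysis(current, target)
    rows = [(c, FUNCTION_OF[c], current[c], gaps[c]) for c in gaps if gaps[c] > 0]
    return sorted(rows, key=lambda r: (-r[3], r[2], r[0]))

# Constructed sample: a mostly Tier 2 organisation aiming for Tier 3 overall,
# with Tier 4 targets for access control, data security and monitoring.
CURRENT = {c: 2 for c in FUNCTION_OF} | {"GV.OV": 1, "GV.SC": 1, "PR.AA": 3, "DE.CM": 3, "RC.RP": 1}
TARGET = {c: 3 for c in FUNCTION_OF} | {"PR.AA": 4, "PR.DS": 4, "DE.CM": 4}
```

Reporting the weakest category alongside the mean keeps a single neglected category (here supply chain oversight or recovery planning) from being hidden by strong neighbours in the same Function.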

NIST CSF Core Functions in Detail

In the past, the NIST Cybersecurity Framework defined five core functions to help organizations manage and minimize cybersecurity risks. Each function included specific actions and best practices to achieve important cybersecurity goals. In the updated version 2.0, NIST added “Govern” as a sixth function alongside the existing five.

Govern

The Govern function oversees and guides the entire cybersecurity program, ensuring that all activities align with your organization’s strategic goals and regulatory requirements. This function, introduced in version 2.0 of the NIST Cybersecurity Framework, emphasizes the importance of governance in effectively managing cybersecurity risks. Key activities include:

  • Developing a comprehensive cybersecurity strategy that outlines the approach to managing cybersecurity risks.
  • Clearly assigning and documenting the roles and responsibilities of individuals involved in the cybersecurity program.
  • Regularly evaluating cybersecurity risks to understand potential impacts and prioritize mitigation efforts.
  • Creating and maintaining policies that govern cybersecurity practices and ensure compliance with relevant regulations.
  • Implementing mechanisms to monitor the effectiveness of the cybersecurity program and making adjustments as needed.
  • Ensuring cybersecurity risks related to the organization’s supply chain are managed.

By implementing the Govern function, your organization can ensure that your cybersecurity efforts are strategically aligned and well-coordinated. This function helps in maintaining accountability, enhancing transparency, and fostering a culture of continuous improvement in cybersecurity management.

Identify

The Identify function helps you understand the context of your business and manage cybersecurity risk. It involves developing a detailed understanding of how to manage cybersecurity risks to systems, assets, data, and capabilities. Key activities include:

  • Creating asset inventories;
  • Conducting vulnerability, threat, and risk assessments;
  • Ensuring the organization learns from evaluations, tests and other exercises and makes improvements.

Protect

The Protect function focuses on implementing safeguards to ensure the delivery of critical services. You apply measures to limit or contain the impact of potential cybersecurity events. Key activities include:

  • Establishing measures to manage identities, authentication and access;
  • Training and awareness programs;
  • Protecting data at rest, in transit, in use and in backups;
  • Ensuring technology platforms and infrastructure are built, configured, and operated securely and with resilience.

Detect

The Detect function pertains to discovering cybersecurity events in a timely manner. This involves continuous monitoring and detecting anomalies and events that may compromise cybersecurity. Key activities include:

  • Continuous security monitoring of networks and user activity;
  • Analyzing detected events to identify when incidents have occurred.

Respond

The Respond function outlines how to manage and mitigate cybersecurity incidents. It ensures that you have a strategy in place to address the detected cybersecurity events promptly and effectively. Key activities include:

  • Developing and implementing incident response plans;
  • Communication protocols during and after an incident;
  • Analyzing the response to improve future responses.

Effectively applying the Respond function helps you limit the impact of cybersecurity incidents, allowing faster recovery and continuity of operations.

Recover

The Recover function deals with restoring any services that were impaired due to a cybersecurity incident. It emphasizes maintaining resilience plans and restoring capabilities or services. Key activities include:

  • Developing and implementing recovery plans;
  • Coordinating recovery efforts with stakeholders;
  • Reviewing and updating recovery strategies based on past incidents.

Focusing on the Recover function ensures that your organization can quickly return to normal operations and minimize downtime and disruption following a cybersecurity event.

Information Security Assessment: How We Use the NIST Cybersecurity Framework in the Squalify Platform

Information Security Maturity

At Squalify, we have integrated the NIST Cybersecurity Framework (CSF) into our approach to assessing information security. Our platform allows you to record your security maturity for each control (the framework’s subcategories), giving a maturity level per control. Already done a maturity assessment using the NIST Tiers? We can easily map it to our internal maturity levels.

Snapshot of the Information Security Controls Data Entry on the Squalify Platform.

When quantifying your organization’s information security risk with Squalify, you have two options: either determine the maturity level for all security controls or solely focus on the top 28 controls for a quicker assessment.

The top 28 is a focused subset of NIST controls that, based on Squalify expert analysis and historical loss data, are key to managing cyber risk. These controls contribute the majority of the overall maturity score. The top 28 are ideal for conducting cyber risk assessments within a shorter time while achieving sufficient output quality.

We chose the NIST CSF because it’s a globally recognized standard that ensures transparency and a common language for all users. Our adoption of the NIST CSF allows you to easily and quickly re-use existing security maturity assessments if you’ve already conducted one using the NIST framework. Additionally, it makes it easier to align with other quantification frameworks as the NIST CSF is widely mapped, and we have experience in mapping other control frameworks to the NIST CSF.

Simulate Maturity Improvement

The NIST CSF is also integrated into Squalify’s simulation features. Want to see how much improving the maturity of certain NIST control categories would reduce potential financial losses? Use a simulation to quickly get an answer.

Snapshot of the Modelled Large Loss Simulation for Data Privacy Breach.

Group Cybersecurity Steering

For CISOs responsible for cybersecurity across a large group of companies and subsidiaries, the NIST CSF maturity assessment within the Squalify platform can be compared across subsidiaries to monitor performance and identify areas for improvement. Through the Squalify dashboards, CISOs can quickly review maturity trends and prioritize subsidiaries for further attention.

Final Words

The NIST Cybersecurity Framework (NIST CSF) is an invaluable tool for organizations aiming to strengthen their cybersecurity posture. With the release of version 2.0, the framework has become even more relevant, incorporating modern security practices and emphasizing the importance of governance. This comprehensive and flexible framework is suitable for a wide range of sectors and maturity levels, making it a critical asset for any organization looking to manage and reduce cyber risks effectively.

By adopting the NIST CSF, you can improve your security practices, ensure regulatory compliance, and build trust with stakeholders. The framework’s structured approach provides a clear path to enhancing cybersecurity resilience and mitigating threats.

The Squalify platform leverages the NIST CSF to provide robust cyber risk quantification and management results. Squalify’s ability to assess security maturity makes the platform an essential tool for organizations committed to maintaining a strong cybersecurity posture.

Frequently Asked Questions (FAQs) for the NIST Cybersecurity Framework

What is the NIST Cybersecurity Framework (NIST CSF)?
What are the key updates in NIST CSF version 2.0?
How does the Squalify platform integrate the NIST Cybersecurity Framework?
How does the NIST Cybersecurity Framework help with regulatory compliance?

About

Douglas Needham

Douglas Needham is passionate about demystifying the complex world of information security, replacing jargon with plain language, and seeing the positive in the frequently all too cynical world of cyber security. He currently leads the delivery of cyber risk quantification at Squalify, supporting senior security and risk stakeholders with adopting quantification and using the results to inform their business decision making. Doug’s background includes over 15 years’ experience across secure system design, incident response, audit, GRC, consulting, and information security leadership in large corporate, scale-up, and start-up businesses including Allianz Insurance, EDF and Klarna.
