NIST Cybersecurity Framework: Evolution and Impact 2022-2024

In the ever-evolving landscape of cybersecurity, staying ahead of threats is paramount. Here, we delve into the recent major update to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).



What is the NIST CSF?

Introduced in 2014, the NIST CSF is a flexible guidance structure for managing and mitigating cybersecurity risks. It has become a cornerstone for organizations aiming to enhance their security posture, and by 2022 it had become a recognized global standard. The framework consists of five core outcomes: Identify, Protect, Detect, Respond, and Recover. Each offers a systematic approach to achieving proactive and comprehensive cybersecurity risk management. For further information on the NIST CSF, readers should watch Cyber Citadel’s dedicated video released in 2022.

Evolution: from 2022 to 2024

The evolution of the NIST framework from 2022 to 2024 was driven by feedback from stakeholders, technological advancements, and emerging threats. NIST engaged with industry leaders, government agencies, and cybersecurity academics to gather insights, which led to the release of NIST CSF version 2.0 in February 2024.

Key Updates in NIST CSF 2.0

Govern Function: A sixth core feature, which addresses cybersecurity risk management strategy, expectations, and policy. This emphasizes the importance of overall governance in making informed decisions on cybersecurity, crucial for senior leaders considering enterprise risk factors such as finance and reputation.

Supply Chain Risk Management: With cyberattacks increasingly targeting supply chains, the inclusion of supply chain risk management into the framework is an essential update, which bolsters resilience across interconnected operational and informational technology networks.

Expanded Scope: The framework has expanded to help all organizations manage risk, not just those in critical infrastructure. This provides more comprehensive coverage to industry sectors as a whole and will help to encourage communities to build collective security.

New Tools: The NIST CSF 2.0 provides new and improved tools.

  1. CSF 2.0 Reference Tool – browse, search, and export data from the CSF core guidance in both human-consumable and machine-readable formats using this tool.
  2. Informative Reference Mapping – view and create mappings between NIST CSF and over 50 other cybersecurity documents, enabling cross-referencing with other standards.
  3. Cybersecurity & Privacy Reference Tool (CPRT) – a centralized, standardized, and modern mechanism for managing reference data sets, providing access to an interrelated set of NIST guidance documents to contextualize the NIST CSF with other popular resources.

Implementation Examples: NIST CSF 2.0 provides examples of concise, action-oriented steps to achieve the core functions of the CSF, allowing users to see how to best use the tools and information available to achieve practical outcomes.

Conclusion

The NIST Cybersecurity Framework has evolved significantly from 2022 to 2024, adapting to new challenges such as supply chain risk to stay relevant and reinforce its role as a cornerstone of cybersecurity strategy. NIST CSF version 2.0 has expanded its scope and placed greater emphasis on governance to highlight the need for an overarching strategy. New tools are available to facilitate this, along with implementation examples to understand how the CSF works in practice. As threats continue to evolve, so will the NIST CSF, ensuring organizations are able to understand, assess, prioritize, and communicate cybersecurity risks and thereby remain resilient in the face of cyber threats.

As users customize the CSF, we hope they will share their examples and successes, because that will allow us to amplify their experiences and help others. That will help organizations, sectors, and even entire nations better understand and manage their cybersecurity risk.

– Kevin Stine, chief of NIST’s Applied Cybersecurity Division

Implement the NIST CSF with Cyber Citadel

To implement the NIST CSF into your cybersecurity posture, contact Cyber Citadel today for a free consultation. Cyber Citadel is ready to help you get the most out of frameworks such as NIST and achieve the internationally recognized cyber risk strategy you need to keep your assets safe.

The risk is real. Defend with Cyber Citadel.