March 6, 2024

What's new in the NIST Cybersecurity Framework v2.0?

This blog is part of a series of posts highlighting how Field Effect's holistic cybersecurity solution can help our customers attain their compliance goals.

Whether it’s to mitigate risks, maintain a cyber insurance policy, or fulfill a contractual requirement, Field Effect knows how important it is for businesses to adhere to industry-standard compliance frameworks.

The NIST CSF v2.0 is here!

In February 2024, the National Institute of Standards and Technology (NIST) officially released version 2.0 of its Cybersecurity Framework (CSF). This new version replaces v1.1, which was released in 2018.

Six years might not seem like a long time, but we’ve seen significant changes in cybersecurity over that period.

From the evolution of ransomware and cybercrime-as-a-service to increased threats from supply chain attacks and business email compromises, the cyber landscape is more perilous than ever.

CSF v2.0 not only reflects changes to the cybersecurity landscape but implements feedback from stakeholders to stay relevant and valuable.

What’s new in CSF v2.0?

While CSF 2.0 will feel familiar to anyone who has worked with previous versions, there are some significant changes to the framework.

A simplified title

First off, it has a new name. Formerly known as the “Framework for Improving Critical Infrastructure Cybersecurity,” it has been shortened and simplified to “The NIST Cybersecurity Framework.”

While that might not seem like a big deal, the new version and its reference documents are full of vocabulary changes and real-world examples that make one thing clear: CSF 2.0 is now structured to help all organizations, regardless of size or industry, manage and reduce cybersecurity risk.

Greater focus on governance

Another significant change in the new version is its focus on governance. CSF 2.0 has a new function, Govern, which emphasizes that cybersecurity is a significant source of enterprise risk and encourages senior leaders to consider cybersecurity alongside other risks such as finance and reputation.

This new focus will ideally foster a more comprehensive and proactive approach to managing cyber threats by business leaders and encourage them to dedicate the necessary resources to keep their information safe.

New guides and references

Lastly, there are big changes in the documentation and reference guides available for download from the NIST website.

You can find quick-start guides written for specific audiences, success stories outlining the implementation journeys of other organizations, and a searchable catalog of informative references that allow users to cross-reference the framework’s guidance to other cybersecurity documents.

These resources are designed to provide different audiences with tailored pathways that make the framework easier to implement.

How is NIST CSF 2.0 organized?

Other than the new function, Govern, mentioned above, the structure of the CSF remains largely the same.

It’s still broken down into core functions. Each function still has a set of categories and subcategories, within which are one or more security controls.

Remember, these functions are not intended to be implemented one after another; they are meant to be addressed concurrently and revisited as the threat landscape and the organization evolve.

  • Govern: The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
  • Identify: The organization’s current cybersecurity risks are understood.
  • Protect: Safeguards to manage the organization’s cybersecurity risks are used.
  • Detect: Possible cybersecurity attacks and compromises are found and analyzed.
  • Respond: Actions regarding a detected cybersecurity incident are taken.
  • Recover: Assets and operations affected by a cybersecurity incident are restored.

Is NIST CSF 2.0 mandated?

NIST CSF was developed as a voluntary standard for organizations wishing to improve their cybersecurity risk management, and nothing in the new version changes that.

In most cases, it will not be mandated. However, there’s always a chance that a cyber insurance company or customer might require adherence to CSF or a similar standard to show your organization’s commitment to security and privacy.

Our thoughts on the NIST CSF

Field Effect respects the NIST CSF standard greatly, especially as it aligns closely with our company’s goal of helping organizations of all sizes improve their cyber resilience.

Both Field Effect and NIST believe in meeting organizations where they are and helping them take steps to enhance their security posture. This is particularly important for small and medium-sized businesses, which may not have the resources or expertise to develop their own cybersecurity programs from scratch.

Another reason we love the CSF is how approachable it is. Like the jargon-free cybersecurity reporting we provide to our customers, the CSF is written in plain language and designed to be accessible to both technical and non-technical audiences.

How can Field Effect MDR help with NIST CSF 2.0 compliance?

We've created a detailed mapping document to show how our holistic cybersecurity solution, Field Effect MDR, helps satisfy NIST CSF v2.0 requirements.

Let’s look at some examples.

Subcategory ID.RA-2

This subcategory within the Identify function instructs organizations to implement processes and procedures to ensure that “Cyber threat intelligence is received from information sharing forums and sources.”

We know that the cyber landscape is constantly evolving and that most small and medium-sized organizations don’t have the time or resources to gather and contextualize information about current and future cyberattacks.

That’s why our MDR employs industry-standard indicators of compromise (IOCs) along with our own threat intelligence to identify malicious activity, domains, botnets, ransomware, and other threats to your environment.

Subcategory PR.AT-01

Belonging to the Protect function, this subcategory calls for organizations to ensure that “Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with security risks in mind.”

When we read this, we immediately thought of our Suspicious Email Analysis Service (SEAS), which comes standard with Field Effect MDR. SEAS reduces the risk of phishing by helping users recognize social engineering attempts and providing them with a mechanism to report suspicious activity.

Subcategory DE.AE-03

Subcategory DE.AE-03 from the Detect function calls for organizations to ensure “Event data are collected and correlated from multiple sources and sensors.”

From our network sensor that conducts full packet capture and deep inspection of all network traffic, to our powerful endpoint software and cloud monitoring, our MDR provides holistic protection for organizations and networks of all sizes.

Subcategory RS.AN-3

Finally, let’s look at Subcategory RS.AN-3 of the Respond function. This control calls on organizations to ensure that “Analysis is performed to determine what has taken place during an incident and the root cause of the incident.”

At Field Effect, we know performing an in-depth analysis of cyber events takes significant time and resources, something that not all organizations have. That’s why our approach to alerts, which we call AROs, contains detailed information and insights so the impact, scope, and root cause of incidents can be easily understood.

Learn more about Field Effect MDR & NIST CSF v2.0

Reach out to our team for a copy of the NIST CSF Compliance Mapping Guide today. This document is a great starting point to help you better understand the regulatory compliance landscape. However, because every organization is different, we recommend consulting with a regulatory auditor for your specific requirements.