What is NIST CSF 2.0?

Released on Feb 26, 2024, the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 2.0 is an updated version of the original NIST CSF, and is designed to help organizations manage and mitigate cybersecurity risks. The 2.0 update expands the scope and applicability of the framework to cover more types of organizations and industries, including the private sector, government and nonprofits.

NIST CSF 2.0 provides a structured approach to identifying, protecting, detecting, responding to and recovering from cyber threats. It builds upon the original framework by incorporating new features, methodologies and recommendations that address the evolving cybersecurity landscape. It also introduces enhancements over its predecessor, including greater flexibility, a broader scope and better integration with global standards. A new “govern” function has been introduced in the updated version that focuses on aligning cybersecurity practices with organizational goals and risk management.

The NIST CSF 2.0 framework is widely adopted across various industries, particularly in the United States, to improve the resilience of critical infrastructure against cyber threats. Its guidance can be customized to meet the specific needs of different organizations, regardless of size or sector.

What is compliance with NIST CSF 2.0?

Compliance with the NIST CSF 2.0 involves adhering to updated guidelines to manage and reduce cybersecurity risk. The updates in 2.0 organize cybersecurity efforts into six core functions that provide a comprehensive strategy for organizations to prioritize their cybersecurity activities and align them with business goals and regulatory requirements:

1. Govern: Understand organizational strategy and policy

This new addition in version 2.0 of the CSF emphasizes the importance of establishing and maintaining governance structures to align cybersecurity efforts with the organization’s mission and risk tolerance. It includes defining roles, responsibilities and policies to guide decision-making. Best practice identity security frameworks can help achieve these goals.

2. Identify: Map organizational assets and risks

Develop an understanding of the cybersecurity risks to systems, assets, data and capabilities. It includes asset management, business environment understanding, governance and risk assessment to prioritize efforts.

3. Protect: Secure risky assets

Implement safeguards across hybrid and multi-cloud environments to ensure the delivery of critical infrastructure services. This includes access control, awareness and training, data security and maintenance processes that mitigate the impact of potential incidents. Several identity security best practices can help here, such as implementation of least privilege access or the emerging strategy of providing access with zero standing privileges.

4. Detect: Find and analyze attacks

Identify the occurrence of cybersecurity events in a timely manner. It includes continuous monitoring, anomaly detection and other activities that ensure threats are identified early to minimize damage. Centralized audit and identity threat detection and response (ITDR) capabilities should be applied consistently across all sessions.

5. Respond: Act upon and contain attacks

After detecting a cybersecurity incident, develop and implement appropriate steps to contain the impact of an incident such as planning, communications, analysis, mitigation and improvement.

6. Recover: Restore affected assets

Maintain plans for resilience and restoring any capabilities or services that were impaired due to a cybersecurity event, including recovery planning, improvements and communication with stakeholders during and after recovery efforts. Of note for identity security programs, privileged access management controls can also assist recovery efforts by rotating credentials to terminate attacker sessions and regain organizational control.

Identity security and the NIST CSF 2.0 framework

Identity security is integral to compliance with NIST CSF 2.0, particularly in the framework’s “Protect” and “Detect” functions. As the framework evolves to address the complexities of modern cybersecurity threats, securing identities—both human and non-human—becomes paramount. Implementing identity security measures like privileged access management (PAM), multi-factor authentication (MFA) and continuous monitoring helps organizations protect against unauthorized access, insider threats and potential breaches. These measures ensure that only authorized identities can access sensitive systems and data, which is a cornerstone of NIST CSF 2.0 compliance.

Identity Security Requirements of the NIST CSF 2.0 Framework

Function	Function Category	Supported Subcategories (selected)
Govern	GV.RM: Risk Management	GV.RM.06: Establish risk management objectives with stakeholders.
	GV.SC: Supply Chain Risk	GV.SC-09: Integrate supply chain security practices in risk programs.
Identify	ID.RA: Risk Assessment	ID.RA-03: Identify and record internal and external threats.
Protect	PR.AA: Identity Management, Authentication and Access Control	PR.AA-01: Manage identities and credentials for authorized users, services and hardware. PR.AA-02: Proof identities and bind to credentials based on context. PR.AA-03: Authenticate users, services and hardware. PR-AA-05: Implement least privilege and separation of duties.
	PR.AT: Awareness & Training	PR.AT-01 / 02: Awareness training for general & specialized users.
	PR.PS: Platform Security	PR.PS-04: Generate log records for continuous monitoring. PR.PS-05: Prevent installation/execution of unauthorized software. PR.PS-06: Integrate secure software development processes.
	PR.IR: Tech Infrastructure Resilience	PR.IR-01: Protect network & environments from unauthorized access.
Detect	DE.CM: Continuous Monitoring	DE.CM-03: Monitor personnel activity to find adverse events. DE.CM-06: Monitor external service provider activity to find adverse events.
	DE.AE: Adverse Event Analysis	DE.AE-03: Information is correlated from multiple sources.
Respond	RS.MA: Incident Management	RS.MA-01: Execute incident response plan with relevant third parties.
	RS.MI: Incident Mitigation	RS.MI-01 / 02: Incidents are contained & eradicated.
Recover	RC.RP: Incident Recovery Plan Execution	RC.RP-01: Execute incident response plan. RC.RP-05: Verify integrity of restored systems and services.

 

NIST CSF 2.0 use cases

NIST CSF 2.0 is applicable across different sectors, helping organizations of all sizes and industries to strengthen their cybersecurity defenses, manage risks and ensure regulatory compliance.

Critical infrastructure protection: Organizations managing critical infrastructure, such as energy, water, and transportation systems, use NIST CSF 2.0 to identify vulnerabilities, protect against threats and ensure the continuity of essential services.

Regulatory compliance: The framework provides a structured approach to demonstrate compliance with industry-specific regulatory requirements, such as those in finance (e.g., GLBA, SOX) and healthcare (e.g., HIPAA). and standards.

Small and medium-sized enterprises (SMEs): The framework’s flexibility allows smaller organizations to implement cybersecurity measures that align with their resources and risk levels.

Incident response and recovery: NIST CSF 2.0’s emphasis on detection, response and recovery functions makes it a valuable tool for organizations seeking to improve incident response plans and recover more effectively from cybersecurity incidents.

Learn more about NIST CSF 2.0

• Addressing the NIST CyberSecurity Framework 2.0 With Identity Security
• How to Align Your Security Strategy with NIST Cybersecurity Framework 2.0
• Prepare for a New NIST Era Webinar