Understanding NIST Cybersecurity Framework 2.0

April 2, 2024
This article delves into the key enhancements of CSF 2.0 and explores its implications for organizations across the spectrum, with a particular focus on the public sector and state and local governments.

The National Institute of Standards and Technology (NIST) has released its updated Cybersecurity Framework 2.0 (CSF 2.0), a comprehensive overhaul designed to address the multifaceted challenges of modern cybersecurity.

This article delves into the key enhancements of CSF 2.0 and explores its implications for organizations across the spectrum, with a particular focus on the public sector and state and local governments.

Governance Takes the Helm

CSF 2.0 adds a new overarching governance function, emphasizing that cybersecurity is a major source of enterprise risk and should be a key consideration for senior leadership. This is particularly important because governance is the cornerstone of any well-planned and orchestrated cybersecurity program, and it’s great to see NIST acknowledge the value of a governance function.

One of the most challenging decisions a CISO faces is determining the optimal allocation of resources to lower security risks to a tolerable degree. This involves answering the questions, “What level of security is sufficient?” and “How do I maximize the return on my security investment?”

The new CSF Govern function will help CISOs identify where their organization is from a cyber maturity standpoint and determine where they need to be based on the risk exposure their organization faces and its tolerance for risk.

The Govern function facilitates the necessary discussions among leadership, managers and practitioners about organizational risk, cybersecurity priorities, plans and investments to close identified gaps.

The goal is to create a defensible cybersecurity plan that can be defended legally, technically and operationally by justifying security measures and decisions while ensuring preparedness and a responsible plan for executing and managing actions in the event of a cyber incident or breach.

The 2.0 framework has also been extended to support supply chain security, which is increasingly critical due to global supply chains’ ever-growing complexity and interconnectedness. By focusing on supply chain risks, the framework can prevent disruptions, protect sensitive information and ensure continuity of operations, which will enhance overall national and economic security. 

Other significant updates include expanded applicability from CSF 1.0’s focus on critical infrastructure providers to all types of organizations, both public and private; a simplified and streamlined approach for easier use and adoption by smaller organizations, such as small businesses and state and local governments; and the ability to customize its implementation depending on an organization’s level of concern about cyber risks. 

The Impact on Public Sector Cybersecurity

NIST CSF 2.0 has been expanded to cover all public and private organizations, and it has been simplified and streamlined to support easier use and adoption by smaller organizations.

For public sector organizations that are new to risk management and the CSF, especially state and local governments, NIST has published lots of supporting information to help organizations get started quickly, even if there are limited resources for cybersecurity. NIST’s Small Business Quick Start Guide is a great place to start, as it provides actionable steps for smaller organizations to build their risk framework.

Cybersecurity is complex, and many government and best practices-driven requirements compete for limited resources – such as zero-trust, multi-factor authentication, remote work, compliance with executive orders and keeping up with new and emerging threats and vulnerabilities.

The CSF can help public sector organizations build a defensible cyber program that prioritizes investments across competing requirements and identifies solutions for closing gaps and making the biggest possible impact with the available and frequently limited resources.

State and Local Governments: A Path Forward

The CSF is mandatory for federal government agencies but optional for all other organizations, including state and local governments.

However, robust cybersecurity is critical for state and local governments to uphold public trust by protecting internal government data and their constituents’ information. It also supports the effective use of taxpayer money.

The CSF offers tremendous value in assessing current risks and driving forward your cybersecurity program. As with the previous version, CSF 2.0 continues to provide a standardized vocabulary and structured method for evaluating an organization’s current cybersecurity status, identifying areas for improvement, and developing a cybersecurity strategy to address identified gaps and deficiencies.

As they say, if you don’t know where you are going, any bus will take you there. The CSF helps organizations map out the route for properly managing organizational risks.

There are always many more things you would like to do to secure your environment than you have the time or resources to implement, and the CSF can help the public sector prioritize and justify its investments in cybersecurity. 

While the framework is optional at the state and local levels, I see tremendous value in the CSF and expect the requirements for adopting CSF 2.0 to expand over time.

Choosing the Right Partners

The government sector has the same concerns as private industry – ensuring that they can rely on the software and systems provided by their third-party technology suppliers to perform their critical governmental functions and properly secure government and constituent information.

It all comes down to having the confidence that technology service providers are implementing robust security policies, controls and practices effectively.

There are many ways to evaluate service providers. As a CISO, I put more weight behind assessments performed by an independent third party, such as FedRAMP/StateRAMP, ISO27001, and SOC 2, which assess security policies, controls, and risk management practices. The CSF certainly plays into this. Together, these frameworks and standards provide a multifaceted approach to evaluating the cybersecurity postures of third-party technology suppliers.

In conclusion, the NIST Cybersecurity Framework 2.0 represents a significant step forward in the collective endeavor to safeguard digital assets and infrastructures. By addressing critical areas such as governance, supply chain security and the specific needs of smaller organizations, CSF 2.0 equips a broader range of entities with the tools needed to navigate the complex cybersecurity landscape.

For public sector organizations, especially at the state and local levels, the updated framework offers a roadmap to enhance their cybersecurity postures and justify and prioritize their cybersecurity initiatives, ultimately creating a more secure and resilient digital ecosystem for all.

Chris Kubic is chief information security officer (CISO) at Euna Solutions, a provider of purpose-built, cloud-based solutions that power critical administrative functions and financial operations for the public sector. He previously served for more than 30 years at the National Security Agency (NSA), including four years as NSA CISO where he was responsible for developing and executing NSA’s security strategy, architecture and roadmap for protecting and defending NSA information and systems from cyber threats.