On February 26, 2024, NIST released version 2.0 of the Cybersecurity Framework. This blog reviews the fundamental changes introduced in CSF 2.0 and data-centric security considerations that should be made when aligning with the new framework.
As cybercriminals become more sophisticated, efficient, and cunning, it is critical to evolve how we protect our data from them, from both a technology and an operational perspective. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) has served as a guiding beacon for how organizations can defend against cybercrime since 2014, and ten years later, NIST has released the latest version of the CSF.
Key Changes
NIST CSF 2.0 introduces several updates to the previous version, including an expanded scope, a new function, and a reorganization of categories and subcategories.
Expanded Scope:
CSF 2.0 is much broader than the earlier version, extending guidance to organizations of all sizes, sectors, and maturity levels, not just critical infrastructure. The guidance has been revised throughout the framework to reflect this broader scope. This change enables all organizations, including small businesses, to use the framework effectively. The wider scope of the new version also allows it to be applied globally and not just within the United States of America.
Introduction of a New Function:
CSF 2.0 continues with the original five functions of IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER, and adds a new function, GOVERN. The GOVERN function emphasizes governance-related outcomes. In the new CSF 2.0 model, the GOVERN Function is the one around which all other Functions revolve; this is critical because the GOVERN function highlights the significance of governance in overall cybersecurity risk management. Effective governance is the keystone of a successful organization, providing a structure for order, transparency, and accountability. It ensures responsible decision-making and guards against the pitfalls of decisions made on preference rather than risk. Figure 1 below shows the evolution of NIST CSF 1.1 to CSF 2.0.
Reorganization of Categories and Subcategories within Functions:
The introduction of the GOVERN function also restructured the existing IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER functions by moving some categories and subcategories to the GOVERN function. Below is a summary of each function.
- GOVERN: The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
- IDENTIFY: The organization’s current cybersecurity risks are understood.
- PROTECT: Safeguards to manage the organization’s cybersecurity risks are used.
- DETECT: Possible cybersecurity attacks and compromises are found and analyzed.
- RESPOND: Actions regarding a detected cybersecurity incident are taken.
- RECOVER: Assets and operations affected by a cybersecurity incident are restored.
Understanding NIST CSF 2.0 Current and Target Profiles
CSF 2.0 often refers to Organizational Profiles. An Organizational Profile describes an organization's current and/or target cybersecurity posture in terms of the CSF 2.0 Core, that is, the Functions, Categories, and Subcategories within CSF 2.0. These profiles are used to understand, assess, tailor, prioritize, and communicate the Core's outcomes as they are achieved today and where the organization wishes to improve.
Every Organizational Profile includes one or both of the following:
- A Current Profile specifies the Core outcomes that an organization is achieving (or attempting to achieve) and characterizes how or to what extent each outcome is achieved.
- A Target Profile specifies the desired outcomes that an organization has selected and prioritized to achieve its cybersecurity risk management objectives. It considers anticipated changes to the organization’s cybersecurity posture, such as new requirements, new technology adoption, and threat intelligence trends.
For example, you estimate your Current Profile score to be a two for Data Security under the PROTECT Function of CSF 2.0, and your target score is three or even four. To move toward your Target Profile score, you may invest in a data security solution to improve how data is managed, consistent with the organization's risk strategy, while protecting the confidentiality, integrity, and availability of information, thereby improving your PROTECT Function score.
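As an added illustration (not code from the original post or from Imperva/Thales), the Python below models an Organizational Profile as Current and Target tier scores per Function and Category, rejects out-of-range tiers, and ranks the open gaps for prioritization. The 1..4 tier scale, the field names, and all sample rows other than the PROTECT / Data Security example from the text are assumptions made for this example.

```python
from dataclasses import dataclass

# The six CSF 2.0 Functions as listed on this page. The tier scale 1..4
# (Partial, Risk Informed, Repeatable, Adaptive) is assumed for scoring.
FUNCTIONS = ("GOVERN", "IDENTIFY", "PROTECT", "DETECT", "RESPOND", "RECOVER")
MIN_TIER, MAX_TIER = 1, 4


@dataclass
class ProfileEntry:
    function: str
    category: str
    current: int          # Current Profile: how far the outcome is achieved today
    target: int           # Target Profile: the prioritized desired state
    planned_action: str = ""  # what the organization intends to do to close the gap

    def __post_init__(self) -> None:
        if self.function not in FUNCTIONS:
            raise ValueError(f"unknown CSF 2.0 Function: {self.function}")
        for name, tier in (("current", self.current), ("target", self.target)):
            if not MIN_TIER <= tier <= MAX_TIER:
                raise ValueError(f"{name} tier {tier} outside {MIN_TIER}..{MAX_TIER}")

    @property
    def gap(self) -> int:
        # Positive: work remains; zero: target met; negative: target set below today
        return self.target - self.current


def prioritize(entries: list[ProfileEntry]) -> list[ProfileEntry]:
    """Open gaps only, largest first; ties broken by Function order, then category."""
    order = {f: i for i, f in enumerate(FUNCTIONS)}
    return sorted((e for e in entries if e.gap > 0),
                  key=lambda e: (-e.gap, order[e.function], e.category))


# Constructed sample profile; only the PROTECT / Data Security row mirrors the text.
SAMPLE = [
    ProfileEntry("GOVERN", "Risk Management Strategy", 2, 3, "track remediation in risk register"),
    ProfileEntry("IDENTIFY", "Asset Management", 3, 3),
    ProfileEntry("PROTECT", "Data Security", 2, 4, "deploy a data security platform"),
    ProfileEntry("DETECT", "Continuous Monitoring", 1, 3, "alert on unauthorized data access"),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE):
        print(f"gap {e.gap}: {e.function}/{e.category} -> {e.planned_action or 'no action planned'}")
```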
Data Security Considerations when using NIST CSF 2.0 to assess your cybersecurity risk
A data-centric security approach can help you align more closely to the CSF 2.0 framework. When evaluating your current profile and defining your target profile, here are some areas of focus you may want to consider when it comes to protecting data:
- GOVERN:
  - Do you have sufficient visibility and control over your data layer to improve your security and compliance posture?
  - Are you using risk mitigation and management workflows to track and communicate ongoing risk and remediation activities?
  - As a best practice, have you incorporated readily available reports and dashboards that effectively communicate observations around data risk profiles, trends, and gaps?
- IDENTIFY:
  - Can you categorize, inventory, and monitor systems containing or handling structured and unstructured data?
  - Are your data assets ranked according to risk and other attributes such as access, location, and criticality?
- PROTECT:
  - How do you protect your sensitive data throughout the data lifecycle, whether at rest, in motion, or in use?
  - Can you automatically protect your data, based on policies defined in the GOVERN Function, at scale on-premises, in the cloud, or in big data repositories?
- DETECT:
  - Can you constantly monitor for unwanted or malicious behavior and take real-time action to block unauthorized activity?
  - How quickly can you notify the response teams?
- RESPOND:
  - Have you defined manual and automated workflows to remediate issues based on severity and complexity?
  - How quickly can you act when unwanted activity is identified in the DETECT Function?
- RECOVER:
  - What processes do you have in place to perform post-event forensics?
  - Can you develop recommended policy changes or control improvements to minimize similar risks in the future?
Thales and Imperva deliver a comprehensive solution set that provides data governance and protection wherever it resides. The data governance and security power of Imperva Data Security Fabric, combined with Thales’ CipherTrust Data Security Platform, Hardware Security Modules, and High-Speed Encryption, helps organizations effectively align to the NIST CSF 2.0 framework.
View our solution guide explaining how Imperva and Thales join forces to align to NIST CSF 2.0.
Stay tuned for our upcoming blog on effectively increasing your organizational profile with data security.