Gopalakrishnan M
19 May 2024 | Categories: Technology

In the previous blog, we went through the components and features of NIST CSF 1.1. NIST releases new versions of the Cybersecurity Framework (CSF) to address evolving cybersecurity threats, incorporate technological advancements, and integrate feedback from industry practice. These updates keep the framework relevant, effective, and comprehensive, helping product owners manage and mitigate emerging risks. NIST released the updated version, CSF 2.0, in February 2024. In today's blog, we will look at what CSF 2.0 changes relative to CSF 1.1.

Key Changes in CSF 2.0

Introduction of GOVERN Function:

CSF 2.0 introduces a new function called GOVERN, which contains six categories: Organizational Context (GV.OC), Risk Management Strategy (GV.RM), Roles, Responsibilities, and Authorities (GV.RR), Policy (GV.PO), Oversight (GV.OV), and Cybersecurity Supply Chain Risk Management (GV.SC).

Refinement of Categories and Subcategories:

Many existing categories and subcategories have been refined for clarity and alignment with current cybersecurity practice. For instance, the CSF 1.1 category Identity Management and Access Control (PR.AC) has been reworked into Identity Management, Authentication, and Access Control (PR.AA), making authentication an explicit part of the category rather than an implied one.

Addition of New Subcategories:

To address emerging cybersecurity needs, new subcategories have been added across the functions. Examples in GOVERN include GV.RM-07 (strategic opportunities, i.e. positive risks, are characterized and included in risk discussions) and GV.SC-09 (supply chain security practices are integrated into cybersecurity and enterprise risk management programs, with performance monitored throughout the product and service life cycle).

Enhancements in Existing Functions:

Existing functions such as IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER have seen enhancements with new subcategories and better structuring of existing ones to improve usability and comprehensiveness.

CSF Functions

CSF 2.0 has 6 functions, 22 categories and 106 subcategories, while CSF 1.1 had 5 functions, 23 categories and 108 subcategories. Compared to 1.1, some categories have been re-aligned under different functions and some have been merged or removed. Let's look at a few subcategory details below.



1. GOVERN (GV)

This function underscores the importance of clear policies and defined roles and responsibilities to ensure effective oversight. The framework encourages top management involvement and a culture of cybersecurity awareness and commitment. By integrating cybersecurity into the overall governance structure, organizations and product owners can align their cybersecurity strategy with business objectives, supporting sound risk management and regulatory compliance. This keeps cybersecurity measures proactive and aligned with the organization's overall objectives rather than simply reactive. Its categories are summarised below.

Sub Category Details
Organizational Context (GV.OC)
  • Align cybersecurity strategy with the organization's or product owner's mission, objectives, stakeholders, and activities.
  • Ensure cybersecurity priorities are integrated into the overall business strategy.
Risk Management Strategy (GV.RM)
  • Establish the organization's risk appetite and tolerance and conduct regular risk assessments to identify and evaluate cybersecurity risks.
  • Ensure that risk mitigation efforts are proportionate to the potential impact on the organization.
Cybersecurity Supply Chain Risk Management (GV.SC)
  • Conduct due diligence on suppliers and continuously monitor their cybersecurity practices.
  • Ensure suppliers are aware of, and included in, the organization's incident response planning.
Roles, Responsibilities, and Authorities (GV.RR)
  • Define cybersecurity roles and responsibilities at all organizational levels.
  • Ensure that roles and responsibilities are communicated clearly across the organization.
Policy (GV.PO)
  • Develop and communicate cybersecurity policies to all stakeholders, including employees, contractors, and third-party vendors, and keep them current.
Oversight (GV.OV)
  • Continuously review and update the cybersecurity strategy against results and changing requirements.
  • Maintain a feedback loop for refinement and correction.


2. IDENTIFY (ID)

This function assists organizations/product owners in identifying cybersecurity risks unique to their circumstances and aligning these risks with their broader mission and risk appetite outlined in GOVERN. This ensures that cybersecurity measures are prioritized according to their potential impact on the organization’s goals and objectives.

Sub Category Details
Asset Management (ID.AM)
  • Maintain an up-to-date inventory of physical and digital assets, including hardware, software, and data.
  • Track and manage assets throughout their lifecycle, from acquisition to disposal.
  • Prioritize cybersecurity measures based on asset significance and the risk strategy set in GOVERN.
Risk Assessment (ID.RA)
  • Regularly perform assessments to identify and evaluate cybersecurity risks, including vulnerabilities and threat intelligence.
  • Use the results to inform decision-makers and to prioritize cybersecurity efforts and the allocation of resources.
Improvement (ID.IM)
  • Identify enhancements to cybersecurity risk management processes and activities, including lessons learned from incidents and exercises.
  • Ensure continuous refinement and adaptation of cybersecurity measures.


3. PROTECT (PR)

This function assists organizations/product owners in establishing safeguards and controls to prevent or lessen the impact of identified threats. It involves activities such as user awareness training, enhancing the resilience of physical and virtual infrastructure, and deploying suitable cybersecurity technologies. The goal is to decrease both the likelihood and severity of cybersecurity incidents by reinforcing the organization's defenses.

Sub Category Details
Identity Management, Authentication, and Access Control (PR.AA)
  • Limit access based on authorization and risk, applying least privilege and separation of duties.
  • Set up processes for granting, modifying, and revoking identities, credentials, and access rights.
  • Regularly review and audit access permissions to ensure they remain appropriate and in line with current job functions and organizational needs.
  • Authenticate users, services, and hardware commensurate with the risk of the interaction.
Awareness and Training (PR.AT)
  • Educate staff through cybersecurity awareness and training.
Data Security (PR.DS)
  • Implement controls and practices to safeguard data throughout its lifecycle, including storage, processing, and transmission.
  • Categorize data based on its sensitivity and value, applying security measures according to its classification.
  • Protect the confidentiality, integrity, and availability of information.
Platform Security (PR.PS)
  • Implement safeguards to protect hardware, software, and services from cybersecurity threats, including configuration management and patching.
  • Enforce access controls to prevent unauthorized access to systems and data.
Technology Infrastructure Resilience (PR.IR)
  • Manage security architectures for asset protection and organizational resilience.
  • Ensure continued availability and integrity of assets in adverse situations.


4. DETECT (DE)

To reduce the impact of cybersecurity threats, the DETECT function focuses on finding and analysing possible attacks and compromises quickly. This involves employing detection mechanisms capable of distinguishing minor anomalies from major breaches. Early detection enables organizations to address issues before they escalate and cause substantial damage.

Sub Category Details
Continuous Monitoring (DE.CM)
  • Monitor assets, networks, and personnel activity to detect potential cybersecurity threats.
  • Implement processes to identify unusual or suspicious activities that could indicate a breach or threat.
  • Utilize threat intelligence to enhance detection capabilities and understand emerging threats.
  • Integrate detection processes with incident response plans to ensure timely and effective action in the event of a security incident.
Adverse Event Analysis (DE.AE)
  • Evaluate detected anomalies to determine their nature, potential impact, and whether they represent security incidents.
  • Correlate information from multiple sources to gain insight into the nature and severity of threats.
  • Declare incidents and hand them to the response process based on the analysis.


5. RESPOND (RS)

The RESPOND function helps ensure a swift and effective reaction after a cybersecurity incident. This involves containing the damage, maintaining stakeholder trust, and safeguarding the organization's or product owner's reputation. An effective incident response relies on well-defined procedures, clear communication, and prompt action to minimize losses and quickly restore normal operations.

Sub Category Details
Incident Management (RS.MA)
  • Develop and execute response plans to manage and mitigate the effects of cybersecurity incidents.
  • Triage, categorize, and prioritize incidents to minimize potential damage.
  • After an incident, analyze response activities and outcomes so that lessons learned feed the Improvement category (ID.IM).
Incident Analysis (RS.AN)
  • Investigate incidents using the data collected during the incident to guide response and recovery efforts.
  • Evaluate the potential impact of the security incident.
  • Inform mitigation strategies and preserve incident data and metadata with their integrity intact.
Incident Response Reporting and Communication (RS.CO)
  • Coordinate and communicate response activities with stakeholders, employees, and partners.
  • Maintain compliance with legal and regulatory notification requirements.
Incident Mitigation (RS.MI)
  • Define and apply mitigation measures to contain and eradicate incidents and reduce their impact.
  • Review and update mitigation strategies based on lessons learned from the incident.


6. RECOVER (RC)

The RECOVER function aims to restore affected assets and operations promptly and efficiently after a cybersecurity incident. This involves recovering compromised systems, retrieving lost data, and taking steps to prevent similar incidents in the future. The objective is to maintain business continuity and reduce the long-term effects of cybersecurity breaches.

Sub Category Details
Incident Recovery Plan Execution (RC.RP)
  • Create and maintain recovery plans that outline procedures for restoring normal operations after a cybersecurity incident.
  • Recover operations in a timely manner, verifying the integrity of backups and restored assets before returning them to service.
Incident Recovery Communication (RC.CO)
  • Coordinate recovery activities with the parties involved.
  • Report recovery progress and the incident's impact to designated stakeholders.
  • Communicate with internal and external parties after recovery.
  • Conduct a post-incident review.


NIST CSF 2.0 Reference Tool

NIST offers an online NIST CSF 2.0 Reference Tool (https://csrc.nist.gov/Projects/cybersecurity-framework/Filters#/csf/filters) that allows users to explore the CSF 2.0 Core, including its functions, categories, subcategories, and implementation examples. The tool provides the Core in both human-readable and machine-readable formats, available as JSON and Excel, so the identifiers and text can be consumed by tooling rather than copied by hand. Informative References, which map subcategories to controls in other standards and frameworks, are also published through the tool.
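The machine-readable Core is most useful when a product's own control inventory is mapped onto subcategory IDs and the gaps are computed rather than eyeballed. The script below is an added example, not code from this post or from NIST: it validates CSF 2.0 identifiers (two-letter function, two-letter category, two-digit index, e.g. PR.AA-05), flattens a Core export, and reports which subcategories a product's controls cover, which are uncovered, and which mapping entries are malformed or refer to subcategories absent from the loaded Core. The nested layout and field names in CSF_CORE are an assumption about the JSON export, the subcategory texts are abbreviated paraphrases, and the control inventory is constructed for the example.

```python
"""Map a product's security controls onto a CSF 2.0 Core export and report coverage.

Added example, not code from the original post or from NIST. The CSF_CORE
dictionary is a hand-constructed fragment shaped like a JSON export of the
Core; its field names ("functions", "categories", "subcategories", "id",
"text") are an assumption, and the real export may use different keys.
"""
import re
from collections import defaultdict

# CSF 2.0 subcategory IDs: function.category-index, e.g. GV.SC-09 or PR.AA-05.
CSF_ID_RE = re.compile(r"^(?P<function>[A-Z]{2})\.(?P<category>[A-Z]{2})-(?P<index>\d{2})$")

# Constructed fragment of the Core (assumed layout; subcategory text abbreviated).
CSF_CORE = {
    "functions": [
        {"id": "GV", "categories": [
            {"id": "GV.SC", "subcategories": [
                {"id": "GV.SC-04", "text": "Suppliers are known and prioritized by criticality"},
                {"id": "GV.SC-09", "text": "Supply chain security practices are integrated into risk management programs"},
            ]},
        ]},
        {"id": "PR", "categories": [
            {"id": "PR.AA", "subcategories": [
                {"id": "PR.AA-01", "text": "Identities and credentials for users, services, and hardware are managed"},
                {"id": "PR.AA-05", "text": "Access permissions are defined in policy, managed, enforced, and reviewed"},
            ]},
            {"id": "PR.PS", "subcategories": [
                {"id": "PR.PS-01", "text": "Configuration management practices are established and applied"},
            ]},
        ]},
    ]
}

# Constructed product control inventory: control name -> subcategory IDs it satisfies.
# The last two entries are deliberate failure cases that a spreadsheet would hide.
PRODUCT_CONTROLS = {
    "Signed firmware with per-device credentials": ["PR.AA-01", "PR.PS-01"],
    "Quarterly access review of engineering accounts": ["PR.AA-05"],
    "SBOM generated for every release": ["GV.SC-04"],
    "Firmware anomaly telemetry": ["DE.CM-01"],  # well-formed, but not in this Core fragment
    "Typo in spreadsheet": ["PR.AA-5"],          # malformed: index must be two digits
}


def parse_csf_id(identifier: str):
    """Return (function, category, index) for a well-formed CSF 2.0 subcategory ID.

    Raises ValueError on anything else so malformed mappings are surfaced,
    not silently dropped from the coverage numbers.
    """
    m = CSF_ID_RE.match(identifier.strip())
    if not m:
        raise ValueError(f"not a CSF 2.0 subcategory id: {identifier!r}")
    func = m.group("function")
    return func, f"{func}.{m.group('category')}", int(m.group("index"))


def index_core(core: dict) -> dict:
    """Flatten the nested Core into {subcategory_id: (category_id, text)}."""
    index = {}
    for function in core["functions"]:
        for category in function["categories"]:
            for sub in category["subcategories"]:
                parse_csf_id(sub["id"])  # a corrupt export should fail loudly too
                index[sub["id"]] = (category["id"], sub["text"])
    return index


def coverage_report(core: dict, controls: dict) -> dict:
    """Map controls onto subcategories; report gaps, unknown and malformed IDs."""
    index = index_core(core)
    covered = defaultdict(list)   # subcategory id -> controls claiming it
    invalid = defaultdict(list)   # control -> malformed ids
    unknown = defaultdict(list)   # control -> well-formed ids absent from this Core
    for control, ids in controls.items():
        for sub_id in ids:
            try:
                parse_csf_id(sub_id)
            except ValueError:
                invalid[control].append(sub_id)
                continue
            if sub_id not in index:
                unknown[control].append(sub_id)
                continue
            covered[sub_id].append(control)
    per_category = {}  # category id -> (covered count, total count)
    for sub_id, (cat_id, _) in index.items():
        done, total = per_category.get(cat_id, (0, 0))
        per_category[cat_id] = (done + (1 if sub_id in covered else 0), total + 1)
    return {
        "covered": dict(covered),
        "uncovered": sorted(s for s in index if s not in covered),
        "invalid": dict(invalid),
        "unknown": dict(unknown),
        "per_category": per_category,
    }


if __name__ == "__main__":
    report = coverage_report(CSF_CORE, PRODUCT_CONTROLS)
    for cat_id, (done, total) in sorted(report["per_category"].items()):
        print(f"{cat_id}: {done}/{total} subcategories covered")
    print("uncovered:", report["uncovered"])
    print("malformed ids:", report["invalid"])
    print("ids not in loaded Core:", report["unknown"])
```

Replacing CSF_CORE with the parsed JSON from the Reference Tool (after checking its actual key names) turns this into a repeatable gap report; the "unknown" bucket is the check that catches a mapping maintained against a stale or partial copy of the Core.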

Conclusion

NIST CSF 2.0 benefits the electronic product industry by providing a structured approach to managing cybersecurity risks, supporting products that are secure by design, and aligning with regulatory requirements. It helps organizations and product owners govern, identify, protect against, detect, respond to, and recover from cybersecurity threats. At Embien we support customers by integrating CSF 2.0 guidance from the IDENTIFY, PROTECT, and DETECT functions into product work from design through testing, so that products meet applicable cybersecurity standards and implement robust security measures. This collaboration enhances product security, reduces vulnerabilities, and supports compliance.
