NIST CSF-2.0 : A Comprehensive Guide

Gopalakrishnan M
19 May 2024
Categories: Technology, Certification & Compliances, Best Practices, IoT

In the previous blog, we went through the components and features of NIST CSF 1.1. NIST releases new versions of the Cybersecurity Framework (CSF) to address evolving cybersecurity threats, incorporate technological advancements, and integrate feedback from industry practice. These updates keep the framework relevant, effective, and comprehensive, helping product owners to better manage and mitigate emerging risks. NIST released the updated version — NIST CSF 2.0 — in February 2024. In today's blog, we will cover the improvements NIST CSF 2.0 brings over CSF 1.1.

Key Changes in NIST CSF 2.0

Introduction of GOVERN Function:

NIST CSF 2.0 introduces a new function called GOVERN, which includes the categories Organizational Context; Risk Management Strategy; Roles, Responsibilities, and Authorities; Policy; Oversight; and Cybersecurity Supply Chain Risk Management. The GOVERN function establishes accountability at the governance level and ensures that cybersecurity is treated as a business priority rather than just a technical concern.

Refinement of Categories and Subcategories:

Many existing categories and subcategories have been refined for better clarity and alignment with current cybersecurity practice. For instance, Identity Management, Authentication, and Access Control (PR.AA) has been separated from CSF 1.1's Identity Management and Access Control (PR.AC).

Addition of New Subcategories:

To address emerging cybersecurity needs, new subcategories have been added across various CSF functions. Examples include subcategories in GOVERN like GV.RM-07 (Strategic opportunities) and GV.SC-10 (Supply chain security practices integrated into cybersecurity programs).

Enhancements in Existing Functions:

The existing functions IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER have been enhanced with new subcategories and better structuring of existing ones to improve usability and comprehensiveness. Together with GOVERN, NIST CSF 2.0 now has six functions that provide a complete framework core for organizational cybersecurity risk management.

CSF Functions

NIST CSF 2.0 has 6 functions, 22 categories and 106 subcategories, while CSF 1.1 had 5 functions, 23 categories and 108 subcategories. Compared to 1.1, some categories have been realigned and some removed in the latest version. The framework core of NIST CSF 2.0 is designed to be scalable and applicable across all sectors and organization sizes. Let's look at a few subcategory details below.


1. GOVERN (GV)

This function underscores the importance of clear policies and defined roles and responsibilities to ensure effective oversight. The GOVERN function encourages top management involvement and a culture of cybersecurity awareness and commitment. By integrating cybersecurity into the overall governance structure — a cornerstone of modern cybersecurity frameworks — organizations and product owners can better align their cybersecurity strategies with business objectives, ensuring robust risk management and regulatory compliance. Cybersecurity measures then become proactive rather than merely reactive, and stay aligned with the organization's overall objectives. Its subcategories are listed below:

Sub Category Details
Organizational Context (GV.OC)
  • Align cybersecurity strategy with the organization's or product owner's mission, objectives, stakeholders, and activities.
  • Ensure cybersecurity priorities are integrated into the overall business strategy.
Risk Management Strategy (GV.RM)
  • Conduct regular risk assessments to identify and evaluate cybersecurity risks.
  • Ensure that risk mitigation efforts are proportionate to the potential impact on the organization.
Cybersecurity Supply Chain Risk Management (GV.SC)
  • Conduct thorough due diligence and continuous monitoring of suppliers' cybersecurity practices.
  • Ensure suppliers are aware of and adhere to the organization's incident response protocols.
Roles, Responsibilities, and Authorities (GV.RR)
  • Define cybersecurity roles and responsibilities at all organizational levels.
  • Ensure that roles and responsibilities are communicated clearly across the organization.
Policies, Processes, and Procedures (GV.PO)
  • Develop and communicate cybersecurity policies to all stakeholders, including employees, contractors, and third-party vendors.
Oversight (GV.OV)
  • Continuously review and update the cybersecurity strategy.
  • Maintain a feedback loop for refinement and correction.


2. IDENTIFY (ID)

This function assists organizations and product owners in identifying the cybersecurity risks unique to their circumstances and aligning those risks with the broader mission and risk appetite set out in GOVERN. This ensures that cybersecurity measures are prioritized according to their potential impact on the organization's goals and objectives. It is a foundational element of the framework core of NIST CSF 2.0.

Sub Category Details
Asset Management (ID.AM)
  • Maintain an up-to-date inventory of physical and digital assets, including hardware, software, and data.
  • Implement processes to track and manage assets throughout their lifecycle, from acquisition to disposal.
  • Prioritize cybersecurity measures based on asset significance and the risk strategy.
Risk Assessment (ID.RA)
  • Regularly perform assessments to identify and evaluate cybersecurity risks.
  • Based on the assessment, inform decision-making teams and prioritize cybersecurity efforts and the allocation of resources.
Improvement (ID.IM)
  • Identify enhancements to cybersecurity risk management processes and activities.
  • Ensure continuous refinement and adaptation of cybersecurity measures.


3. PROTECT (PR)

This function assists organizations and product owners in establishing safeguards and controls to prevent or lessen the impact of identified threats. It involves activities such as user awareness training, enhancing the resilience of physical and virtual infrastructure, and deploying suitable cybersecurity technologies. The goal is to decrease both the likelihood and the severity of cybersecurity incidents by reinforcing the organization's defenses — as defined in the framework core of NIST CSF 2.0.

Sub Category Details
Identity Management, Authentication, and Access Control (PR.AA)
  • Limit access based on authorization and risk assessment.
  • Set up processes for granting, modifying, and revoking access rights.
  • Regularly review and audit access permissions to ensure they remain appropriate and in line with current job functions and organizational needs.
  • Ensure data integrity and confidentiality.
Awareness and Training (PR.AT)
  • Educate staff through cybersecurity awareness and training.
Data Security (PR.DS)
  • Implement controls and practices to safeguard data throughout its lifecycle, including storage, processing, and transmission.
  • Categorize data based on its sensitivity and value, applying security measures appropriate to its classification.
  • Protect the confidentiality, integrity, and availability of information.
Platform Security (PR.PS)
  • Implement safeguards to protect information systems and assets from cybersecurity threats.
  • Enforce access controls to prevent unauthorized access to systems and data.
Technology Infrastructure Resilience (PR.IR)
  • Manage security architectures for asset protection and organizational resilience.
  • Ensure continuous availability and integrity of assets in adverse situations.


4. DETECT (DE)

To reduce the impact of cybersecurity threats, the DETECT function prioritizes the rapid identification of, and response to, potential threats. This involves employing strong detection mechanisms capable of distinguishing minor incidents from major breaches. Early detection enables organizations to address issues before they escalate and cause substantial damage — a key principle of NIST CSF 2.0 and of modern cybersecurity frameworks.

Sub Category Details
Continuous Monitoring (DE.CM)
  • Monitor assets to detect potential cybersecurity threats.
  • Implement processes to identify unusual or suspicious activities that could indicate a breach or threat.
  • Utilize threat intelligence to enhance detection capabilities and understand emerging threats.
  • Integrate detection processes with incident response plans to ensure timely and effective action in the event of a security incident.
Adverse Event Analysis (DE.AE)
  • Evaluate detected anomalies to determine their nature, their potential impact, and whether they represent security incidents.
  • Provide insight into the nature and severity of threats.
  • Take appropriate action based on the analysis to mitigate or address identified anomalies.


5. RESPOND (RS)

The RESPOND function helps ensure a swift and effective reaction after a cybersecurity incident. This involves containing the damage, maintaining stakeholder trust, and safeguarding the organization's reputation. Effective incident response relies on well-defined procedures, clear communication, and prompt action to minimize losses and quickly restore normal operations — all embedded in the framework core of NIST CSF 2.0.

Sub Category Details
Incident Management (RS.MA)
  • Develop and implement response plans to manage and mitigate the effects of cybersecurity incidents.
  • Minimize potential damage.
  • After an incident, analyze response activities and outcomes to identify lessons learned.
Incident Analysis (RS.AN)
  • Investigate incidents using the data collected during the security incident to guide response and recovery efforts.
  • Evaluate the potential impact of the security incident.
  • Inform mitigation strategies.
Incident Response Reporting and Communication (RS.CO)
  • Coordinate and communicate response activities with stakeholders, employees and partners.
  • Maintain compliance with legal and regulatory requirements.
Incident Mitigation (RS.MI)
  • Define and apply mitigation measures to reduce the impact of security incidents.
  • Review and update mitigation strategies based on lessons learnt from the incident.


6. RECOVER (RC)

The RECOVER function aims to restore affected assets and operations promptly and efficiently after a cybersecurity incident. This involves recovering compromised systems, retrieving lost data, and taking steps to prevent similar incidents in the future. The objective is to maintain business continuity and reduce the long-term effects of cybersecurity breaches — completing the framework core of NIST CSF 2.0.

Sub Category Details
Incident Recovery Plan Execution (RC.RP)
  • Create and maintain recovery plans that outline procedures for restoring normal operations after a cybersecurity incident.
  • Restore operations in a timely manner.
Incident Recovery Communication (RC.CO)
  • Coordinate recovery activities.
  • Evaluate the potential impact of the security incident.
  • Communicate with internal and external parties after recovery.
  • Conduct a post-incident review.


NIST CSF 2.0 Reference Tool

NIST offers an online NIST CSF 2.0 Reference Tool (https://csrc.NIST.gov/Projects/cybersecurity-framework/Filters#/CSF/filters) that allows users to explore the draft CSF 2.0 Core, including its functions, categories, subcategories, and implementation examples. The tool provides the draft Core in both human-readable and machine-readable formats, the latter available as JSON and Excel. Informative References, which link to other cybersecurity frameworks, are expected to be added shortly.

Embien’s Digital Transformation Services and Cybersecurity Services support NIST CSF 2.0, ensuring secure and resilient system development.

Conclusion

NIST CSF 2.0 benefits the electronic product industry by providing a structured approach to managing cybersecurity risks across all six functions, ensuring products are secure by design and aligned with regulatory requirements. It helps organizations and product owners identify, protect against, detect, respond to, and recover from cybersecurity threats — all governed by the new GOVERN function. The framework core of NIST CSF 2.0 makes the framework actionable at every level of an organization. At Embien we support customers by integrating CSF 2.0 guidelines from the IDENTIFY, DETECT and PROTECT functions from design through testing. We ensure that products meet cybersecurity standards and implement robust security measures aligned with the framework core of NIST CSF 2.0. This collaboration enhances product security, reduces vulnerabilities, and supports compliance.
