The National Institute of Standards and Technology has updated its Cybersecurity Framework for 2024. Version 2.0 of the NIST CSF, the first major update since the framework was released a decade ago, was created with the goal of expanding the primary audience from critical infrastructure to all organizations. In general, the NIST CSF aims to standardize practices to ensure uniform protection of all U.S. cyber assets.

TechRepublic’s cheat sheet about the NIST CSF is an overview of this new government-recommended best practice, and it includes steps on implementing the security framework.

What is the NIST Cybersecurity Framework?

The NIST CSF is a set of optional standards, best practices and recommendations for improving cybersecurity and risk management at the organizational level. The goal of the CSF is to create a common language, a set of standards and an easily executable series of goals for improving cybersecurity and limiting cybersecurity risk.

NIST has thorough documentation of the CSF on its website, along with links to FAQs, industry resources and other information necessary to ease enterprise transition into a CSF world.

Is the NIST Cybersecurity Framework just for government use?

The NIST Framework isn’t just for government use — it can be adapted to businesses of any size. The CSF affects anyone who makes decisions about cybersecurity and cybersecurity risks in their organizations, and those responsible for implementing new IT policies.

The NIST CSF standards are optional for private businesses — that is, there’s no penalty for private organizations that don’t wish to follow them. This doesn’t mean the NIST CSF isn’t an ideal jumping-off point for organizations, though — it was created with scalability and gradual implementation in mind so any business can benefit and improve its security practices and prevent a cybersecurity event.

Does the NIST Cybersecurity Framework apply outside of the United States?

Although the NIST CSF is a publication of the U.S. government, it may be useful to businesses internationally. The NIST CSF is aligned with the International Organization for Standardization and the International Electrotechnical Commission. Version 2.0 will likely be translated by community volunteers in the future, NIST said. The cybersecurity outcomes described in the CSF are “sector-, country-, and technology-neutral,” NIST wrote in Version 2.0.

What’s new in Version 2.0 of the NIST Cybersecurity Framework?

Version 2.0 of the NIST CSF expands the scope of the framework from critical infrastructure to organizations in every sector and adds new emphasis on governance. The governance portion positions cybersecurity as one of the most important sources of enterprise risk that senior business leaders should consider, alongside finance, reputation and others.

The NIST CSF 2.0 includes Quick Start guides, reference tools and organizational and community profile guides. The reference tools were created to provide organizations a simplified way to implement the CSF compared to Version 1.1.

Version 2.0 of the NIST CSF adds:

  • The Function of “Govern,” which focuses on how organizations can make informed decisions regarding their cybersecurity strategy
  • Implementation Examples and Informative References, which will be updated online regularly
  • Organizational Profiles, which may help organizations determine their current status in terms of cybersecurity and what status they might want to move to.

Why was the NIST Cybersecurity Framework created?

The cybersecurity world is fragmented, despite its ever-growing importance to daily business operations. Organizations fail to share information, IT professionals and C-level executives sidestep their own policies and organizations speak their own cybersecurity languages. NIST’s goal with the creation of the CSF is to help eliminate the chaotic cybersecurity landscape we find ourselves in.

The NIST CSF provides a proven method by which organizations can address their specific cybersecurity needs within a flexible but highly regimented set of instructions.

While version 2.0 is still too new to have proven success stories, NIST has recorded the benefits of 1.0. For example, the University of Chicago, which receives government funding, used the CSF to create a prioritized data security mitigation and remediation plan and consistent data management standards.

Since NIST standards are rigorous, adhering to them means an organization likely follows other existing corporate security guidelines as well. Use of the NIST CSF may be a factor in which organizations receive government funding.

When was the NIST Cybersecurity Framework created?

Former President Barack Obama signed Executive Order 13636 in 2013, titled Improving Critical Infrastructure Cybersecurity, which set the stage for the NIST Cybersecurity Framework that was released in 2014.

Former President Donald Trump’s 2017 cybersecurity executive order went one step further and made the framework created by Obama’s order into federal government policy.

NIST CSF Version 2.0 was created in concert with the March 2023 National Cybersecurity Strategy under President Joe Biden.

How do I prove NIST compliance?

There is no one-size-fits-all certification for compliance with NIST’s many different cybersecurity recommendations and frameworks; however, “NIST compliance” often refers to SP 800-53, “Security and Privacy Controls for Information Systems and Organizations.” NIST 800-53 is a publication from NIST that outlines protections for information and information systems. Federal agencies must be NIST 800-53 compliant. NIST 800-53 is potentially useful as a standard for other organizations as well due to its thoroughness and proven effectiveness.

Non-federal organizations or contractors that do business with the U.S. government may need to prove compliance with NIST SP 800-171, a standard for the protection of controlled unclassified information.

Both NIST SP 800-53 and NIST SP 800-171 can involve internal or third-party audits. NIST provides a list of accredited certifying laboratories that can provide third-party audits.

Organizations that want NIST validation on their products can use third-party vendors to prove the products hold up to the NIST IT Security Validation Program.

What are the six core activities of the NIST Cybersecurity Framework?

As of Version 2.0 of the NIST framework, these are the six core activities: Identify, protect, detect, respond, recover and govern. These activities, or functions, of the NIST framework are used to organize cybersecurity efforts at the most basic level.

What are the four components of the NIST Cybersecurity Framework?

The framework is divided into four components: Core, Organizational Profiles, Tiers and Informative References.

Core

The core component is “a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes.” It is further broken down into three elements: Functions, categories and subcategories.

  • Functions: This section explains the six functions: Identify, protect, detect, respond, recover and govern (Figure A). Together, these six functions form a top-level approach to securing systems and responding to threats. Think of them as your basic incident management tasks.

Figure A: The functions according to NIST. Image: NIST
  • Categories: Each function contains categories used to identify specific tasks or challenges within it. For example, the protect function could include access control, identity management, data security and platform security.
  • Subcategories: These are further divisions of categories with specific objectives. The data security category could be divided into tasks like protecting data at rest, in transit and in use or creating, protecting, maintaining and testing backups.

Organizational Profiles

Profiles are both outlines of an organization’s current cybersecurity status and roadmaps toward CSF goals for stronger security postures (Figure B). NIST said having multiple profiles — current and goal — can help an organization find weak spots in its cybersecurity implementations and make moving from lower to higher tiers easier.

Figure B: NIST suggests using the Organizational Profiles as an ongoing assessment of an organization’s cybersecurity maturity. Image: NIST

Profiles help connect the functions, categories and subcategories to the business requirements, risk tolerance and resources of the larger organization they serve.

Tiers

There are four tiers of implementation, and while CSF documents don’t consider them maturity levels, the higher tiers are considered a more complete implementation of CSF standards for protecting critical infrastructure. NIST considers Tiers useful for informing an organization’s current and target Profiles.

  • Tier 1: Called partial implementation, organizations at Tier 1 have an ad-hoc and reactive cybersecurity posture to protect their data. They have little awareness of organizational cybersecurity risk and any plans implemented are often done inconsistently.
  • Tier 2: At the tier called risk-informed, organizations may be approving cybersecurity measures, but implementation is still piecemeal. They are aware of risks, have plans and have the proper resources to protect themselves from a data breach, but haven’t quite gotten to a proactive point.
  • Tier 3: The third tier is called repeatable, meaning that an organization has implemented NIST CSF standards company-wide and is able to repeatedly respond to cyber crises. Policy is consistently applied, and employees are informed of risks.
  • Tier 4: Called adaptive, this tier indicates total adoption of the NIST CSF. Adaptive organizations aren’t just prepared to respond to cyber threats — they proactively detect threats and predict issues based on current trends and their IT architecture.

Informative References and other online resources

The Informative References provided with Version 2.0 of the CSF are documentation, steps for execution, standards and other guidelines. A prime example in the manual Windows update category would be a document outlining steps to manually update Windows PCs. In Version 2.0, Informative References, Implementation Examples and Quick-Start Guides can be found through the NIST CSF website or the CSF document.

When is the NIST Cybersecurity Framework updated?

As the needs of organizations change, NIST plans to continually update the CSF to keep it relevant. Updates to the CSF happen as part of NIST’s annual conference on the CSF and take into account feedback from industry representatives, via email and through requests for comments and requests for information NIST sends to large organizations.

What organizations can use the NIST Cybersecurity Framework?

The NIST CSF affects everyone who touches a computer for business. IT teams and CXOs are responsible for implementing it; regular employees are responsible for following their organization’s security standards; and business leaders are responsible for empowering their security teams to protect their critical infrastructure. Specifically, the NIST CSF 2.0’s new Govern function includes communication channels between executives, managers and practitioners — anyone with a stake in the technological health of the company.

The degree to which the NIST CSF will affect the average person won’t lessen with time either, at least not until it sees widespread implementation and becomes the new standard in cybersecurity planning.

How can I implement the NIST Cybersecurity Framework?

Start working on implementing the CSF by visiting NIST’s Cybersecurity Framework website. Of particular interest to IT decision-makers and security professionals is NIST’s Framework Resources page, where you’ll find methodologies, implementation guidelines, case studies, educational materials, example profiles and more.

“The CSF does not prescribe how outcomes should be achieved,” NIST points out in the framework. “Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes.”

The NIST CSF can improve the security posture of organizations large and small, and it could potentially position you as a leader in forward-looking cybersecurity practices or prevent a catastrophic cybersecurity event.
