NIST CSF V2: What’s Hot and What’s Not!

NIST is to the US government what The Watcher is to the Marvel universe. In theory, it should simply observe the world around it, but in reality, it responds to evolving threats through interference.

Despite the buzz around the update to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), you might find it hard to say that any compliance framework falls under the category of “hot.” That is the common response to compliance, but NIST CSF 2.0 retains much of its flexible, risk-based style while updating itself for modern IT environments. Published on February 26, 2024, the updated framework can seem overwhelming at first.

Once you dig into it, you’ll find NIST CSF 2.0 has a new format and organization that may make it easier to manage, especially for small and medium-sized organizations.

Why NIST updated the Cybersecurity Framework (CSF)

The Executive Order 14028 on Improving the Nation’s Cybersecurity set out an ambitious objective across the US Federal Government, and NIST CSF 2.0 is part of achieving it. As organizations embrace cloud technologies, the NIST CSF needed to respond to the new cybersecurity risks arising from modernized IT environments.

What’s Not Changed

NIST recognizes that despite commonalities, IT environments are unique. With that in mind, the CSF remains flexible by requiring organizations to base their security programs around:

  • Common and unique risks
  • Risk appetites and tolerances
  • Mission
  • Objectives that help achieve the mission

The NIST CSF 2.0 Core remains organized as follows:

  • Functions: highest level of organization for cybersecurity outcomes
  • Categories: groups of security activities across the cybersecurity risk management life cycle of Govern, Identify, Protect, Detect, Respond, Recover
  • Subcategories: individual risk mitigation activities

The maturity model approach also remains the same with NIST reiterating the four tiers that help set the overall tone for an organization’s risk management approach:

  • Tier 1: Partial
  • Tier 2: Risk-Informed
  • Tier 3: Repeatable
  • Tier 4: Adaptive

What’s Minimally Changed

Many Subcategories remain similar to the previous iteration, despite having updated language. Across the 115 Subcategories, 99 map directly back to CSF 1.1. In several cases, the changes provide new language that enables organizations to understand how the CSF fits into managing these digitally transformed environments. For example, consider the following new Categories within the Protect Function:

  • Platform Security (PR.PS): The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability
  • Technology Infrastructure Resilience (PR.IR): Security architectures are managed with the organization’s risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience

Most of the Subcategories within these Categories directly map back to CSF 1.1, refocusing the activities in response to cloud environments. For example, some of the Subcategories under Platform Security include:

NIST CSF 2.0 Subcategory, followed by its Informative References to NIST CSF 1.1:

  • PR.PS-01: Configuration management practices are established and applied
      • PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
      • PR.IP-3: Configuration change control processes are in place
      • PR.PT-2: Removable media is protected and its use restricted according to policy
      • PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
  • PR.PS-02: Software is maintained, replaced, and removed commensurate with risk
      • PR.IP-12: A vulnerability management plan is developed and implemented
      • PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
  • PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk
      • PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
      • PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
  • PR.PS-04: Log records are generated and made available for continuous monitoring
      • PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy

In many cases, the updates consolidate several Subcategories, seeming to streamline the language in ways that respond to new technologies.

Additionally, NIST CSF 2.0 provides new implementation examples that include concise, action-oriented steps that help organizations understand ways to achieve outcomes.

What’s Hot: The New Govern Function

The change garnering the most buzz is CSF 2.0’s Governance Function. In this edition, NIST essentially consolidated the governance requirements that were scattered across other Functions to highlight the importance of oversight. It defines Governance as:

The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.

CSF 2.0 continues to list the following Categories:

  • Organizational Context (GV.OC): Understanding the organization’s cybersecurity risk decisions in the context of mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements
  • Risk Management Strategy (GV.RM): Establishing and communicating the priorities, constraints, risk tolerance and appetite statements, and assumptions that support risk decisions
  • Roles, Responsibilities, and Authorities (GV.RR): Establishing and communicating cybersecurity roles, responsibilities, and authorities to foster accountability, performance, assessment, and continuous improvement
  • Roles, Responsibilities, and Authorities (GV.RR): Establishing, communicating, and enforcing the organization’s cybersecurity policy
  • Oversight (GV.OV): Informing, improving, and adjusting the risk management strategy based on the results of activities and performance reviews
  • Cybersecurity Supply Chain Risk Management (GV.SC): Identifying, establishing, managing, monitoring, and improving cyber supply chain risk management processes

When looking at the Informative References mapping back to CSF 1.1, most Subcategories under Govern were sprinkled throughout the previous version. For example, CSF 2.0 pulls most of Cybersecurity Supply Chain Risk Management from CSF 1.1’s Identify Function and its Supply Chain Risk Management (ID.SC) Category. Similar to the reorganization across other Functions and Categories, CSF 2.0’s GV.SC makes assigning responsibility its own Subcategory where CSF 1.1 previously hid it within the Identify Function’s Asset Management (ID.AM) Category.

CSF 2.0 does include the following new Subcategories within the Govern Function:

  • RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
  • RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
  • OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
  • OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
  • OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed

What’s Hot: Other New Subcategories in CSF 2.0

Comparing NIST CSF 2.0 to the Informative References to NIST CSF 1.1 shows that the overall “new” activities are limited to the following:

Each entry lists the Subcategory with its Function and Category in parentheses:

  • ID.AM-07 (Identify / Asset Management): Inventories of data and corresponding metadata for designated data types are maintained
  • ID.IM-01 (Identify / Improvement): Improvements are identified from evaluations
  • PR.AA-04 (Protect / Identity Management, Authentication, and Access Control): Identity assertions are protected, conveyed, and verified
  • PR.PS-05 (Protect / Platform Security): Installation and execution of unauthorized software are prevented
  • RS.MA-05 (Respond / Incident Management): The criteria for initiating incident recovery are applied
  • RS.AN-07 (Respond / Incident Analysis): Incident data and metadata are collected, and their integrity and provenance are preserved
  • RS.AN-08 (Respond / Incident Recovery Plan Execution): An incident’s magnitude is estimated and validated
  • RC.RP-03 (Respond / Incident Recovery Plan Execution): The integrity of backups and other restoration assets is verified before using them for restoration
  • RC.RP-04 (Respond / Incident Recovery Plan Execution): Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms
  • RC.RP-05 (Respond / Incident Recovery Plan Execution): The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed
  • RC.RP-06 (Respond / Incident Recovery Plan Execution): The end of incident recovery is declared based on criteria, and incident-related documentation is completed

GRAYLOG FOR NIST CSF 2.0

With Graylog’s security analytics and anomaly detection capabilities, you get the cybersecurity platform you need without the complexity that makes your team’s job harder. With our powerful, lightning-fast features and intuitive user interface, you can lower your labor costs while reducing alert fatigue and getting the answers you need – quickly.

Our prebuilt search templates, dashboards, correlated alerts, and dynamic look-up tables enable you to get immediate value from your logs while empowering your security team.

For more information about how Graylog Security can help you achieve your NIST CSF 2.0 objectives, contact us today.
