Start your day with intelligence. Get The OODA Daily Pulse.

The NIST Cybersecurity Framework (CSF) 2.0, an evolution of its predecessor, is a comprehensive guide designed to assist organizations across various sectors in managing and mitigating cybersecurity risks effectively. This framework, while not prescribing specific actions, offers a taxonomy of high-level cybersecurity outcomes, enabling organizations, regardless of their size, sector, or maturity, to better understand, assess, prioritize, and communicate their cybersecurity efforts.  This post is a summary of the NIST CSF 2.0. 

Summary

At its core, the CSF 2.0 is structured around the CSF Core, Profiles, and Tiers, supplemented by a wealth of online resources:

The CSF Core outlines a set of cybersecurity activities and outcomes, categorized into five primary functions: Identify, Protect, Detect, Respond, and Recover. These functions provide a strategic view of the lifecycle of managing cybersecurity risk. 

Profiles, another critical component, allow organizations to tailor the CSF to their specific needs, objectives, and risk appetite, facilitating a more effective and efficient approach to cybersecurity risk management.

Tiers, on the other hand, help organizations gauge their approach to managing cybersecurity risk and the processes in place to ensure risk is managed to an acceptable level. 

The CSF 2.0 emphasizes the importance of communication and integration in cybersecurity risk management. It advocates for a shared understanding and approach to managing cybersecurity risk, not just within an organization but also in its interactions with third parties. This shared understanding is crucial for making informed decisions about cybersecurity expenditures and actions, ultimately enhancing an organization’s cybersecurity posture.  The NIST Cybersecurity Framework 2.0 serves as a foundational resource for organizations seeking to navigate the complex landscape of cybersecurity risks. It encourages a proactive, nuanced approach to cybersecurity, emphasizing flexibility, adaptability, and continuous improvement. 

The NIST Cybersecurity Framework (CSF) 2.0

NIST CSF 2.0 Core

The CSF Core:

  • Introduces the novel GOVERN Function, emphasizing the critical role of governance in cybersecurity risk management. This addition underscores the importance of establishing, communicating, and monitoring an organization’s cybersecurity strategy, policy, and expectations as foundational elements of a holistic cybersecurity program. 
  • A forward-looking approach to cybersecurity, designed to resonate with those charged with operationalizing risk management within an organization. It is a testament to the framework’s adaptability, intended to be applicable across a diverse array of technological environments and future technological advancements. and
  • Serves as a compass for organizations navigating the complex and ever-evolving landscape of cybersecurity risks. It provides a structured yet flexible framework for understanding, assessing, and addressing cybersecurity risks in alignment with an organization’s specific needs and objectives.

NIST CSF 2.0 Profiles

The concept known as CSF Profiles, which serve as a pivotal mechanism for organizations to articulate and manage their cybersecurity posture. The essence of CSF Profiles lies in their ability to describe an organization’s current and/or target cybersecurity posture in terms of the CSF Core’s outcomes. This is not merely an exercise in compliance or a bureaucratic checklist; rather, it is a strategic approach that allows organizations to understand, tailor, assess, prioritize, and communicate their cybersecurity efforts in alignment with their unique mission objectives, stakeholder expectations, threat landscape, and requirements.  

An Organizational Profile can be bifurcated into two distinct types: the Current Profile and the Target Profile:

  • The Current Profile delineates the cybersecurity outcomes that an organization is presently achieving or striving to achieve, offering a candid snapshot of its cybersecurity capabilities and the extent to which each outcome is being realized.
  • The Target Profile outlines the desired cybersecurity outcomes that an organization aims to achieve, taking into consideration anticipated changes in its cybersecurity posture due to evolving requirements, technology adoption, and threat intelligence trends. 

 A Community Profile is essentially a baseline of CSF outcomes developed to address shared interests and goals among a cohort of organizations. This could be tailored for a specific sector, subsector, technology, threat type, or other use cases. Organizations can leverage a Community Profile as a foundation for their own Target Profile, thereby fostering a collaborative approach to cybersecurity risk management.  

In tailoring the CSF Profiles to address the specific cybersecurity needs and objectives of your organization, this process is not only about identifying where you are and where you wish to be in terms of cybersecurity posture but also about charting a strategic path forward that aligns with your organizational ethos, mission, and the evolving cyber threat landscape.

NIST CSF 2.0 Tiers

The strategic utility of CSF Profiles is further augmented by their integration with CSF Tiers, which characterize the rigor of an organization’s cybersecurity risk governance and management practices. This symbiotic relationship between Profiles and Tiers enables organizations to contextualize their cybersecurity risk management efforts, providing a comprehensive framework for understanding, assessing, prioritizing, and communicating cybersecurity risks both internally and externally. 

The NIST Cybersecurity Framework (CSF) 2.0 delineates CSF Tiers with a discerning eye toward enhancing an organization’s cybersecurity risk governance and management practices. These Tiers, ranging from Partial (Tier 1) to Adaptive (Tier 4), serve as a barometer for assessing the maturity and sophistication of an organization’s approach to managing cybersecurity risks.

Tier 1 (Partial) is characterized by an ad hoc and sometimes reactive approach to cybersecurity risk management. Organizations at this tier may lack formalized processes, and their prioritization of cybersecurity activities is not directly informed by organizational risk objectives, the threat environment, or business/mission requirements. This tier reflects a nascent awareness of cybersecurity risk at the organizational level, with risk management practices implemented on an irregular basis.  

Tier 2 (Risk Informed), organizations begin to exhibit an awareness of cybersecurity risks at the organizational level, albeit without a formalized organization-wide approach to managing these risks. Risk management practices at this tier are approved by management but may not be established as an organization-wide policy. The prioritization of cybersecurity activities and protection needs is more directly informed by organizational risk objectives, the threat environment, or business/mission requirements, marking a step towards a more structured approach to cybersecurity risk management. 

Tier 3 (Repeatable) signifies a more mature stage, where an organization’s risk management practices are formally approved and expressed as policy. There is an organization-wide approach to managing cybersecurity risks, reflecting a significant advancement in the integration of cybersecurity risk management into the organizational fabric. This tier is indicative of a systematic and repeatable approach to managing cybersecurity risks, with practices that are well-communicated and understood across the organization.  

Tier 4 (Adaptive), where organizations exhibit an advanced, agile, and risk-informed approach to managing cybersecurity risks. This tier is characterized by the use of risk-informed policies, processes, and procedures to address potential cybersecurity events. Organizations at this tier actively adapt their cybersecurity practices based on lessons learned and predictive indicators, demonstrating a proactive and dynamic approach to managing cybersecurity risks. The relationship between cybersecurity risks and organizational objectives is clearly understood and considered in decision-making processes, with cybersecurity risk management practices deeply ingrained in the organizational culture. 

In the grand scheme of things, the progression through these Tiers is not merely a journey toward reducing cybersecurity risk but also a testament to an organization’s commitment to integrating cybersecurity risk management into its overarching risk management and business strategies. It’s a nuanced and strategic endeavor that requires a deep understanding of one’s current capabilities and a clear vision of where one needs to be in the face of evolving cyber threats.

NIST Releases Version 2.0 of Landmark Cybersecurity Framework

NIST’s cybersecurity framework (CSF) now explicitly aims to help all organizations — not just those in critical infrastructure, its original target audience — to manage and reduce risks.

  • NIST has updated the CSF’s core guidance and created a suite of resources to help all organizations achieve their cybersecurity goals, with added emphasis on governance as well as supply chains.
  • This update is the outcome of a multiyear process of discussions and public comments aimed at making the framework more effective.

From NIST: 

The National Institute of Standards and Technology (NIST) has updated the widely used Cybersecurity Framework (CSF), its landmark guidance document for reducing cybersecurity risk. The new 2.0 edition is designed for all audiences, industry sectors and organization types, from the smallest schools and nonprofits to the largest agencies and corporations — regardless of their degree of cybersecurity sophistication. 

In response to the numerous comments received on the draft version, NIST has expanded the CSF’s core guidance and developed related resources to help users get the most out of the framework. These resources are designed to provide different audiences with tailored pathways into the CSF and make the framework easier to put into action. 

The CSF 2.0, which supports the implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy. The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation. 

Following a presidential Executive Order, NIST first released the CSF in 2014 to help organizations understand, reduce and communicate about cybersecurity risk. The framework’s core is now organized around six key functions: Identify, Protect, Detect, Respond and Recover, along with CSF 2.0’s newly added Govern function. When considered together, these functions provide a comprehensive view of the life cycle for managing cybersecurity risk.

The updated framework anticipates that organizations will come to the CSF with varying needs and degrees of experience implementing cybersecurity tools. New adopters can learn from other users’ successes and select their topic of interest from a new set of implementation examples and quick-start guides designed for specific types of users, such as small businesses, enterprise risk managers, and organizations seeking to secure their supply chains. 

The CSF is used widely internationally; Versions 1.1 and 1.0 have been translated into 13 languages, and NIST expects that CSF 2.0 also will be translated by volunteers around the world. Those translations will be added to NIST’s expanding portfolio of CSF resources. Over the last 11 years, NIST’s work with the International Organization for Standardization (ISO), in conjunction with the International Electrotechnical Commission (IEC), has helped to align multiple cybersecurity documents. ISO/IEC resources now allow organizations to build cybersecurity frameworks and organize controls using the CSF functions. NIST plans to continue working with ISO/IEC to continue this international alignment.

What Next? 

Embarking on the journey with the NIST Cybersecurity Framework (CSF) 2.0 requires a strategic approach that aligns with the organization’s overarching goals and the dynamic cybersecurity landscape. The initial steps an organization should take involve a comprehensive assessment of its current cybersecurity posture, followed by the development of a tailored strategy that leverages the CSF’s core components—Core, Profiles, and Tiers—to enhance its cybersecurity risk management practices:

  1. First, An organization must conduct a thorough assessment of its current cybersecurity posture against the CSF Core. This involves identifying the cybersecurity activities and outcomes that are currently being achieved across the five Functions: Identify, Protect, Detect, Respond, and Recover. This step is crucial for understanding the organization’s strengths and areas for improvement in managing cybersecurity risks.
  2. Following this assessment, the organization should develop a Current Profile, which provides a detailed snapshot of its existing cybersecurity practices and outcomes. This profile serves as a baseline for measuring progress and identifying gaps in the organization’s cybersecurity capabilities.
  3. The next step involves the creation of a Target Profile, which outlines the desired cybersecurity outcomes the organization aims to achieve. This profile should be informed by the organization’s mission objectives, stakeholder expectations, threat landscape, and regulatory requirements. It is essential for setting strategic priorities and guiding the organization’s cybersecurity efforts toward achieving its goals.
  4. To bridge the gap between the Current and Target Profiles, the organization must develop and implement an action plan. This plan should prioritize actions based on their potential impact on the organization’s cybersecurity posture and the resources available. It may involve enhancing existing cybersecurity measures, adopting new technologies, or revising policies and procedures to address identified gaps.
  5. Throughout this process, the organization should leverage the CSF Tiers to assess and enhance the maturity of its cybersecurity risk management practices. Progressing through the Tiers—from Partial to Adaptive—indicates a more sophisticated, agile, and integrated approach to managing cybersecurity risks. This progression should be a strategic objective for the organization, aiming to achieve a level of cybersecurity risk management that is commensurate with its risk appetite and the evolving cyber threat landscape.
  6. Finally, an organization should actively engage with the broader community by contributing to and leveraging Community Profiles. These profiles can provide valuable insights and benchmarks for collaboratively managing cybersecurity risks, fostering a shared understanding and approach to cybersecurity within the industry or sector.

The NIST CSF 2.0 is a continuous, iterative process that requires commitment, strategic planning, and collaboration. It is not merely about compliance but about enhancing the organization’s resilience against cyber threats and aligning its cybersecurity practices with its strategic objectives. As you consider integrating the NIST CSF Tiers and Profiles into your organization’s cybersecurity risk governance and management practices, give some thought to how this framework can be tailored to your unique context and objectives, fostering a culture of continuous improvement and strategic risk management.

NOTE:  This OODA Loop Original Analysis was partially generated with the cognitive augmentation of and in collaboration with ALTzero Project – MattGPT.

Additional OODA Loop Resources

Cyber Risks

Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk

Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat

Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic in its reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.

Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised, without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat

Recommendations for Action

Decision Intelligence for Optimal Choices: The simultaneous occurrence of numerous disruptions complicates situational awareness and can inhibit effective decision-making. Every enterprise should evaluate their methods of data collection, assessment, and decision-making processes. For more insights: Decision Intelligence.

Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the responsibility of the IT department or the CISO – it’s a collective effort that involves the entire leadership. Relying solely on governmental actions isn’t advised given its inconsistent approach towards aiding industries in risk reduction. See: Cyber Defenses

The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance

Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront external threats, many of which are unpredictable. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. All organizations, regardless of their size, should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning

Daniel Pereira

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.