Understanding and Implementing the NIST CSF 2.0 Cybersecurity Framework

Plus: A Closer Look at the “Govern” Function

Arctic Wolf + Revelstoke

The National Institute of Standards and Technology’s cybersecurity framework (NIST CSF) is a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices, and creates a common language for internal and external communication of cybersecurity issues. The NIST CSF was updated to version 2.0 in February 2024, the first major update to the framework in ten years.

Here’s what you need to know.

A Brief History of the NIST Cybersecurity Framework

NIST's Journey to 2.0

  • February, 2013

    White House Executive Order

    In February 2013, the White House issued Executive Order 13636, which tasked the National Institute of Standards and Technology (NIST) with the creation of a cybersecurity framework (CSF) that would help better protect the nation’s critical infrastructure.

  • February, 2014

    NIST CSF 1.0 Published

    NIST CSF 1.0 was published on February 12, 2014, and was quickly adopted by both public and private organizations due to its ability to provide key standards, guidelines, and best practices to help organizations manage and mitigate their cyber risk.

  • 2014-2024

    Attack Methods Intensify

    However, much has changed in the intervening years. Threat actors have continued to innovate and expand attacks, while cloud adoption and hybrid work models have greatly expanded organizations’ attack surfaces. NIST CSF 1.0 has served organizations well, but the modern threat landscape required an update to NIST’s cybersecurity framework, which was published in February 2024.

  • February, 2024

    NIST CSF 2.0 Published

    The updated framework aims to help all organizations – not just those in critical infrastructure – manage and reduce risks.

Why the NIST CSF Was Updated

NIST CSF 2.0 is more comprehensive, offering broader guidelines that expand beyond critical infrastructure. This update reflects a continually changing threat landscape, where robust controls and cyber protection are needed for all organizations, regardless of size or industry.

According to NIST, “The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical.”

By broadening this framework, hopefully all organizations, no matter their security maturity, can take concrete steps to improve their security posture and reduce their overall cyber risk. The new version of this framework includes tiers, allowing organizations of various maturity levels to enact posture-hardening measures. NIST CSF 2.0 also includes a new “Govern” function, intended to help businesses operationalize their security measures and improve their risk management and organizational engagement.

Exclusive NIST Resources Now Available


For IT and Security Leaders

NIST CSF 2.0: A Blueprint for Operationalizing Risk Management Within an Organization’s Security Program

For State and Local Governments

A Catalyst for Broader Cyber Resilience: An Updated NIST Framework is ready to help agencies mitigate risks and plan strategically

Arctic Wolf® Cyber JumpStart

Start your security journey today with this complimentary suite of tools designed to help you manage your cyber risk, map your security posture against industry-standard frameworks like NIST CSF, and create an incident response plan, while also unlocking insights into overcoming cyber insurance qualifying requirements.

What’s New in NIST CSF 2.0?

The latest edition of the NIST cybersecurity framework adds a new core function, “Govern,” bringing the total number of core functions to six:

  • Govern

    Establish and monitor risk management strategy, expectations, and policy

  • Identify

    Develop an organizational understanding to manage cybersecurity risk

  • Protect

    Support the ability to limit or contain the impact of a potential cybersecurity event

  • Detect

    Define the appropriate activities to identify the occurrence of a cybersecurity event

  • Respond

    Enable timely discovery of cybersecurity events

  • Recover

    Support the ability to contain the impact of a potential cybersecurity incident

The addition of the “Govern” function supports IT and security leaders’ ability to create risk-driven security programs and increase organizational engagement and risk ownership, while creating an opportunity to increase overall program support and funding.

While there are six core functions, they are not a checklist to tackle one at a time. IT and security teams need to address all the functions concurrently, as they work in tandem to support a robust risk management program and enhance an organization’s security posture. For example, “Govern,” “Identify,” and “Protect” are part of proactive cybersecurity protection pre-incident, and “Govern,” “Detect,” and “Respond” are essential controls to help discover, manage, and remediate incidents.

A Closer Look at the Govern Function

The “Govern” function includes several important sub-categories to further help organizations with their risk management and organizational engagement. These include:

Organizational Context

NIST CSF 2.0 introduces “Organizational Context” as a category under the “Govern” function, which NIST defines as “The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization’s cybersecurity.” While previous updates to the CSF focused on asset identification, this update places new emphasis on contextualization, making those identification efforts more effective.

Risk Management Strategy

NIST CSF 2.0 places risk management strategy within the “Govern” function to highlight the vital role it plays in an organization’s cybersecurity governance. A proper risk management strategy, as defined by NIST, is one where “The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.” 

Roles, Responsibilities, and Authorities

“Roles, Responsibilities, and Authorities” is placed as a separate category within the “Govern” function in NIST CSF 2.0, to ensure that an organization’s “Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated.”

Policy

NIST CSF 2.0 places the establishment, communication, and enforcement of cybersecurity policy as an essential aspect of the “Govern” function. Particular emphasis is placed not just on the creation of cybersecurity policy, but on its review and revision to “reflect changes in requirements, threats, technology, and organizational mission.”

Oversight

NIST CSF 2.0 also places more of a focus on the continuous review and revision of an organization’s risk management activities through the “Oversight” category in the “Govern” function, in an effort to inform and adjust strategy and direction and ensure adequate coverage of requirements and risks.

Cybersecurity Supply Chain Risk Management

Finally, NIST CSF 2.0 adds “Cybersecurity Supply Chain Risk Management” as a category under the “Govern” function. With cyber attacks against supply chains and third-party vendors rising — as they can often provide a means of initial access into a target network — this category aims to ensure that “cyber supply chain risk management processes are identified, managed, monitored, and improved by organizational stakeholders.”

More to Explore: Profiles and Tiers

Organizational Profiles

Organizational Profiles help security leaders understand, customize, evaluate and prioritize their cybersecurity goals to better align with their larger organizational mission, the expectations of the C-suite, the size of their environment, and other unique requirements and restrictions particular to their organization or industry. They allow security leaders to enable strategic actions to help achieve security goals and track security posture progress over time. They can also provide a meaningful means of communicating with the C-suite and other key stakeholders to ensure everyone is aware of the relevant cybersecurity info they need to know.

Tiers

Cybersecurity is not a one-size-fits-all field. Each organization should be working to strike a balance between robust protection and flexibility that allows them to do business the way they need. This means each organization must decide on an acceptable level of risk for them. NIST CSF 2.0 Tiers can help with this.

Tiers can be layered onto your Organizational Profile to determine the strength of your cybersecurity risk governance and risk management practices. Tiers provide essential context into your organization’s stance on acceptable risk, and can help you consistently evaluate existing processes and practices, helping identify areas for improvement and track your security posture’s progress over time.

Additional Resources For Cybersecurity Leaders

NIST CSF 2.0: Understanding and Implementing the Govern Function

An updated NIST framework is ready to help government agencies mitigate risks and plan strategically.

NIST CSF 2.0: A Blueprint for Operationalizing Risk Management Within Your Security Program

Discover how best to utilize the NIST CSF 2.0 framework to improve your security posture.

Contact Arctic Wolf

Simplify Implementation of the NIST CSF 2.0 with Arctic Wolf

Moving to a risk-driven security strategy can seem overwhelming, but it doesn’t need to be. Arctic Wolf’s security operations solutions provide coverage across all six of the NIST core functions and provide expert, 24×7 assistance with a continuous risk-based management program.
Schedule a demo today!