Key Changes Made to the NIST Cybersecurity Framework v1.1-v2.0

In 2014, the National Institute of Standards and Technology (NIST) created a Cybersecurity Framework (CSF) that guides organizations in their journey towards developing secure computer systems. It sets a flexible foundation that all businesses can follow and sculpt to their needs. For this reason, it is extremely successful and is employed by a large number of organizations.



NIST Cybersecurity Framework v2.0

In 2024, the National Institute of Standards and Technology (NIST) released a significant version update of its Cybersecurity Framework (CSF) from v1.1 to v2.0. The update responds to new and constantly changing challenges in cybersecurity.

Here are some of the important changes introduced in this new version 2.0:

  1. Addition of Governance as a Function

    NIST CSF v2.0 introduces "Govern" as a new core function, placing it before the original five functions of "Identify", "Protect", "Detect", "Respond", and "Recover". This function emphasizes the importance of cybersecurity governance at all levels of an organization. It highlights the need for strong leadership, strategic planning, and aligning cybersecurity policies with business objectives. It focuses more heavily on accountability and oversight.

  2. Expansion of its Application

    CSF v2.0 now includes different business sectors, not just those in critical infrastructure. It is designed to be more universally applicable to organizations of all sizes and across industries. This change aims to address the unique challenges that organizations of different sizes and industries face.

  3. Higher Focus on Supply Chain Risk Management (SCRM)

    The importance of supply chain security has been further emphasized in v2.0, with expanded guidelines for managing supply chain risks. Due to some high-profile supply chain attacks, this update emphasizes the need for better risk management to include third-party vendors and partners.

  4. Integration of Updated Standards and Guidelines

    The new framework version integrates updated standards, including more recent versions of ISO/IEC standards and other relevant frameworks. This helps keep the framework current with the latest global cybersecurity practices, and helps provide organizations with the most relevant and effective cybersecurity tools.

  5. Greater Emphasis on Measurement and Assessment

    CSF v2.0 promotes a stronger emphasis on the measurement of cybersecurity performance and the assessment of framework implementation. This encourages organizations to adopt a more data-driven approach to cybersecurity.

  6. Streamlined Language and Structure

    The language and structure of the framework have been improved for clarity and usability. This includes rewording certain aspects and reorganizing sections to make the framework more accessible. These changes should help make the framework easier to understand and implement, particularly for organizations that may not have extensive cybersecurity expertise.

NIST Cybersecurity Framework v1.1



The Framework is divided into five parts: identifying capabilities and vulnerabilities, protecting and securing vital infrastructure, detecting security threats as soon as possible, responding to breaches properly, and recovering quickly and efficiently with as little downtime as possible.

Five years later, in April of 2019, NIST released the updated Cybersecurity Framework Version 1.1, which aims to identify and improve some key areas of the Framework. The Roadmap for CSF Version 1.1 states that, in an effort to make the most of the Framework, NIST collaborated with both public and private entities to "facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks."

Accordingly, the research that went into the new version includes but is not limited to a Request for Information (RFI), an analysis of the RFI's results, workshops and conferences discussing the Framework, a draft proposal of Version 1.1, along with a Request for Comment (RFC). NIST describes the CSF as a "living document and will continue to be updated and improved with the input and feedback from industry, government, and academia."

Some of the changes include:

  1. Authentication and Supply Chain Risk Management have been added to the Framework

    The research that emerged from ongoing initiatives is now embodied in version 1.1 of the Framework. This includes topics such as Authentication, as well as Supply Chain Risk Management. Similarly, topics listed in the aforementioned Roadmap are likely to evolve and be incorporated into future versions of the Framework. They include the lifecycle of cyber attacks, IoT, and cybersecurity in relation to small businesses.

  2. The Framework is now adopted and leveraged by federal agencies

    Significantly, some of the changes made to the Framework are legal in nature. A number of federal requirements are now related to how federal agencies adopt cybersecurity and the Framework. This is just one of many examples of how NIST and the Framework are leveraged by the federal government.

  3. The CSF is now adopted internationally

    Additionally, because the Framework adopts and references many internationally accepted standards and practices, organizations within and outside the US can now leverage the Framework globally. One of the struggles commonly faced by international enterprises is the lack of a common cybersecurity taxonomy and standards. Different countries are trying to create their own, but the Framework makes global collaboration possible.

  4. The Framework is becoming more accessible through translation

    Moreover, NIST has played an active role in government-to-government collaborations that promote and support international use of the Framework. As a result, the CSF has been translated into at least four languages and is in the process of being translated into many others. Additionally, countries like Uruguay are basing their own frameworks on the CSF.

  5. The Framework provides guidance to small businesses

    The importance of small businesses to a country's economy is undeniable. Consequently, vulnerabilities that affect even a small number of them can lead to the downfall of a large part of the private sector. NIST recognizes this and is currently working with the federal government to raise awareness on cybersecurity and the Framework through webinars and other techniques. It has recently launched the Small Business Cybersecurity Corner, a site that offers small businesses clear, consistent and easy-to-implement tips to better protect themselves from cyber crime. NIST also recognizes that accessibility and awareness are some of the greatest barriers to cybersecurity. Accordingly, it strives to provide Framework users with valuable information, ranging from success stories, FAQs, events, webinars and other additional resources via its online learning catalog.