
NIST recently released version 2.0 of its Cybersecurity Framework (CSF). As advocates of the CSF, we see it as a flexible starting point for organizations across industries to manage cybersecurity risk. Where we have previously had to customize categories or add focus areas for clients, CSF 2.0 now covers many of those needs out of the box.
The most significant addition in CSF 2.0 is the new Govern function (GV), which joins the original five functions (Identify, Protect, Detect, Respond, Recover). It consolidates governance outcomes that were previously scattered across the other functions into one place, covering organizational context (mission, stakeholder expectations), risk management strategy, roles and responsibilities, policy, and oversight. Many organizations make inconsistent cybersecurity decisions because risk tolerance has never been defined. CSF 2.0 addresses this directly in the Risk Management Strategy category: GV.RM-02 calls for risk appetite and risk tolerance statements to be established, communicated, and maintained. With those statements in place, individual risk decisions can be measured against a known threshold rather than argued case by case, which keeps risk at accepted levels and directs resources to the risks that actually exceed them.
Third-party and supply chain risk is another area given more weight. GV.RM-05 calls for lines of communication across the organization for cybersecurity risks, explicitly including risks from suppliers and other third parties, and supply chain risk management now has its own category under Govern (GV.SC). With the rise of SaaS, much of an organization's data and processing sits with vendors, so managing these risks has become increasingly important. GV.RM-06 adds the requirement for "a standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks". Scoring every risk with the same method makes risks comparable to each other and to the tolerance statements, so they can be consistently prioritized for remediation or formally accepted.
CSF 2.0 also ships with quick-start guides, a profile template, implementation examples, and informative references mapping its outcomes to other standards, along with clearer language throughout. These improvements make the framework more accessible and practical, and address areas that have changed since version 1.0 was released a decade ago. Adopting 2.0 reduces the customization organizations previously needed, letting them concentrate on their key areas while giving leadership clearer and more measurable oversight of the cybersecurity program.
Looking for an assessment based on NIST CSF 2.0? Contact us, we can help.
