The National Institute of Standards and Technology (NIST) developed the first NIST Cybersecurity Framework (NIST CSF) in 2014 to help critical infrastructure providers (such as dams and power utilities) improve their cyber defenses in accordance with a voluntary set of standards. 

But a lot has changed in the cybersecurity threat landscape since 2014. So in March 2024, NIST published its Cybersecurity Framework 2.0, which recommended controls and cybersecurity tips for organizations in any industry.

The revised NIST CSF 2.0 expands the scope to address cyber risks for all types of organizations and supply chains. The update responded to the evolving cyber threat landscape, which increasingly targets businesses of all sizes across various sectors.

This is a major development, one that reflects the reality that cyber threats are now ubiquitous and threaten every part of the economy. And all organizations are wise to follow NIST’s expanded set of requirements. Indeed, the NIST CSF 2.0 framework validates a core idea: everyone needs to take cybersecurity seriously.

While compliance with NIST CSF 2.0 is mandatory for some sectors, it is voluntary for others, and some organizations may balk at putting in the effort to implement a voluntary policy. But given the insecure state of digital business, it’s worth the effort.

Why NIST CSF 2.0 is Important for Businesses

The NIST CSF 2.0 framework provides a flexible, risk-based approach designed to complement an organization's existing risk management processes. 

By implementing the NIST CSF 2.0, businesses can identify areas where their cybersecurity processes need improvement. The framework guides organizations through assessing current practices, establishing target goals, creating a plan for improvement, and measuring progress toward their cybersecurity objectives.

The NIST CSF 2.0 also facilitates the implementation of cybersecurity best practices tailored to an organization's specific needs, vulnerabilities, and resources. It harmonizes standards and guidelines from various sources, making it easier for organizations to leverage best practices from different cybersecurity standards and regulations.

NIST Compliance Benefits

Adhering to the NIST CSF 2.0 can provide several benefits for businesses:

  • Improved risk management: The framework helps organizations better understand, manage, and reduce cybersecurity risks.

  • Regulatory compliance: Implementing NIST CSF 2.0 can help organizations comply with various cybersecurity regulations and industry standards.

  • Competitive advantage: A robust cybersecurity posture aligned with NIST CSF 2.0 can increase customer trust and give businesses a competitive edge.

  • Cost savings: Preventing and mitigating cyber incidents through improved cybersecurity practices can save organizations significant costs.

What's New in NIST CSF 2.0?

The NIST Cybersecurity Framework (CSF) 2.0 introduces several key updates to provide broader, more inclusive guidance for industry, government agencies, and other organizations to effectively manage cybersecurity risks. One of the principal enhancements in CSF 2.0 is its refined taxonomy of high-level cybersecurity outcomes that is designed to be universally applicable. This allows for a more flexible approach that organizations of any size, sector, or maturity level can utilize to better understand, assess, prioritize, and communicate their cybersecurity efforts.

Further developments in NIST CSF 2.0 include an expanded Core to address emerging technologies and threats, refined Implementation Tiers that offer nuanced guidance on progressing an organization’s cybersecurity maturity, and enhanced Profiles to aid in customizing the Framework’s application to specific organizational needs or objectives. Additionally, CSF 2.0 responds to extensive feedback from stakeholders to ensure the Framework remains relevant and helpful in today’s rapidly evolving cyber landscape.

Moreover, NIST has introduced supplementary resources alongside CSF 2.0, such as tools and guides, to facilitate its adoption and application across diverse operational environments. These resources are indicative of an overarching effort to enhance the accessibility and usability of the Framework for a wide audience, emphasizing inclusivity and adaptability in cybersecurity practices.

In summary, CSF 2.0 builds upon the solid foundation of its predecessor by incorporating broader considerations for digital security, presenting a structured yet flexible approach for managing cybersecurity risks that is adaptive to the needs of different organizations. By focusing on universal applicability and providing practical resources, NIST seeks to empower organizations to elevate their cybersecurity postures effectively in the face of a dynamic threat environment.

Comparison with the European Union's NIS 2 Directive

The European Union's NIS 2 (Network and Information Security 2) directive aims to enhance cybersecurity resilience across the EU member states. While NIS 2 is a regulatory directive, it shares some similarities with the NIST CSF 2.0 in terms of promoting a risk-based approach to cybersecurity and encouraging the adoption of best practices.

However, the NIST CSF 2.0 is a voluntary framework, whereas NIS 2 imposes specific cybersecurity requirements and obligations on organizations operating within the EU. Organizations may need to comply with both the NIST CSF 2.0 and NIS 2 if they operate in the EU and have operations or customers in the United States.

NIST Cybersecurity Framework Components

The NIST Cybersecurity Framework 2.0 consists of three primary components: Framework Core, Implementation Tiers, and Profiles. Each plays a pivotal role in enabling organizations to develop robust cybersecurity postures tailored to their unique challenges and needs.

Framework Core

The Framework Core is essentially the backbone of the NIST CSF, comprising a collection of cybersecurity activities, outcomes, and informative references. Designed to be universally applicable across various sectors, the Core provides a standardized language and methodology for addressing and managing cybersecurity risks. It's organized into five functional areas: 

  • Identify: Develop an organizational understanding of cybersecurity risks to systems, people, assets, data, and capabilities.

  • Protect: Implement appropriate safeguards to ensure the delivery of critical services and protect against cybersecurity threats.

  • Detect: Implement appropriate activities to identify the occurrence of a cybersecurity event.

  • Respond: Implement appropriate activities to take action regarding a detected cybersecurity incident.

  • Recover: Implement appropriate activities to maintain plans for resilience and restore any capabilities or services impaired due to a cybersecurity incident.

These areas cover the full spectrum of an organization's need to comprehend its digital environment, protect its infrastructure, detect anomalies, respond to incidents, and recover from them. By offering detailed guidance across these functions, the Framework Core enables organizations to establish a comprehensive and adaptable cybersecurity strategy.

Implementation Tiers

The Implementation Tiers help organizations gauge their current cybersecurity practices and guide them towards a desired future state. Ranging from Tier 1 (Partial) to Tier 4 (Adaptive), these tiers reflect a progression in the organization's risk management practices—from rudimentary and reactive approaches to advanced and proactive ones. 

Tier 1 indicates an organization's cybersecurity practices are informal and not fully integrated into its risk management regimen. Conversely, Tier 4 signifies that an organization's cybersecurity practices are highly advanced, with real-time, continuous improvement processes in place to address cybersecurity risks. These tiers promote informed decision-making regarding the allocation of resources, prioritization of cybersecurity actions, and enhancement of risk management practices.

Profiles

Profiles are essentially customization tools within the NIST CSF, allowing organizations to align their cybersecurity practices with their specific requirements, risk tolerances, and objectives. 

An organization starts by establishing a "Current" Profile, which outlines its existing cybersecurity posture, and a "Target" Profile, which represents the desired state. By comparing these profiles, gaps can be identified, and a prioritized action plan can be developed. Profiles enable organizations to apply the broad guidance provided in the Framework Core directly to their unique circumstances, facilitating a strategic approach to improving cybersecurity resilience.

In sum, the three components of the NIST Cybersecurity Framework 2.0 work in concert to provide a scalable and flexible approach to cybersecurity. The Framework Core offers a comprehensive set of activities and outcomes to be achieved, the Implementation Tiers help organizations assess and plan the maturity of their cybersecurity practices, and the Profiles enable personalized application of the framework to meet specific organizational needs, thereby facilitating a successful implementation of the NIST CSF 2.0.

Establishing a Cybersecurity Risk Management Program with NIST Framework

To establish an effective cybersecurity risk management program using the NIST Cybersecurity Framework, organizations should follow these steps:

  1. Define priorities: Align cybersecurity objectives with the organization's business goals and risk management strategy.

  2. Conduct risk assessments: Identify and prioritize cybersecurity risks to the organization's assets, data, and operations.

  3. Create a current profile: Assess the organization's current cybersecurity practices against the NIST Framework Core.

  4. Establish a target profile: Define the desired cybersecurity outcomes and practices based on the organization's risk tolerance and priorities.

  5. Implement action plans: Develop and execute plans to address gaps between the current and target profiles, leveraging the NIST Framework guidance.

  6. Continuous improvement: Regularly review and update the organization's cybersecurity practices, risk assessments, and profiles to adapt to evolving threats and business needs.
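Steps 2 through 5 above amount to a gap analysis: score every Core outcome in a Current Profile and a Target Profile on the Implementation Tier scale, weight each outcome by the risk assessment, and turn the differences into a prioritized action plan. The following is an added illustration of that procedure in Python; it is not a NIST or Rubrik tool. The five Functions come from the article; the Tier names for Tiers 2 and 3 (Risk Informed, Repeatable) are NIST's, since the article names only Tiers 1 and 4. The outcome identifiers (ID-01, PR-01, ...), descriptions, scores and risk weights are constructed placeholders, not official CSF subcategory IDs.

```python
"""Current-vs-target Profile gap analysis for a NIST CSF-style programme.

Added illustration, not a NIST or Rubrik tool. Outcome identifiers, scores and
weights below are constructed sample data.
"""
from dataclasses import dataclass

# The five Functions named in the article, in Core order.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Implementation Tiers 1..4. The article names Tier 1 (Partial) and Tier 4
# (Adaptive); Tiers 2 and 3 carry the names NIST uses for them.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Outcome:
    ident: str        # constructed placeholder, not an official CSF subcategory id
    function: str     # one of FUNCTIONS
    description: str


@dataclass(frozen=True)
class Gap:
    outcome: Outcome
    current: int      # tier scored in the Current Profile
    target: int       # tier required by the Target Profile
    risk_weight: int  # 1 (low) .. 5 (high), taken from the risk assessment (step 2)

    @property
    def size(self) -> int:
        """Tiers still to climb; <= 0 means the target is already met."""
        return self.target - self.current

    @property
    def priority(self) -> int:
        """Larger gaps on higher-risk outcomes go first; met outcomes score 0."""
        return max(self.size, 0) * self.risk_weight


def validate_profile(profile: dict, outcomes: list, name: str) -> None:
    """A Profile must score every Core outcome exactly once with a valid Tier."""
    expected = {o.ident for o in outcomes}
    given = set(profile)
    missing, unknown = expected - given, given - expected
    if missing or unknown:
        raise ValueError(f"{name} profile: missing={sorted(missing)} unknown={sorted(unknown)}")
    for ident, tier in profile.items():
        if tier not in TIERS:
            raise ValueError(f"{name} profile: {ident} has invalid tier {tier!r}")


def gap_analysis(outcomes: list, current: dict, target: dict, weights: dict) -> list:
    """Compare Current and Target Profiles; return one Gap per outcome, highest priority first."""
    validate_profile(current, outcomes, "current")
    validate_profile(target, outcomes, "target")
    for o in outcomes:
        if o.function not in FUNCTIONS:
            raise ValueError(f"{o.ident}: unknown function {o.function!r}")
        if not 1 <= weights.get(o.ident, 0) <= 5:
            raise ValueError(f"{o.ident}: risk weight must be 1..5")
    gaps = [Gap(o, current[o.ident], target[o.ident], weights[o.ident]) for o in outcomes]
    # Deterministic ordering: priority, then raw gap size, then identifier.
    return sorted(gaps, key=lambda g: (-g.priority, -g.size, g.outcome.ident))


def action_plan(gaps: list) -> list:
    """Only outcomes that still fall short of the Target Profile need work (step 5)."""
    return [g for g in gaps if g.size > 0]


def open_gaps_by_function(gaps: list) -> dict:
    """Count of unmet outcomes per Function, for reporting to leadership."""
    counts = {f: 0 for f in FUNCTIONS}
    for g in action_plan(gaps):
        counts[g.outcome.function] += 1
    return counts


# Constructed sample data (not from the article or from NIST).
SAMPLE_OUTCOMES = [
    Outcome("ID-01", "Identify", "Hardware and software assets are inventoried"),
    Outcome("PR-01", "Protect", "Backups are immutable and access-controlled"),
    Outcome("DE-01", "Detect", "Anomalous activity is continuously monitored"),
    Outcome("RS-01", "Respond", "Incident response plan is exercised"),
    Outcome("RC-01", "Recover", "Recovery plans are written and tested in advance"),
]
SAMPLE_CURRENT = {"ID-01": 2, "PR-01": 1, "DE-01": 2, "RS-01": 3, "RC-01": 1}
SAMPLE_TARGET = {"ID-01": 3, "PR-01": 4, "DE-01": 3, "RS-01": 3, "RC-01": 4}
SAMPLE_WEIGHTS = {"ID-01": 3, "PR-01": 5, "DE-01": 4, "RS-01": 4, "RC-01": 5}

if __name__ == "__main__":
    gaps = gap_analysis(SAMPLE_OUTCOMES, SAMPLE_CURRENT, SAMPLE_TARGET, SAMPLE_WEIGHTS)
    for g in action_plan(gaps):
        print(f"{g.outcome.ident} [{g.outcome.function}] {TIERS[g.current]} -> {TIERS[g.target]} "
              f"priority={g.priority}: {g.outcome.description}")
    print(open_gaps_by_function(gaps))
```

The ordering rule is the design choice worth noting: a one-tier gap on a high-impact outcome can outrank a larger gap on a low-impact one, which is what "prioritize based on risk tolerance" (step 4) means in practice. Validation fails closed when a Profile omits an outcome or uses an undefined Tier, so an incomplete assessment cannot silently produce an empty action plan.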

NIST and Rubrik: Supporting Cybersecurity Best Practices

Rubrik can help put these new cybersecurity recommendations into action, particularly in the areas of data protection and cyber resiliency. Rubrik has specific expertise in this area: Rubrik experts reviewed early drafts of the new framework and provided feedback that was incorporated into the final product.

Rubrik can help organizations determine the scope of an attack and its impact on the business by providing a clear view into what data was impacted and where it resides. With rich reporting, Rubrik enables IT and security managers to collaborate with senior business leaders on reporting to customers, the public, the government, law enforcement, and other regulatory bodies. 

Rubrik Sensitive Data Discovery and Monitoring scans backup snapshots and identifies sensitive data in files and applications. Further, Rubrik’s User Access Analysis tool can help organizations understand who has access to sensitive data to enlist support from data owners and promote data stewardship. 

Rubrik offers immutable backups, which cannot be modified by a ransomware attacker or any other unauthorized party. The Rubrik Cloud Vault features access controls and a logical “air gap” that protects data at rest. Additionally, the Rubrik Secure Data Layer, which is part of the Rubrik Zero Trust Data Security architecture, supports these controls with data encryption at rest, checksum creation, and validation throughout the entire life cycle of the data. The Secure Data Layer also keeps data continuously available through a self-healing design with fault tolerance.

Rubrik offers core enterprise data protection solutions that can address even intense backup and recovery requirements. With Orchestrated Application Recovery, Rubrik Security Cloud allows users to write and test recovery plans in advance of an attack. This allows IT to group several related virtual machines into a single recovery object so that the recovery plan can bring business operations back online in priority order. That way, the recovery team will know how much work (and time) it will take to restore core business functions.

By implementing the NIST Cybersecurity Framework 2.0, organizations can enhance their cybersecurity posture, improve risk management practices, and better protect their critical assets and data from evolving cyber threats.