NZ Incident Response Bulletin – March 2024

Our Views:

The NIST Cybersecurity Framework (CSF) 2.0

The National Institute of Standards and Technology (NIST) has released an updated version of its cybersecurity framework (CSF). We think this version offers significant improvements over the previous versions by widening its scope, supplying more support tools for implementation, and focusing more heavily on cyber governance activities which are critical for cybersecurity success.

Following a presidential Executive Order, NIST first released the CSF in 2014 to help organisations understand, reduce and communicate about cybersecurity risk.

According to NIST, “The new edition is designed for all audiences, industry sectors and organisation types, from the smallest schools and nonprofits to the largest agencies and corporations — regardless of their degree of cybersecurity sophistication. In response to the numerous comments received on the draft version, NIST has expanded the CSF’s core guidance and developed related resources to help users get the most out of the framework. These resources are designed to provide different audiences with tailored pathways into the CSF and make the framework easier to put into action.”

We consider that the NIST CSF is a useful governance tool for managing cyber risk from a high level; however, it should not be considered the only one. We also recommend adopting other governance tools to work alongside the NIST CSF, primarily the Centre for Internet Security (CIS) Controls. Fortunately, the two can be largely mapped to each other to avoid double handling.

An outline of the key changes to the framework and links to the additional support tools is given below.

Expanded Scope

Recognising that cyber threats now impact all industries and all organisations regardless of size, the NIST CSF, originally titled “Framework for Improving Critical Infrastructure” has been adapted and made useful for all sectors. The framework now explicitly aims to assist all organisations in their cybersecurity goals, including those with limited resources or low baseline maturity. This is a positive change and makes the NIST CSF more accessible and relevant to New Zealand organisations.


New GOVERN function

In addition to the existing core framework functions of IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER, a function that focuses on cyber governance activity is now included which firmly embeds cybersecurity improvements into the wider business context. We welcome the introduction of the GOVERN Function in this version of the framework as we see cyber governance as being an area requiring greater attention from New Zealand organisations to enable successful cyber programmes.

The NIST CSF governance function reinforces how cybersecurity is a major source of business risk that must be considered by senior leadership as part of the overall business risk process. It achieves this by providing steps to prioritise and implement the other five core function activities in the context of an organisation’s overall mission and stakeholder expectations. The Govern function also incorporates steps to manage an increasingly concerning area of cyber risk: cybersecurity supply chain risk management. The Govern function ensures the organisation’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored via six categories as outlined below:

  • Organisational Context: The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organisation’s cybersecurity risk management decisions are understood.
  • Risk Management Strategy: The organisation’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.
  • Roles, Responsibilities and Authorities: Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated.
  • Policy: Organisational cybersecurity policy is established, communicated, and enforced.
  • Oversight: Results of organisation-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy.
  • Cybersecurity Supply Chain Risk Management: Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organisational stakeholders.

The NIST CSF Tiers now also include a sliding category to characterise the rigor of an organisation’s cybersecurity risk governance practices (GOVERN) as well as the cybersecurity risk management practices (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER). The categories range from Tier 1, which indicates partial risk governance where the application and prioritisation of cybersecurity risk is ad hoc, through to Tier 4, which indicates adaptive risk governance using an organisational-wide approach.

Additional Support Resources

The NIST CSF support resources have also been expanded to include new quick start guides, informative references, implementation examples, and a repository of organisational profiles that will be updated continuously by NIST. These additional resources are intended to offer different organisations and industries tailored pathways to implementing the framework and lifting their cybersecurity maturity. The resources can be customised and used in combination to suit various organisational contexts and capabilities. Additional frameworks and guidance documents that sit alongside the CSF are also being developed to address emerging technology issues relevant to 2024, such as the AI Risk Management Framework and the Cybersecurity Supply Chain Risk Management Practices for Systems and Organisations.

An example of the available implementation guidance for a subset of one category in the new GOVERN function is shown below:

Function: GOVERN (GV)
Category: Organisational Context (GV.OC)
Subcategory: GV.OC-01: The organisational mission is understood and informs cybersecurity risk management
Implementation Example: Share the organisation’s mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission

Managing the ever-expanding cyber risk landscape must be a continuous process. The updated NIST CSF now offers an even more comprehensive view of cyber risk management for organisations, and we recommend reviewing the new GOVERN function and support resources to assess applicability and usability for your business.

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.