Enhancing Cybersecurity: The Executive’s Guide to the NIST Cybersecurity Framework 2.0

On February 26, 2024, the U.S. National Institute of Standards and Technology (NIST) released version 2.0 of its Cybersecurity Framework, or “CSF.” The NIST CSF has been pivotal for medium-sized organizations navigating an increasingly complex cybersecurity landscape. The most recent State of Cybersecurity report from the Ponemon Institute revealed that 66% of small-to-midsized businesses encountered a cyberattack within the last year. For mid-sized enterprises that are too large to be called “small” yet often lack the budget and internal IT security resources available to large enterprises, the CSF offers a robust, structured approach to cyber defense that can safeguard any organization.

Understanding NIST

As a government agency within the U.S. Department of Commerce with over a century of history, NIST has been instrumental in the advancement of technology and cybersecurity standards for decades. Its contribution to cybersecurity, through the development of frameworks and guidelines since the early 2000s, helps organizations of all sizes to protect their information and infrastructure from digital threats.

The Evolution of the NIST Cybersecurity Framework

Originally released in 2014 as version 1.0, the CSF provided organizations with a comprehensive structure for assessing and improving their cybersecurity posture from the cloud down to the edge. With the release of version 1.1 in 2018, the NIST CSF became one of the de facto cybersecurity risk frameworks in the US and beyond. Because it is designed to be adaptable to sectors and organizations of all sizes and types, security professionals use the framework not only as a method for building a more robust security practice, but also as a common language for understanding, managing, and expressing cybersecurity risk, from the C-suite down to frontline IT security managers.

The transition from version 1.1 to 2.0 signifies a leap forward for the CSF, as NIST incorporated real-world feedback and adapted the framework to the changing cyber threat landscape. For both the CISO and the IT professionals dealing with cybersecurity for today’s mobile workforce, the release of version 2.0 delivers updated guidelines that reflect the latest in cybersecurity best practices.

What is the NIST Cybersecurity Framework v2.0?

The NIST Cybersecurity Framework v2.0 provides guidance for managing cybersecurity risk in organizations of any size across all industry verticals, including government and academia. It helps an organization identify its current baseline, its deficiencies, and its priorities for improving its security posture. The framework is not prescriptive; rather, it guides its users in learning about and selecting specific outcomes that reduce cybersecurity risk and efficiently bolster cyber defenses.

CSF 2.0 supersedes 1.1 in the following ways:

  • Increases the number of functions from 5 in version 1.1 to 6 in version 2.0 with the addition of the “Governance” function
  • Reduces the number of categories from 23 to 22 in version 2.0
  • Reduces the number of sub-categories (or controls) from 108 to 106 in version 2.0

The new functions are as follows:

  1. Govern: Determines if the organization’s cybersecurity risk management strategy, expectations, and policies are properly established, communicated, and monitored. This includes codifying the entity’s specific cybersecurity risk profile, risk management strategies, and supply-chain risks.
  2. Identify: Involves developing a thorough mapping of the organization’s business processes, systems, and assets, the threats and vulnerabilities that apply to each, the data they hold, and how that data flows securely between them.
  3. Protect: Protection strategies are designed to safeguard infrastructure and sensitive information from cyber threats. This includes investing in the right tools and technologies to ensure your operations can withstand an attack and data is protected. A good protection strategy secures both physical and digital assets along with implementing training programs that empower employees to recognize and prevent cybersecurity incidents.
  4. Detect: The capability to quickly identify cybersecurity events and provide timely analysis is critical. For most businesses, focusing on detection means ensuring systems are in place to promptly spot anomalies that could indicate a cybersecurity threat, thus minimizing potential damage.
  5. Respond: In the event of a cybersecurity incident, an organized approach to response is vital. This includes the execution of the incident response plan, prompt escalation, collection of data to preserve integrity, and prompt communication and notification to key internal and external stakeholders. This function also involves proper actions for containing and mitigating damage from incidents.
  6. Recover: In this final component of the CSF 2.0, recovery focuses on restoring any services or capabilities that were impaired by the incident. From a business leadership perspective, recovery is not just about restoring IT systems and applications quickly but also about business continuity: ensuring operations can continue executing business processes during a possible outage of the technical environment. Continuous improvement is imperative within this process to bolster future resilience.

CSF 2.0 now aligns with the 2023 National Cybersecurity Strategy, which not only expands the framework’s scope to the protection of all organizations in any sector but also places a clearer focus on governance. The goal of adding governance to CSF 2.0 is to elevate cybersecurity to a key consideration for top executives, on par with other major concerns such as critical infrastructure, financial stability, and reputational integrity.

What this means for medium-sized businesses is that CSF 2.0 is no longer just a nice-to-have, but essential. These businesses face distinct cybersecurity challenges, often operating with more constrained resources than larger enterprises. The NIST Cybersecurity Framework’s scalable and adaptable nature allows for effective safeguarding of digital assets, providing a pathway to robust cybersecurity without the need for large-scale budgets.

Build Your CSF v2.0-Compliant Strategy with Blue Mantis

The NIST Cybersecurity Framework 2.0 is crucial for medium-sized businesses aiming to enhance their cybersecurity posture. If your organization has built its cybersecurity program around a prior version of the NIST Cybersecurity Framework, now is the time to assess what is required to bring your posture up to the new CSF 2.0 standard.

The advantages of adhering to CSF 2.0 are evident, and Blue Mantis provides expert assistance in adopting the NIST Cybersecurity Framework 2.0, ensuring businesses can effectively secure their digital environments. Partner with us for personalized guidance and support in strengthening your cybersecurity defenses. We welcome you to reach out to our team for tailored advice and assistance.

Jay Martin

Chief Information Security Officer

Jay Martin is the Chief Information Security Officer (CISO) and Cybersecurity and Risk Advisory Lead for Blue Mantis. His nearly three-decade career has been a mix of business leadership and information security. He helped establish InteQ Corporation, later acquired by Computer Associates, and co-founded Service Catalyst, which became a PwC acquisition, where he served as president and CISO. Both companies were leaders in IT transformation, cybersecurity, and governance risk and compliance.

At InteQ, Jay developed their Global Information Security practice, aligning compliance and regulatory requirements with financials, technology, processes, culture, and vendor partners. At Service Catalyst, he led strategic cybersecurity, operational readiness, BCP/DR, incident response, and ITIL/ITSM initiatives, working with Boston-area institutions like UMB Bank, T.J. Maxx, Harvard Business School, Logan Airport, and more.

During the implementation of the Affordable Care Act, Jay was tasked with enhancing the State of Vermont’s operational readiness, focusing on security incident response and ITSM practices. He managed the state’s cybersecurity plan of action and milestones after identifying deficiencies during a security control assessment.

As virtual CISO for Dunkin’ Brands International (acquired by Inspire Brands for over $15B in 2020), Jay managed cybersecurity and compliance activities, including vulnerability management, SOC/SIEM practices, third-party security risk, red team testing, and overseeing security in 8,000 stores.

Prior to joining Blue Mantis, Jay was Client Solutions Director and Cybersecurity Practice lead for Advizex Technologies, running their Emergency Incident Response Team and overseeing cybersecurity and compliance risk assessments.