The NIST Cybersecurity Framework (CSF), published by the US National Institute of Standards and Technology (NIST), is a widely used set of guidelines for mitigating organizational cybersecurity risks. It contains recommendations and standards to help organizations identify and detect cyberattacks and advice on how to respond, prevent, and recover from cybersecurity incidents.
Since Version 1.0’s initial release in 2014, the NIST CSF has undergone two major updates: Version 1.1 in 2018 and Version 2.0 in 2024. Let’s explore what the Framework is and does and how it has changed over the years.
NIST Cybersecurity Framework Version 1.0 (2014)
While not published until 2014, NIST CSF Version 1.0’s history begins a year earlier, in February 2013. In response to the increasing threat of cyberattacks on critical infrastructure, President Barack Obama issued Executive Order 13636, titled “Improving Critical Infrastructure,” which directed NIST to develop a framework to improve the cybersecurity of critical infrastructure in the United States.
Following an extensive, collaborative process with various relevant stakeholders and several drafts and revisions, NIST released CSF Version 1.0 in February 2014. While primarily aimed at critical infrastructure operators, this process ensured that the Framework would be practical and effective for a wide range of organizations.
The Framework Core was made up of five high-level functions:
- Identify
- Protect
- Detect
- Respond
- Recover
NIST Cybersecurity Framework Version 1.1 (2018)
In April 2018, NIST released Cybersecurity Framework Version 1.1 in response to evolving needs and feedback from users. The revised version included improved guidance on authentication and identity management, self-assessment, and supply chain risk management. Here’s a summary of those changes.
CSF Version 1.1 enhanced the Identity Management, Authentication, and Access Control category to provide more explicit guidance on managing identities and credentials and clarify terminology and descriptions to help users better understand the Framework.
Arguably, the most significant change in Version 1.1 was the addition of the supply chain risk management category (ID.SC) under the Identify function. This category provides guidance on assessing and managing risks associated with third-party suppliers and partners.
Another notable update included more detailed guidance for self-assessment of cybersecurity posture, performance, and maturity and increased emphasis on the development and use of metrics to carry out these assessments.
CSF Version 1.1 served to better align and integrate the Framework with other cybersecurity standards and best practices, such as ISO/IEC 27001. This update helped organizations use multiple frameworks to ensure consistency across their cybersecurity practices.
Users and stakeholders also pushed for increased usability of the Framework, which led to the inclusion of practical examples to help organizations implement specific components of the Framework in real-world scenarios. Similarly, NIST included additional resources and guidance to help small and medium-sized businesses adopt and implement the Framework.
All these updates reflected a changed threat landscape and emerging cybersecurity challenges, ensuring the Framework stayed relevant and effective.
NIST Cybersecurity Framework Version 2.0 (2024)
Ten years after the release of CSF Version 1.0, in February 2024, NIST published Version 2.0. After two years of workshops, drafts, and revisions, Version 2.0 introduced significant changes to the existing Framework. Let’s look at them in a little more detail.
The most obvious change in NIST CSF Version 2.0 is the addition of a new function: Govern. However, the Govern function is more of a consolidation of category information from Version 1.1 than an entirely new function. The primary result of this change is to make Version 2.0 easier to understand than previous iterations. The new Govern categories include Organizational Context (GV.OC), Oversight (GV.OV), Risk Management Strategy (GV.RM), Roles, Responsibilities and Authorities (GV.RR), and Cybersecurity Supply Chain Risk Management (GV.SC).
You’ll notice that the Govern function includes a supply chain risk management category. This represents an increased emphasis on supply chain risks following a string of supply chain attacks in recent years and Gartner’s prediction that 45% of global organizations will experience a supply chain attack by 2025—three times higher than in 2021.
The NIST CSF Version 2.0 includes a significant update to its Respond function. Categories now include Incident Management (RS.MA), Incident Analysis (RS.AN), Incident Response Reporting and Communication (RS.CO), and Incident Mitigation (RS.MI), and map to impactful cyber incident response outcomes, rather than the more high-level outcomes included in Version 1.1.
NIST has also expanded the Framework’s scope in Version 2.0, rebranding it from a critical infrastructure-focused framework to one that applies to all industries. While many sectors already used the NIST CSF, Version 2.0 is the first official recognition of this fact. NIST has adapted the Framework to apply to any industry and encompasses a range of organizations, regardless of their size and cybersecurity program maturity.
While not an update to the Framework itself, NIST has also released a suite of resources to help organizations implement NIST CSF Version 2.0. These include a searchable reference tool, a reference catalog, community profiles, implementation examples, and quick start guides.
The NIST CSF is a valuable, ever-evolving framework that helps organizations of all shapes and sizes improve their cybersecurity posture and protect themselves against a wide range of threats. You can view the Framework in full here.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.