Enhancing Cybersecurity: The Executive’s Guide to the NIST Cybersecurity Framework 2.0

On February 26, 2024, the U.S. National Institute of Standards and Technology (NIST) released version 2.0 of its Cybersecurity Framework, or “CSF.” The NIST CSF has been pivotal for medium-sized organizations navigating an increasingly complex cybersecurity landscape. The most recent State of Cybersecurity report from the Ponemon Institute revealed that 66% of small-to-midsized businesses encountered a cyberattack within the last year. For mid-sized enterprises that are too large to be called “small” yet often struggle to find the budget and internal IT security resources available to large enterprises, the CSF offers a robust structure for building cyber defenses that can safeguard any organization.

Understanding NIST

As a government agency within the U.S. Department of Commerce with over a century of history, NIST has been instrumental in the advancement of technology and cybersecurity standards for decades. Its contribution to cybersecurity, through the development of frameworks and guidelines since the early 2000s, helps organizations of all sizes to protect their information and infrastructure from digital threats.

The Evolution of the NIST Cybersecurity Framework

Originally released in 2014 as version 1.0, the CSF provided organizations with a comprehensive structure for assessing and improving their cybersecurity posture from the cloud down to the edge. With the release of version 1.1 in 2018, the NIST CSF became one of the de facto cybersecurity risk frameworks in the US and beyond. Because the framework is designed to be adaptable to sectors and organizations of all sizes and types, security professionals use it not only as a method for building a more robust security practice, but also as a common language for understanding, managing, and expressing cybersecurity risk, from the C-suite down to frontline IT security managers.

The transition from version 1.1 to 2.0 signifies a leap forward for the CSF, as NIST incorporated real-world feedback and adapted the framework to the changing cyber threat landscape. For both the CISO and the IT professionals dealing with cybersecurity for today’s mobile workforce, the release of version 2.0 delivers updated guidelines that reflect the latest in cybersecurity best practices.

What is the NIST Cybersecurity Framework v2.0?

The NIST Cybersecurity Framework v2.0 provides guidance for managing cybersecurity risk in organizations of any size across all industry verticals, including government and academia. It helps an organization identify its current baseline, deficiencies, and priorities for improving its security posture. The framework is not prescriptive; rather, it guides its users in learning about and selecting specific outcomes that reduce cybersecurity risk and efficiently bolster cyber defenses.

CSF 2.0 supersedes 1.1 in the following ways:

  • Increases the number of functions from 5 in version 1.1 to 6 in version 2.0 with the addition of the “Governance” function
  • Reduces the number of categories from 23 to 22 in version 2.0
  • Reduces the number of sub-categories (or controls) from 108 to 106 in version 2.0

The new functions are as follows:

  1. Govern: Determines whether the organization’s cybersecurity risk management strategy, expectations, and policies are properly established, communicated, and monitored. This includes codifying the entity’s specific cybersecurity risk profile, risk management strategies, and supply-chain risks.
  2. Identify: Involves developing a thorough inventory of the organization’s business processes, systems, and assets, mapping the threats and vulnerabilities that apply to each of those assets and their data, and documenting how data flows securely between them.
  3. Protect: Protection strategies are designed to safeguard infrastructure and sensitive information from cyber threats. This includes investing in the right tools and technologies to ensure your operations can withstand an attack and your data is protected. A good protection strategy secures both physical and digital assets and implements training programs that empower employees to recognize and prevent cybersecurity incidents.
  4. Detect: The capability to quickly identify cybersecurity events and provide timely analysis is critical. For most businesses, focusing on detection means ensuring systems are in place to promptly spot anomalies that could indicate a cybersecurity threat, thus minimizing potential damage.
  5. Respond: In the event of a cybersecurity incident, an organized approach to response is vital. This includes executing the incident response plan, escalating promptly, collecting data in a way that preserves its integrity, and communicating promptly with key internal and external stakeholders. This function also covers the actions needed to contain incidents and mitigate their damage.
  6. Recover: In this final component of the CSF 2.0, recovery focuses on restoring any services or capabilities that were impaired by the incident. From a business leadership perspective, recovery is not just about restoring IT systems and applications quickly but also about business continuity: ensuring that business processes can continue to execute during a possible outage of the technical environment. Continuous improvement is imperative within this process to bolster future resilience.

CSF 2.0 now aligns with the 2023 National Cybersecurity Strategy, which not only expands the framework’s scope to the protection of all organizations in any sector but also places a sharper focus on governance. The goal of adding governance to CSF 2.0 is to elevate cybersecurity to a key consideration for top executives, on par with other major concerns like critical infrastructure, financial stability, and reputational integrity.

What this means for medium-sized businesses is that CSF 2.0 is no longer just a nice-to-have, but essential. These businesses face distinct cybersecurity challenges, often operating with more constrained resources than larger enterprises. The NIST Cybersecurity Framework’s scalable and adaptable nature allows for the effective safeguarding of digital assets, providing a pathway to robust cybersecurity without the necessity for large-scale budgets.

Build Your CSF v2.0-Compliant Strategy with Blue Mantis

The NIST Cybersecurity Framework 2.0 is crucial for medium-sized businesses aiming to enhance their cybersecurity posture. If your organization built its cybersecurity program around a prior version of the NIST Cybersecurity Framework, now is the time to assess what is required to bring your posture up to the new CSF 2.0 standard.

The advantages of adhering to CSF 2.0 are evident, and Blue Mantis provides expert assistance in adopting the NIST Cybersecurity Framework 2.0, ensuring businesses can effectively secure their digital environments. Partner with us for personalized guidance and support in strengthening your cybersecurity defenses. We welcome you to reach out to our team for tailored advice and assistance.

Jay Martin

Vice President Security

With over 20 years in Information Technology and Information Security, Jay Martin brings a strategic vision and deep technical expertise to his role as VP, Security at Blue Mantis. Throughout his career, he has helped organizations of all sizes achieve service excellence and navigate the ever-evolving cybersecurity landscape.

Jay is charged with extending Blue Mantis’ hypergrowth in cybersecurity, including assessment of market, customer and partner requirements and overseeing overall positioning and optimizing services delivery. He collaborates closely with the Blue Mantis IT team to ensure the company’s internal security posture and cyber resiliency remain at a world-class level.

Jay’s background spans various IT disciplines, including network engineering, technical support, operations management, and security. This well-rounded perspective allows him to translate complex cyber threats into practical solutions that align with business goals. He has a proven track record of architecting security programs, implementing robust solutions, and fostering a culture of security awareness within organizations.

Before joining Blue Mantis, Jay held leadership positions at several companies, including InteQ Corporation and Hewlett-Packard – NetMetrix. In these roles, he successfully implemented industry best practices like IT Service Management (ITSM) to streamline IT operations and ensure service excellence. He also leveraged his expertise in IT security and enterprise monitoring to develop comprehensive security programs that met compliance requirements.

Jay is passionate about staying ahead of the curve. He holds industry-recognized certifications like CISM (Certified Information Security Manager) and actively participates in industry forums. This dedication to continuous learning allows him to lead Blue Mantis’ cybersecurity team in delivering innovative solutions that empower businesses to thrive in the digital age.