NIST CSF: A “Fellowship” for Your Cybersecurity Journey to 2.0 

By Samuel Lewis, Senior Security Consultant  

The Govern Function  

The introduction of the Govern Function or Golden Ring, if you will, is perhaps the most noticeable change. NIST has not formally stated this, but it could easily be described with this inscription, “One Ring to rule them all, One Ring to find them, One Ring to bring them all, and in the darkness bind them.”^* No, sorry. That is a story about an altogether different journey…let’s look at CSF 2.0.

This golden ring, more accurately called the Govern Function, is much less threatening than the ring that tempted characters in the Lord of the Rings…but in its own way, this new function is just as far-reaching. What NIST has officially stated about the Govern Function is that it should be used to achieve and prioritize the outcomes of the original five CSF functions. These functions remain a fundamental element from the original framework with a few minor changes to both the categories and subcategories. The Govern Function expounds upon some of the original concepts introduced in the earlier versions of CSF and elevates cybersecurity risk to a board-level concern, emphasizing that it is to be considered an enterprise risk that senior leadership must account for, much like finances and reputation.

Increased Scope 

The original scope and purpose of the CSF was to improve critical infrastructure cybersecurity while maintaining “a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” With the release of CSF 2.0, NIST has expanded its reach by stating that the guidance on managing cybersecurity risks now expands to include industry, government agencies and other organizations of all sizes, sectors, and maturity levels. This increased scope takes the framework from its original intent of protecting the nation’s critical infrastructure…to reaching far beyond Bilbo Baggins’ Shire and opening the doors for its use across all kinds of applications. NIST CSF 2.0 aims to safeguard not just critical infrastructure but to help organizations of all sizes effectively minimize risks, from the largest enterprises to corner bakeries and the “Mom and Pop” bicycle shops. All organizations can benefit from its guidance.

Reference Tool 

One of the more helpful additions to CSF 2.0 is the implementation of the NIST Cybersecurity Framework (CSF) 2.0 Reference Tool. Just as a map guided travelers through Middle-earth, the CSF 2.0 Reference Tool can assist organizations on their cybersecurity quest. Unlike a compass app, it goes beyond basic direction, offering a comprehensive guide for navigating the ever-evolving cybersecurity landscape.

NIST has never said a control must be met in a specific way, instead it provides online resources with several ways to achieve the goals. This reference tool provides examples of what fully implemented cybersecurity frameworks look like, helping remove some of the uncertainty organizations may feel. Each of the 106 subcategories of CSF 2.0 comes with one to ten implementation examples that explain the control’s purpose and provides an example of how to achieve it. These resources and examples are helpful to every professional looking to strengthen their cybersecurity posture, allowing them to discover what works best for their company.

Much like Frodo’s trek, the journey to a secure future requires strategic use of available tools. The three changes highlighted above are not the only changes that NIST rolled out with CSF 2.0, these are just some major milestones on a larger journey. There were also important additions regarding supply chain risk management within the Govern Function; the expectation that CSF 2.0, like previous versions, will be utilized globally; and the additional inclusion of informative references which map CSF 2.0 controls to CSF 1.1, Center for Internet Security (CIS) Controls v8, and multiple NIST Special publications. The three additions we focused on in this blog are just highlights, and none of the changes should be overlooked as they are all valuable keys to the creation of a stronger and more robust cybersecurity environment.

*From J.R.R. Tolkien’s book, The Fellowship of the Ring  

If you want to know more about NIST CSF 2.0 or if you have other cybersecurity questions, our experts are ready to assist.