Streamline Your Organization Security Posture with NIST CSF 2.0

Crowdstrike reported a 75% increase in cloud environment intrusions from 2022 to 2023 (source). IBM's cost of data breach report shows that the global average cost of a data breach in 2024 is USD 4.88M, a 10% increase over last year and the highest total ever. Cyber attacks would scale much faster with the help of artificial intelligence. If organizations are not prepared, the consequences will be dire.

There are many security frameworks that can help organizations enable security and safety for their applications and users. In this blog post, we will discuss NIST CSF, one of the most used security frameworks that helps organizations understand and prevent cybersecurity risks. We will cover the key enhancements in NIST CSF 2.0 briefly, explain the primary components of CSF in detail, and show the best practices for maintaining NIST CSF in the cloud.

What is NIST CSF?

The NIST Cybersecurity Framework is designed to help private sector organizations evaluate and enhance their capacity to prevent, detect, and respond to cyber-attacks. The framework is meant to supplement an organization's current risk management and cybersecurity procedures.

We can call it an add-on to an organization’s existing information/cyber security posture. The framework offers recommendations based on best practices and industry standards. It assists businesses of all sizes, from startups to major corporations, in determining the best course of action for enhancing cyber-security and cyber resilience and evaluating the present level of their cyber-security processes. In February 2024, NIST introduced NIST CSF v2.0 with several upgrades.

Key enhancements in NIST CSF 2.0

CSF 1.1 has 5 functions, 23 categories, and 108 subcategories. The CSF 2.0 has 6 functions, 22 categories, and 106 subcategories. CSF 2.0 is an extension of CSF 1.1 that includes several category realignments and the addition of the ‘Govern’ function.

Here are key enhancements in NIST CSF 2.0:

1. Supply Chain Risk Management (SCRM): NIST CSF 2.0 places a greater emphasis on SCRM. Given the rise of supply chain attacks, organizations are now encouraged to manage risks not only within their systems but also across their entire supply chain.
2. Identity Management and Access Control: Enhanced guidelines for managing identities and access controls are included, reflecting the critical role these elements play in securing organizational infrastructure.
3. Measurement and Metrics: The updated framework provides improved guidelines on measuring the effectiveness of cybersecurity practices, helping organizations to continuously assess and enhance their security posture.
4. Integration with Privacy Framework: NIST CSF 2.0 is more closely aligned with NIST’s Privacy Framework, providing a more holistic approach to managing both security and privacy risks.
5. Improved Guidance on Implementation Tiers: The framework offers clearer guidance on the implementation tiers, helping organizations to better assess their current cybersecurity posture and set realistic improvement goals.

The images shows the newly added ‘Govern’ function.

Primary components of CSF 2.0 {#primary-components-of-csf-2-0}

There are three primary components of CSF 2.0:

• Core: It refers to a set of cybersecurity activities and references that provide a high-level, strategic view of an organization’s cybersecurity posture. The core is organized into six functions. Govern, Identify, Protect, Detect, Respond, and Recover, which are further divided into 22 categories and 106 subcategories.
• Tiers: Organizations can identify their current state of cybersecurity with the help of tiers. There are 4 tiers: Partial, Risk-Informed, Repeated, and Adaptive.
• Profiles: Profiles are divided into "current" and "target" profiles.

We will cover each component pf CSF 2.0 in detail.

Core functions of CSF 2.0

There are six core functions within NIST CSF 2.0.

1. Govern: This function involves cybersecurity risk management strategy, expectations, and policies.

   Category	Key points	Security Enhancements
   Organizational Context	Involves recognizing the unique aspects of the organization, its mission, goals, operational environment, regulatory requirements, and risk appetite, that influence how it manages cybersecurity risks It includes understanding Business Needs and Drivers - Tailoring the Framework - Risk Management - Resource Allocation - Communication - Continuous Improvement - Mission and Objectives - Stakeholder Expectations - Legal, Regulatory, and Contractual Requirements - Threat Landscape	Strategic Alignment Asset Protection Clear Direction Accountability and Responsibility
   Risk Management Strategy	Risk management processes are established, managed, and agreed to by organizational stakeholders. Understanding and articulating risk tolerance is essential for making informed decisions about which risks to mitigate, accept, transfer, or avoid. It includes - Identifying Risks - Assessing Risks - Developing Risk Treatment Plans - Risk Acceptance - Continuous Monitoring	Prioritization Informed Decision-Making Proactive Risk Mitigation Adaptability
   Roles, Responsibilities, and Authorities	Ensure clear accountability, define actions, and empower stakeholders for effective cybersecurity management. Establishment and Communication Leadership Accountability Clear Assignment Use of RACI Matrix Comprehensive Coverage Alignment with Organizational Structure Regular Review and Update Board and Executive Involvement Cross-functional Collaboration Empowerment and Authority	Clear Accountability Effective Decision-Making Improved Communication and Coordination Reduced Risk of Human Error
   Policy	Policies establish guidelines and standards to ensure consistent cybersecurity practices across the organization. The below process is part of the policy lifecycle. Policy Development and Implementation Communication of Policies Policy Enforcement Regular Review and Update Alignment with Organizational Context Integration with Enterprise Risk Management Supply Chain Considerations Compliance and Regulatory Alignment Documentation and Accessibility	Clear Expectations Consistent Practices Risk Management Accountability
   Oversight	Keeping a close eye on all aspects of cybersecurity Continuous Monitoring and Evaluation Performance Measurement Feedback and Improvement Governance Integration Stakeholder Communication	Maintaining Effectiveness Promoting Accountability Driving Continuous Improvement Demonstrating Commitment
   Cybersecurity Supply Chain Risk Management	Program and Strategy Identifying and Assessing Suppliers and Third-Party Partners Understanding Supply Chain Dependencies Risk Management Integration Supplier Prioritization Contractual Security Requirements Due Diligence Continuous Monitoring Incident Planning and Response Post-Relationship Risk Management Managing Supply Chain Risks Communicating and Collaborating with Suppliers	Reduces Risk Exposure Protects Critical Assets Strengthens Resilience Fosters Trust

2. Identify: This function involves identifying assets, vulnerabilities, and threats within an organization's environment.

   Category	Key points	Security Enhancements
   Asset Management	The company inventories all software components and data used in its service. This includes identifying which data is sensitive and requires additional protection measures. - Asset Identification - Asset Classification - Asset Ownership and Responsibility - Asset Inventory Maintenance - Data Flow Mapping	Targeted Protection Risk Prioritization Improved Incident Response Compliance Efficient Resource Management
   Risk Assessment	Conduct regular risk assessments to identify cybersecurity threats specific to the SaaS model, such as data breaches or unauthorized access to customer data. - Risk Identification - Risk Analysis - Risk Prioritization - Risk Communication - Continuous Risk Monitoring	Informed Decision-Making Proactive Risk Mitigation Efficient Resource Allocation Improved Communication Adaptability
   Improvement	Continuous improvement is required to streamline the security tasks - Iterative Assessments - Feedback Loops - Adaptability

3. Protect: The Protect function focuses on securing assets and limiting the impact of a potential cybersecurity event.

   Category	Key points	Security Enhancements
   Identity Management, Authentication, and Access Control	Identity Management - User Provisioning - Role-Based Access Control (RBAC) - Lifecycle Management Authentication - Multi-Factor Authentication (MFA) - Single Sign-On (SSO) Access Control - Access Control Lists (ACLs) - Policy Enforcement	Prevents Unauthorized Access Limits Damage from Breaches Enforces Accountability Facilitates Compliance
   Awareness and Training	Security Awareness Programs Security Training Phishing Simulations Role-Based Training Continuous Learning	Reduces Human Error Empowers Employees Strengthens Security Culture Supports Compliance
   Data Security	Encrypt sensitive customer data both in transit and at rest. Ensure that encryption keys are securely managed Data Classification Data Encryption Access Controls Data Masking and Tokenization Data Backup and Recovery Data Retention and Disposal Data Loss Prevention (DLP)	Confidentiality Integrity Availability Compliance
   Platform Security	Secure Configuration Vulnerability Management Malware Defenses Secure Coding Practices Data Protection at Rest and in Transit	Reduced Attack Surface Timely Vulnerability Management Proactive Malware Defense Secure Software Development Data Protection
   Technology Infrastructure Resilience	Data Backup Recovery Planning Redundancy Resilient Design Physical Protection	Minimizes Downtime Protects Data Ensures Business Continuity

4. Detect: The Detect function monitors and detects cybersecurity events.

   Category	Key points	Security Enhancements
   Continuous Monitoring	Real-Time Monitoring Alerting and Notifications Security Information and Event Management (SIEM) Anomaly Detection Vulnerability Scanning Threat Intelligence Change Detection	Early Threat Detection Improved Incident Response Enhanced Situational Awareness Compliance
   Adverse Event Analysis	Event Correlation Impact and Scope Assessment Root Cause Analysis Incident Declaration Threat Intelligence Integration Information Sharing	Accurate Incident Identification Targeted Response Proactive Risk Mitigation Improved Situational Awareness Collaboration and Information Sharing

5. Respond: The Respond function involves responding to detected cybersecurity events.

   Category	Key points	Security Enhancements
   Incident Management	Incident Response Plan Incident Triage and Analysis Containment and Eradication Recovery Lessons Learned Communication	Minimizes Impact Facilitates Recovery Improves Security Posture Maintains Stakeholder Confidence
   Incident Analysis	Comprehensive Investigation Root Cause Identification Impact Assessment Evidence Preservation Threat Actor Profiling Communication and Collaboration	Effective Containment and Eradication Informed Decision-Making Improved Security Posture Proactive Threat Detection Legal and Compliance Support
   Incident Response Reporting and Communication	Internal Reporting External Reporting Stakeholder Communication Public Communication Lessons Learned Post-Incident Activities	Facilitates Timely Response Minimizes Damage Enhances Collaboration Supports Compliance Promotes Continuous Improvement
   Incident Mitigation	Containment Strategies Eradication Activity Monitoring Protective Technology Coordination and Communication	Limits Impact Enables Faster Recovery Improves Security Posture Demonstrates Preparedness

6. Recover: The Recovery function involves restoring systems and assets affected by a cybersecurity event.

   Category	Key points	Security Enhancements
   Incident Recovery Plan Execution	Plan Activation Resource Coordination Prioritization System Restoration Testing and Validation Communication Plan Review and Improvement	Minimizes Downtime Ensures Business Continuity Protects Data Facilitates Continuous Improvement
   Incident Recovery Communication	Internal Communication External Communication Stakeholder Updates Lessons Learned	Facilitates Coordinated Response Minimizes Disruption Maintains Trust and Confidence Supports Continuous Improvement

Implementation Tiers of CSF

The NIST CSF implementation tiers are designed to help organizations understand the maturity of their cybersecurity risk management programs. The tiers range from 1 to 4, with each tier representing a different level of cybersecurity maturity:

1. Tier 1: Partial: The organization uses informal procedures and knows very little about cybersecurity procedures and threats, with minimal internal cybersecurity coordination.
2. Tier 2: Risk Informed: The organization has established policies and defined risk management procedures that are known to the entire organization. Procedures are reviewed frequently to match the needs of the business.
3. Tier 3: Repeatable: Same as Risk informed but with established procedures and consistent review and update
4. Tier 4: Adaptive: The organization prioritizes dynamically responding to changing risks and threats and continuously improving its cybersecurity procedures based on lessons learned.

Profiles of NIST CSF

The third primary component of NIST CSF is profiles. We create current and target profiles. The profile can be of the whole organization, any product, or any business unit where we want to improve the security posture. To create a profile, we need to understand the business requirements, sync with various teams, perform gap analysis, and create a detailed plan on how to fix the gaps identified and reach the target profile. There are multiple milestones to reach the target stage.

Best practices for maintaining NIST CSF Compliance in the cloud

1. Know your cloud service provider's security measures: The first step towards maintaining NIST CSF compliance in the cloud is understanding your cloud service provider's security measures and the service alignment with the NIST CSF framework. All major cloud service providers have stringent security controls in place, but it is important to familiarize yourself with them and ensure they align with the NIST CSF framework.

2. Use encryption for data protection: Encryption is a key component of data protection and a crucial aspect of NIST CSF compliance. Make sure all sensitive data stored or transmitted on your cloud infrastructure is encrypted using approved algorithms. This includes data at rest as well as data in transit.

3. Implement access controls: Controlling access to resources within your cloud environment is vital for maintaining NIST CSF compliance. Utilize Identity and Access Management (IAM) tools provided by your cloud service provider to manage user permissions and privileges effectively.

4. Regularly monitor your cloud environment: Monitoring your cloud infrastructure regularly helps detect any potential vulnerabilities or suspicious activities that could compromise your organization's security posture. Set up alerts to track any unusual activity or changes made within your environment.

5. Conduct regular risk assessments: Conducting regular risk assessments allows you to identify potential risks within your environment and take steps to mitigate them before they turn into serious threats. This practice also aligns with one of the core functions of the NIST CSF - Identity.

6. Implement multi-factor authentication (MFA): MFA adds an extra layer of security to user authentication by requiring additional verification methods, such as a one-time password or biometric scan. This helps prevent unauthorized access and is recommended by the NIST CSF framework.

7. Keep your cloud infrastructure up-to-date: Regularly updating your cloud infrastructure and applications is crucial for maintaining NIST CSF-2.0 compliance. By doing this, the likelihood of a cyberattack is decreased by ensuring that any known vulnerabilities are patched.

Following these best practices will help organizations maintain NIST CSF compliance in their cloud environment and ensure the security of their critical assets and information. It is also important to note that maintaining compliance is an ongoing process, and regular audits should be conducted to identify any gaps or areas for improvement. By staying vigilant and following these practices, businesses can strengthen their security posture and protect themselves from potential cyber threats in the cloud.

Various public cloud services aligned with NIST CSF 2.0

When using the public cloud, there are multiple native services available that can help us align with the NIST CSF and improve the overall security posture. The table below maps the cloud services with the primary functions of NIST primary functions. Below is a list of various native services supported by various cloud providers at the time we were writing the blog.

CSF Function	AWS	GCP	Azure
Govern	AWS Identity and Access Management (IAM) AWS Organizations AWS CloudTrail AWS Config AWS Artifact AWS Compliance Center	Security Command Center Policy Intelligence Cloud deployment manager Supply chain (GKE Security posture) Policy Compliance(GKE Security posture)	Azure Policy Azure Blueprints Azure Compliance Manager Azure Security Center Azure Monitor Azure Governance Visualizer (AzGovViz) Microsoft Compliance Score
Identify	AWS Config AWS CloudTrail Amazon Inspector AWS Risk and Compliance Program: AWS Cloud Adoption Framework (CAF)	Cloud identity and access management Cloud asset inventory Security command center GKE security posture	Azure Security Center Azure Active Directory (Azure AD) Azure Policy Azure Blueprints Azure Advisor
Protect	AWS Identity and Access Management (IAM) Amazon Virtual Private Cloud (VPC) AWS Key Management Service (KMS) AWS Shield AWS WAF Amazon GuardDuty AWS Certificate Manager AWS CloudTrail AWS Config	Cloud identity and access management Vpc service controls Shielded VM’s Security Command Center Policy Intelligence Cloud deployment manager Access approval API	Azure Active Directory (Azure AD) Azure Information Protection Azure Security Center Azure Firewall Azure Key Vault Azure Multi-Factor Authentication (MFA) Azure Virtual Network
Detect	Amazon GuardDuty AWS CloudTrail Amazon Macie AWS Network Firewall Amazon CloudWatch AWS Config	Security Command Center Event threat detection Cloud logging and cloud monitoring GKE Security posture	Azure Security Center Azure Sentinel Azure Monitor Microsoft Defender for Cloud (formerly Azure Security Center)
Respond	AWS Lambda Amazon Simple Notification Service (SNS) AWS CloudWatch AWS Step Functions AWS Security Hub Amazon Detective	Security Command Center Event threat detection Cloud functions and pub/sub Cloud logging and cloud monitoring	Azure Security Center Azure Sentinel Azure Monitor Microsoft Defender for Endpoint Azure Logic Apps
Recover	AWS Backup Amazon S3 Glacier AWS CloudFormation Amazon Route 53 AWS Elastic Beanstalk AWS CloudEndure Disaster Recovery	Google cloud storage Persistent disk storage Cloud SQL backups Cloud KMS Google Kubernetes Engine(GKE) backups Disaster recovery planning guide	Azure Backup Azure Site Recovery Azure Storage

Final words

NIST CSF-2.0 is an impressive framework that covers all aspects of cybersecurity, its redesigned structure now involves and focuses on topics that were taken lightly in the past by organizations like open source compliance management. It is the cherry on top of current best practices which can guide organizations to streamline their cybersecurity posture.

I hope you found this blog post informative and engaging. I’d love to hear your thoughts on this post. Let’s connect and start a conversation on LinkedIn. Looking for help with securing your infrastructure or want to outsource DevSecOps to the experts? Learn why so many startups & enterprises consider us as one of the best DevSecOps consulting & services companies.

References

• NIST CSF official guide