The NIST Cybersecurity Framework (CSF) 2.0 Functions, Profiles, Outcomes and Controls

May 15, 2024

With the introduction of the Cybersecurity Framework (CSF) 2.0, the National Institute of Standards and Technology (NIST) has placed greater emphasis on the use of CSF Organizational Profiles. Where the CSF 1.1 implied that a Profile would be applied to the whole organization, the CSF 2.0 suggests an approach in which an organization can adopt multiple Profiles as appropriate. This lets organizations focus on selecting, implementing and managing the specific security controls required to achieve their security objectives, and omit controls that do not support those objectives.

Although not explicitly stated in the CSF 2.0, this change may have been driven by the increasing use of network segmentation, itself driven by the governance need to reduce risk to some information and parts of the organization more than to others. The net effect of multiple Profiles is that different areas of an organization can be subject to distinct information security control baselines. These are more complex to manage, but they support providing and implementing the right amount of protection for information, and no more, which a single organization-wide Profile cannot easily achieve.

But how can organizations effectively manage these multiple Profiles? Fortunately, NIST has greatly improved its documentation on using the CSF in organizations other than those associated with critical infrastructure. In fact, the CSF 2.0 drops "Critical Infrastructure" from the framework's title and states that it is intended for organizations of all sizes and sectors.

Reviewing the CSF 1.1 Framework Core

To show how the CSF has evolved since the 2018 publication of CSF 1.1, consider section 2.1: Framework Core, which states: "The Framework Core provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes. The Core is not a checklist of actions to perform. It presents key cybersecurity outcomes identified by stakeholders as helpful in managing cybersecurity risk."

Later in the same section of the CSF 1.1, NIST states:

  • "Functions organize basic cybersecurity activities at their highest level. These Functions are Identify, Protect, Detect, Respond, and Recover." Using these Functions, organizations can better organize information, communicate about and make informed decisions regarding their risk management approaches. The Functions also align with existing incident management methodologies and help show the impact of cybersecurity investments.
  • "Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities." For instance, as shown in the image below, "Asset Management" is a Category of the Identify Function, and "Recovery Planning" is a Category of the Recover Function.
  • "Subcategories further divide a Category into specific outcomes of technical and/or management activities....[which] help support achievement of the outcomes in each Category." See the image below for examples of Subcategories.
  • "Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory." The image below shows examples of other common frameworks, such as COBIT 5 and ISO/IEC 27001:2013, that organizations may review when aligning the CSF to their own practices.

Below is NIST's visualization of the CSF 1.1 Framework Core.

[Image: NIST CSF 1.1 Framework Core]

From the CSF 1.1 description of the Framework Core, we can infer that the security controls required to secure a computing environment are not the outcome definitions themselves. Controls can (not must) be drawn from the Informative References provided in Appendix A, Table 2, which point to the CIS, COBIT, ISA, ISO and NIST control catalogs and standards. An organization may therefore decide to use ISO/IEC 27002:2022 controls to achieve specific CSF outcomes. Further, NIST does not restrict organizations to the controls defined by these bodies. An organization located in Australia or New Zealand, for example, could use its local controls catalog, such as the Australian Cyber Security Centre's Essential Eight or CERT NZ's Critical Controls.

The CSF 2.0 Evolution

In 2018, NIST published the CSF 1.1 as a single document. Nearly six years later, the CSF 2.0 takes a similar approach, but supplements the primary document with multiple supporting, referenceable documents (including the Quick Start Guides) that clearly articulate NIST's vision and suggested approach.

Today, the NIST CSF 2.0 abstract states: "The CSF does not prescribe how outcomes should be achieved. Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes."

Again, outcomes can be mapped directly to a list of candidate security controls listed in the CSF 2.0 Informative References for immediate consideration in mitigating cybersecurity risk. In the CSF 2.0, however, the Informative References table has been removed from the framework document itself and is published separately by NIST as a downloadable Excel file and through a browsable online reference tool, both of which are much easier to work with than the PDF appendix in the CSF 1.1.

As with the CSF 1.1, the Informative References contain an updated list of suggested security controls that organizations can select from and associate with the outcomes defined in their CSF Profiles. Because the CSF 2.0 now supports multiple Profiles and provides the Informative References in an easily extractable file format, creating an information security controls baseline has been greatly simplified. So why is this a big deal?

The 'big deal' is that these baselines can be used for:

  1. Measuring compliance based on what an organization actually does to protect its information, rather than relying on what it says it is doing
  2. Reporting the organization's CSF Tier, which reflects the rigor with which it governs and manages cybersecurity risk, a result that executive leadership and the board can use to build the confidence of stakeholders and investors

The image below shows how CSF 2.0 Tiers can be used to report the degree of risk management rigor at each level of the Core, and how Tiers are used in combination with Profiles that contain the expected outcomes, achieved by implementing security controls selected from the CSF 2.0 Informative References or from other control catalogs chosen by the organization.

[Image: CSF 2.0 Functions, Profiles, Outcomes and Controls, with Tiers]

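As an added illustration (not part of the original post or of NIST's publications), the following Python sketch shows the mechanics behind the points above: a Profile's selected outcomes are turned into a control baseline by looking them up in an Informative References table; a second, narrower Profile for a segmented zone yields a smaller baseline, so the zone carries only the controls its outcomes need; an outcome with no reference in the chosen catalog is flagged so a control can be selected from another catalog; and the resulting baseline is checked against evidence of what is actually implemented rather than what is claimed. The Subcategory IDs are real CSF 2.0 identifiers, but the reference rows, the two Profiles, the catalog names and the implementation evidence are constructed for the example and are not NIST's published mapping.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the shape of the CSF 2.0 Informative References
# download (Subcategory ID, reference catalog, control identifier). The
# Subcategory IDs are real CSF 2.0 identifiers; the control mappings are
# illustrative only and are NOT NIST's published mapping.
INFORMATIVE_REFERENCES_CSV = """subcategory,catalog,control
GV.OC-01,ISO/IEC 27002:2022,5.1
ID.AM-01,CIS Controls v8,1.1
ID.AM-01,ISO/IEC 27002:2022,5.9
ID.AM-02,CIS Controls v8,2.1
ID.AM-02,ISO/IEC 27002:2022,5.9
PR.AA-01,CIS Controls v8,5.1
PR.AA-01,ISO/IEC 27002:2022,5.16
DE.CM-01,CIS Controls v8,13.6
DE.CM-01,ISO/IEC 27002:2022,8.16
"""

# Two constructed Organizational Profiles, each a set of selected outcomes
# (Subcategory IDs). The segmented OT zone selects fewer outcomes than
# enterprise IT, so it should end up with a smaller control baseline.
PROFILES = {
    "enterprise-it": {"GV.OC-01", "ID.AM-01", "ID.AM-02", "PR.AA-01", "DE.CM-01"},
    "segmented-ot": {"ID.AM-01", "PR.AA-01", "DE.CM-01"},
}


def load_informative_references(text):
    """Parse the CSV into {subcategory: {(catalog, control), ...}}."""
    refs = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        refs[row["subcategory"].strip()].add(
            (row["catalog"].strip(), row["control"].strip())
        )
    return dict(refs)


def control_baseline(outcomes, refs, catalogs=None):
    """Return (baseline, unmapped).

    baseline: the (catalog, control) pairs that support the Profile's selected
    outcomes, restricted to the chosen catalogs (None means any catalog).
    unmapped: outcomes with no reference in those catalogs, which therefore
    need a control chosen from elsewhere (the CSF does not restrict the source).
    """
    baseline, unmapped = set(), []
    for sub in sorted(outcomes):
        hits = {c for c in refs.get(sub, ()) if catalogs is None or c[0] in catalogs}
        if not hits:
            unmapped.append(sub)
        baseline |= hits
    return baseline, unmapped


def assess(baseline, implemented):
    """Compare a baseline with the controls for which implementation evidence
    exists. Returns (coverage ratio, sorted list of missing controls)."""
    missing = baseline - implemented
    ratio = 1.0 if not baseline else (len(baseline) - len(missing)) / len(baseline)
    return ratio, sorted(missing)


if __name__ == "__main__":
    refs = load_informative_references(INFORMATIVE_REFERENCES_CSV)
    iso = {"ISO/IEC 27002:2022"}
    for name, outcomes in PROFILES.items():
        baseline, unmapped = control_baseline(outcomes, refs, iso)
        print(name, sorted(c for _, c in baseline), "unmapped:", unmapped)
    # Constructed evidence: the controls the OT zone can actually show are in place.
    ot_baseline, _ = control_baseline(PROFILES["segmented-ot"], refs, iso)
    evidence = {("ISO/IEC 27002:2022", "5.9"), ("ISO/IEC 27002:2022", "5.16")}
    print(assess(ot_baseline, evidence))
```

Run against the constructed rows, the enterprise Profile restricted to ISO/IEC 27002:2022 yields controls 5.1, 5.9, 5.16 and 8.16, while the OT zone yields only 5.9, 5.16 and 8.16: control 5.1 is part of the enterprise baseline but is not imposed on the segmented zone. Restricting the enterprise Profile to the CIS catalog instead flags GV.OC-01 as unmapped, which is the cue to pick a governance control from another catalog rather than leave the outcome unsupported. Swapping the real NIST download in for the constructed CSV is a matter of matching the column names.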
Summary

Overall, use of the CSF 2.0 will improve the cybersecurity maturity of organizations that fully adopt it through appropriate use of Profiles, outcomes and controls. The framework also offers extended governance benefits to organizations that fully embrace the new CSF 2.0 GOVERN Function.

These benefits will likely take until 2026 to materialize in many organizations because of the additional effort and resources needed to adopt the framework.

For further information, please reach out to us at https://www.optiv.com/

TECHNICAL MANAGER IN STRATEGY AND RISK MANAGEMENT PRACTICE | OPTIV
Dr. Broderick is a Technical Manager in Optiv's strategy and risk management practice and is responsible for the development and delivery of security assessment, security program development and other services to Optiv clients. Having worked in the IT and information security industry for over 35 years, he is deeply experienced in all aspects of information security and how it affects businesses of all sizes and in all sectors.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.