Changes to NIST CSF 2.0: GRC Newsflash


28 Aug 2023

At TrustCloud, we’re on a mission to democratize compliance, so we’re kicking off GRC Newsflash – a series where our experts give you a quick rundown on the latest buzz happening in the GRC, security, and privacy world. Today’s edition features our Compliance Specialist Frank Kyazze, and covers updates of the NIST Cybersecurity Framework 2.0, announced on August 8, 2023.


What’s New in NIST CSF 2.0

The NIST Cybersecurity Framework, known as NIST CSF, is undergoing a significant transformation, and every private sector entity, from emerging enterprises to global conglomerates, must take heed.

Originating in 2014 and receiving an update in 2018, the NIST CSF emerged from a presidential directive that sought to amplify cybersecurity defenses within essential infrastructures. Its mission has always been formidable: helping organizations accurately gauge, navigate, mitigate, and communicate cybersecurity vulnerabilities and risks.

The NIST CSF’s role is paramount. Beyond serving as a federal reference, it has garnered endorsement from both state and international governments. Prominent global corporations have integrated the NIST CSF as an essential element of their cybersecurity strategies and programs. When cybersecurity concerns reach legal avenues, the NIST CSF often becomes a defining standard.

The roadmap to NIST CSF 2.0 has been rich with collaboration. Heeding voices from various sectors, NIST in 2022 actively sought input and even orchestrated workshops to assimilate diverse perspectives. The takeaway: a consensus that the framework needs to keep pace with technological momentum, furnish clearer implementation strategies and guidelines, and lend a magnified focus to supply chain cybersecurity.

So let’s break down what’s coming with the NIST CSF 2.0 Concept Paper. First off, they’re making it more relevant to more businesses.

This is all about putting a spotlight on how companies make decisions around cybersecurity, and with all the recent cybersecurity attacks on supply chains, it’s no surprise that NIST is doubling down on keeping things safe.

If we take a moment to think about the NIST CSF and what it already does:

  • Identify function: helps businesses figure out where they stand
  • Protect function: puts protective measures in place
  • Detect function: notices if something’s wrong
  • Respond function: responds to issues
  • Recover function: recovers from any setbacks


Now, with the Govern function coming into the mix, it’s all about making sure companies have cybersecurity programs, and everyone knows who’s doing what.

However, making changes isn’t always smooth sailing. The more details you add, the harder it might become to apply them flexibly across different companies. Think about how connected everything is these days, especially with supply chains. It’s like a giant jigsaw puzzle, and NIST wants to make sure that every piece fits just right.

The new Govern function is definitely catching a lot of eyes. It’s like NIST is saying, “Hey! It’s not just about having tools and defenses. It’s also about having a clear plan and discussions about them at the highest levels.” But as with any new thing, some companies are scratching their heads, wondering what this change really means for them and if they’ll need to switch up their current strategies.

With all of this, there is definitely a lot to unpack in the Govern function. My team and I have been spending a lot of time trying to dissect and transform these updates into digestible and actionable insights.

Let’s take the first category of the Govern function: the “risk management strategy” category.

This revolves around the organization’s priorities and constraints, risk appetite, and assumptions, all designed to address operational risk decisions.

The first subcategory is GVRM-01. Here, the emphasis is on establishing risk management objectives that are in alignment with organizational stakeholders. For instance, during annual strategic planning or in the face of significant changes, updating both near-term and long-term cybersecurity risk management objectives becomes pivotal.

The goal is to derive measurable objectives for managing risks, such as ensuring superior user training quality or ensuring comprehensive risk protection (for industrial control systems, for example). The active involvement and agreement of senior leaders ensure that these objectives serve as a metric for managing risk and performance.

And this is just scratching the surface on the Govern function. There really is a lot to unpack here. And if you find yourself scratching your head, wondering what to do next, you should definitely go over to TrustCloud and read our blog article on these updates, or reach out to one of our compliance specialists.

Additional NIST CSF Resources