Speaker: James Tarala
Event: SANS Webcast
Date: December 4, 2024
Watch on YouTube: https://www.youtube.com/watch?v=3JACdIrexzI
Introduction
The NIST Cybersecurity Framework (CSF) Version 2.0 was officially released in 2024, bringing several key updates aimed at refining and improving cybersecurity governance. In this SANS webcast, James Tarala breaks down the changes, providing a detailed comparison between CSF 1.1 and CSF 2.0 and helping organizations understand how to integrate these updates into their security programs.
James Tarala highlights that while CSF 2.0 is an evolution rather than a complete overhaul, the addition of a new “Govern” function and restructuring of several components make it a noteworthy update for cybersecurity professionals.
Key Takeaways
- CSF 2.0 introduces a new “Govern” function, emphasizing cybersecurity governance, leadership accountability, and risk management.
- Existing functions (Identify, Protect, Detect, Respond, Recover) remain, but with reorganized safeguards to reflect governance responsibilities.
- Simplification of security control descriptions, making them more readable and aligned with modern cybersecurity practices.
- Greater emphasis on supply chain risk management, acknowledging the growing threats posed by third-party dependencies.
- More structured guidance on secure software development, responding to industry trends in DevSecOps.
Summary of the Discussion
The Evolution of the NIST Cybersecurity Framework
Since its initial release in 2014, the NIST CSF has served as a foundational cybersecurity governance tool, particularly for critical infrastructure organizations. The updates in 2024 continue to build on that foundation while introducing refinements based on feedback from industry, government, and cybersecurity experts.
Key historical milestones of the framework:
- 2014: CSF 1.0 released following an executive order from the White House to improve cybersecurity for critical infrastructure.
- 2018: CSF 1.1 introduced clarifications in authentication, identity management, and supply chain security.
- 2024: CSF 2.0 expands the framework with a dedicated “Govern” function, better alignment with risk management strategies, and a refined approach to security safeguards.
What’s New in CSF 2.0?
- Introduction of the “Govern” Function – The most significant change in CSF 2.0 is the addition of a sixth core function: “Govern.”
  - Previously, governance-related statements were scattered across the framework.
  - Now, all policy, leadership, risk strategy, and compliance activities are centralized in the Govern function.
  - This structure makes it easier for organizations to separate governance activities from technical security measures.
- Refinements to Existing Functions – While Identify, Protect, Detect, Respond, and Recover remain, many of their security controls have been reorganized and rewritten for clarity.
  - The Govern function now influences all other security functions, ensuring they align with business objectives.
  - Many previously vague statements have been replaced with more precise, industry-aligned guidance.
  - Certain governance elements were moved from Identify, Protect, and Detect into the new Govern function.
- Increased Focus on Supply Chain Risk Management – With supply chain threats becoming a major cybersecurity concern, CSF 2.0 includes enhanced guidelines for third-party risk management.
  - Organizations are now expected to inventory and prioritize supplier relationships based on risk.
  - The framework introduces requirements for contract language to include cybersecurity expectations.
  - More focus is placed on incident response plans involving third-party service providers.
- Emphasis on Secure Software Development – Cybersecurity threats increasingly target software supply chains and development practices. CSF 2.0 expands its focus in this area by:
  - Recommending secure coding practices and application security testing.
  - Encouraging organizations to adopt DevSecOps principles.
  - Providing guidance on software component inventory management to track risks in open-source and third-party libraries.
- Streamlining and Simplification – The framework has been trimmed and reworded.
  - Some security requirements were removed, reflecting a move toward prioritization rather than comprehensive lists.
  - Language was revised to match how security teams actually talk about safeguards.
  - The framework integrates better with other security standards, including CIS Controls, ISO 27001, and NIST 800-53.
How Organizations Should Adapt to CSF 2.0
With these updates, organizations should take the following actionable steps to integrate CSF 2.0 effectively:
- Review and update governance policies – Ensure alignment with the new “Govern” function.
- Assess supply chain risk management practices – Implement better tracking, contract language, and third-party validation.
- Refine secure software development policies – Ensure that DevSecOps principles are integrated into the software lifecycle.
- Update cybersecurity frameworks and training – Reflect the new CSF structure in security awareness programs.
- Leverage automation tools – Use GRC tools, risk management dashboards, and SIEM platforms to track compliance with CSF 2.0.
Actionable Insights
- If your organization follows NIST CSF, prioritize governance updates by aligning leadership responsibilities and risk management strategies.
- Supply chain security is now a priority—conduct regular third-party risk assessments.
- Reevaluate how your security teams approach software development. Secure coding should be baked into development processes.
- Use structured assessment tools (e.g., GRC platforms, Excel-based trackers, or SIEM integrations) to track compliance with CSF 2.0.
- Engage executive leadership in cybersecurity governance discussions—CSF 2.0 reinforces leadership accountability for risk.
Conclusion
The NIST Cybersecurity Framework 2.0 represents an evolution rather than a dramatic shift. The addition of the “Govern” function, greater emphasis on supply chain security, and structured approach to risk management make it a valuable update for organizations seeking better cybersecurity governance.
By integrating these updates into security programs, organizations can improve risk management, strengthen compliance, and build resilience against modern threats.
For more insights on this topic, watch the full webcast here.