The newly published version of the NIST Cybersecurity Framework (CSF) has rightly elevated the importance of cybersecurity governance, but the new Govern function has a disproportionate impact on overall scoring and presents challenges when measuring improvements against the previous version of the framework.
What’s new in NIST CSF version 2.0?
The biggest change in version 2.0 of the NIST CSF is the introduction of a new function – Govern. This new function consists of 6 categories and a total of 31 subcategories. While some are repurposed from the “business environment” and “governance” subcategories from the Identify function in the previous version, many of these subcategories are net-new and granularly defined with respect to policy, roles and responsibilities, and governance and oversight practices.

Although the Govern function adds 6 new categories, the other functions have been consolidated. The changes in organization, categorization, and naming convention are largely cosmetic, with the spirit of the original five core functions remaining mostly the same. Some language updates even make it easier to evaluate security capabilities with respect to cloud systems compared to the previous version (e.g. “Platform Security” and “Technology Infrastructure Resilience”).
How should organizations interpret these changes?
Just because approximately 30% of the framework is now related to governance does not mean that organizations should allocate a similar percentage of their budget or headcount to strengthen these controls. Threat-driven detection and response capabilities will continue to be a fundamental part of cybersecurity programs, and they are not addressed by additional governance meetings and paper products.
Try the following thought exercise for a quicker way to assess your cyber governance capabilities:
- Does cybersecurity have a seat at the table with your Executive Leadership Team (ELT) or Board?
- Do you have a cyber-specific risk register that drives additional investments or prioritizes remediation activities?
- Do you assess cyber-specific supply chain risks and include them in your risk register?
- Are your program’s policies defined such that compliance with them can be measured and monitored?
- Are the roles and functions in your program defined such that headcount requirements can be accurately quantified (and requested increases be justified to leadership)?
- Can you articulate to your ELT or Board whether your program is meeting its objectives?
If you answered “yes” to most of these questions, you probably don’t need to worry about achieving a perfect score for this function – you are already in a strong position. If you answered “no” to most of them, a deeper dive into the granular subcategories would be helpful.
How should you measure maturity compared to the previous version?
If you are an organization that has never assessed yourself against the NIST CSF, then using the new version is a great place to start. Given the slow pace of change at NIST, this framework should be in place for many years and measuring year-over-year progress will be straightforward. But if you have historically assessed yourself against the previous version – how should you handle the change?
A word of advice: don’t bother trying to normalize a score from version 1.1 to 2.0. As this mapping demonstrates, there is a complex relationship between previous and current subcategories and any calculations that attempt to compare them are implying a level of precision that isn’t adding any value (we call this “magic math”). It is better to take 5-10 minutes to explain to your board or audit committee that after 10 years, the measuring stick has evolved and leave it there. For example, the details of why you may go from a 3.4 to a 3.1 in Protect will be too obscure – just explain that the framework leveled-up with tougher requirements, everyone is experiencing this, and focus on the go-forward.
And while it may seem counterintuitive, another suggestion is to focus on scoring individual functions instead of the overall score (“we went from a 2.3 to a 3.1 in Detect”). Unless each functional area within your organization is equally mature, most CISOs are going to focus on improving the lowest scoring areas, and a focus on function-level scoring achieves that without worrying about whether all the governance subcategories are lowering your top-line number.
Whether you are performing your first or tenth NIST CSF assessment, providing context to your leadership and prioritizing the most impactful security investments should always be more important than focusing on an overall score for the sake of showing a numerical increase. And remember – these assessments are not audits. SRA continues to stress the importance of combining NIST CSF assessments with test procedures like Purple Teams and Table Top Exercises (TTXs) to validate and measure how effective your program’s controls actually are.
Conclusion:
As we move into the era of 2.0, keep a few things in mind:
- Just because the new Govern function has 31 subcategories does not mean that governance is more important than any of the other core functions. Your adversaries would love for you to focus disproportionately on your policies and meetings.
- Threat-driven detection and response capabilities remain as important as ever, even if the functions are more compact now.
- Being able to validate the effectiveness of your controls and tell that story to your Board is more important than achieving a particular overall score.
SRA continues to help organizations assess their cybersecurity program maturity against the NIST CSF, CIS, and other frameworks. We help prioritize the most meaningful and value-added investments as part of 12 or 18-month roadmaps and can quantify the effectiveness of program controls through additional services such as Purple Teams and TTXs. We also help CISOs summarize their maturity trajectories with narratives for their boards, audit committees, or ELTs.
Bill Lyons
Bill is a cybersecurity consultant with experience leading framework-based assessments including NIST, CIS, HIPAA, HITRUST and other customized maturity frameworks. Additionally, Bill has experience performing cloud configuration assessments across Azure, AWS, and GCP with a focus on Microsoft 365 tenant hardening. Bill has worked with companies across the medical, financial, pharmaceutical, aerospace, and manufacturing sectors. Bill maintains a number of current cloud security certifications from Microsoft and AWS, most recently obtaining the Azure Data Scientist associate.