NIST CSF 2.0 provides key guidance to organizations of all sizes looking to improve their security posture. Contrast Runtime Security safeguards applications while they run, helping you meet the framework's outcomes at the application layer.
The Cybersecurity Framework (CSF) from the National Institute of Standards and Technology (NIST) is designed to help organizations better understand and more effectively manage their cybersecurity risk. It is a voluntary framework that provides organizations with a set of best practices for managing cybersecurity risks.
NIST CSF is designed to be a valuable framework for organizations of all sizes that are looking to improve their cybersecurity posture. It can help organizations identify and prioritize their cybersecurity risks, develop and implement effective cybersecurity controls, and monitor and measure their cybersecurity performance.
NIST CSF 2.0 is organized around six core functions:
Govern (GV): establish and monitor the organization's cybersecurity risk management strategy, expectations and policy
Identify (ID): understand the organization's current cybersecurity risks
Protect (PR): use safeguards to manage those risks
Detect (DE): find and analyze possible cybersecurity attacks and compromises
Respond (RS): take action regarding a detected cybersecurity incident
Recover (RC): restore assets and operations affected by a cybersecurity incident
Further, NIST CSF defines four tiers that characterize how rigorously an organization governs and manages its cybersecurity risk:
Tier 1: Partial
Tier 2: Risk Informed
Tier 3: Repeatable
Tier 4: Adaptive
NIST is explicit that the tiers describe the rigor of risk management practices and are not maturity levels that every organization is expected to reach.
NIST CSF 2.0 is the latest version of the NIST Cybersecurity Framework, released on February 26, 2024. It replaces NIST CSF 1.1, which was published in April 2018.
The main differences between NIST CSF 1.1 and NIST CSF 2.0 are:
A sixth function, Govern, which pulls together governance outcomes (organizational context, risk management strategy, roles and responsibilities, policy, oversight) that in 1.1 sat mainly under Identify (ID.GV, ID.RM, ID.SC)
Expanded treatment of cybersecurity supply chain risk management, now its own category (GV.SC) under Govern
Implementation Examples and Informative References published alongside the core, together with Quick-Start Guides and Community Profiles, to make the framework easier to adopt
Another major difference between the two is in scope. NIST CSF 1.0 was written for critical infrastructure (its full title was Framework for Improving Critical Infrastructure Cybersecurity); NIST CSF 2.0 is explicitly designed to apply to organizations of all sizes and sectors.
According to NIST, the purpose of CSF 2.0 is to help organizations better understand and more effectively manage their cybersecurity risk. NIST CSF 2.0 is intended to reflect the evolving threat landscape, particularly by placing a greater emphasis on risk management and by providing more detailed guidance on how to implement the framework.
NIST CSF 2.0 is important because it provides organizations with a comprehensive and up-to-date framework for managing their cybersecurity risks. It helps organizations to:
NIST CSF 2.0 applies to organizations of all sizes and industries. It is a voluntary framework, but it is widely recognized as a valuable tool for managing cybersecurity risks. Many organizations use NIST CSF 2.0 as the baseline for their cybersecurity programs, and some regulators, contracts and insurers reference it, or a comparable framework, as an expected standard of care.
A few subcategories within NIST CSF 2.0 are directly relevant to application security testing (AST) and application detection and response (ADR), grouped here by function:
Identify
Detect
Protect
Respond
Govern
ID.RA-01 states the outcome that vulnerabilities in assets are identified, validated and recorded; in CSF 2.0 it also absorbs the CSF 1.1 subcategory DE.CM-8 (vulnerability scans are performed), which was withdrawn. The framework does not say how or with what technology, so an organization can satisfy this outcome with interactive application security testing (IAST), which finds vulnerabilities by instrumenting the running application rather than by scanning it from outside. DE.CM-01 (networks and network services are monitored to find potentially adverse events) and DE.CM-09 (computing hardware and software, runtime environments and their data are monitored) likewise name no control. At the application layer the usual candidates are a web application firewall (WAF), which inspects traffic in front of the application, and ADR, which observes behavior inside it. We recommend both, because a WAF sees the request but not what the code does with it, and ADR sees the code's behavior but only for the applications it is deployed in.
GV.OV-03 (the Oversight category under Govern) states the outcome that organizational cybersecurity risk management performance is evaluated and reviewed for needed adjustments. ADR generates detailed context on attacks, reporting on security incidents and on application behavior. That data can be used to monitor security performance, evaluate the effectiveness of existing controls, and make informed decisions about future security investments and strategy.
It is worthwhile to note that, by and large, NIST CSF 2.0 doesn't specifically call out any particular software or solution category. Rather, the goal is to ensure that organizations are approaching cybersecurity holistically and putting themselves in the best possible position.
In addition, a software bill of materials (SBOM) is a NIST-recommended practice (it appears in the Secure Software Development Framework, SP 800-218), but it is not called out by name in the CSF 2.0 core, where supply chain risk is addressed through the GV.SC category. In this vein, it is also worth noting that White House Executive Order 14028, Improving the Nation's Cybersecurity (May 2021), specifically requires SBOMs as part of software supply chain security for software sold to the federal government.
The Security Operations Center (SOC) in particular maps closely to the six core functions of NIST CSF:
For SOCs in particular, ADR helps fulfill the NIST CSF core functions at the application layer. It provides continuous visibility into the security behavior of the running software stack (Identify, Detect), flags anomalies that indicate security incidents (Detect), can automatically block or mitigate those threats (Protect, Respond), and gives highly contextual feedback to operations and development teams (Govern). ADR fills the AppSec gap left by network- and endpoint-focused detection and response tools by providing deep, real-time visibility and protection directly within the application layer; it complements those tools rather than replacing them.
ADR automatically generates detailed, real-time security blueprints of every application and API, including how they connect with each other. These blueprints help teams demonstrate alignment with NIST CSF 2.0 and with the regulations that reference it, while also enabling effective security governance across the organization.
Note: Please be advised that the information provided on this webpage is not intended to be legal advice. While we strive to ensure the accuracy and reliability of the information, we cannot guarantee the completeness or currency of it. Laws are subject to change, and we cannot be held liable for any actions taken based on the information provided here. If you need legal advice, please consult with a qualified professional.