Compliance Standards Library

Understanding the Differences Between NIST CSF 1.1 and 2.0

  • Updated

What is the NIST Cybersecurity Framework (CSF)?

  • The NIST Cybersecurity Framework (CSF) provides guidelines to help organizations manage and mitigate cybersecurity risks. The framework is structured to be adaptable to various sectors and sizes of organizations, providing a standardized approach to cybersecurity across industries. Initially released in 2014, the framework fosters risk and cybersecurity management communications among internal and external organizational stakeholders. The framework is not prescriptive; it provides a common language for organizations to assess and improve their ability to prevent, detect, and respond to cyber incidents.

Why Was the Framework Updated?

  • The cybersecurity landscape continually evolves, with new threats and technologies emerging rapidly. To keep pace with these changes, NIST periodically updates the CSF. The transition from version 1.1 to 2.0 reflects an increased emphasis on governance, expanded supply chain risk management guidelines, and the integration of more flexible and updated resources and tools.

Key Changes in NIST CSF 2.0

  1. Introduction of GOVERN Function:
    • CSF v2.0 introduces a new function called GOVERN, which includes categories such as Organizational Context, Risk Management Strategy, Roles, Responsibilities, Authorities, Policy, Oversight, and Cybersecurity Supply Chain Risk Management.
  2. Refinement of Categories and Subcategories:
    • Many existing categories and subcategories have been refined for better clarity and alignment with current cybersecurity practices. For instance, Identity Management, Authentication, and Access Control (PR.AA) have been separated from Identity Management and Access Control (PR.AC).
  3. Addition of New Subcategories:
    • To address emerging cybersecurity needs, new subcategories have been added across various functions. Examples include subcategories in GOVERN like GV.RM-07 (Strategic opportunities) and GV.SC-10 (Supply chain security practices integrated into cybersecurity programs).
  4. Enhancements in Existing Functions:
    • Existing functions such as IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER have seen enhancements with new subcategories and better structuring of existing ones to improve usability and comprehensiveness.

This detailed comparison highlights the significant evolution in NIST CSF from version 1.1 to version 2.0, reflecting the dynamic nature of cybersecurity and the need for robust governance and supply chain risk management practices.

Enhanced Profiles and Tiers

CSF 2.0 also expands on the concept of Organizational Profiles and Tiers. These tools help organizations describe their current and target cybersecurity postures and assess their progress. The Tiers characterize an organization’s cybersecurity practices rigor, with a clear path from "Partial" to "Adaptive" practices.

Supply Chain Risk Management

There is a stronger focus on supply chain risk management. The framework provides detailed outcomes for identifying, managing, and mitigating risks throughout the supply chain.

Continuous Improvement and Integration

The framework now emphasizes continuous improvement and better integration with enterprise risk management (ERM). This aligns cybersecurity risk management more closely with broader organizational risk management practices.

Number of Changed Controls

CSF 2.0 introduces several new subcategories and modifies existing ones to provide more detailed and actionable guidance. While the exact number of changes can vary depending on the implementation context, the introduction of the "Govern" function alone adds multiple new subcategories.

Most Relevant Changes

  1. Govern Function: Establishes and communicates cybersecurity risk management strategy and policies, emphasizing governance.
  2. Supply Chain Risk Management: Detailed guidance on managing cybersecurity risks in the supply chain.
  3. Enhanced Profiles and Tiers: Improved tools for assessing and improving cybersecurity posture.
  4. Continuous Improvement: Focus on integrating cybersecurity with enterprise risk management and maintaining continuous improvement cycles.

How does this affect Vanta Users?

For Vanta users, migrating to CSF 2.0 ensures their cybersecurity practices align with the latest industry standards and best practices. This transition can enhance their ability to manage cybersecurity risks effectively, improve governance, and integrate cybersecurity with overall business objectives.

Next Steps for Migrating to CSF 2.0

  1. Plan Your Migration: Begin by understanding your current cybersecurity posture. Utilize the compliance percentages provided by the Vanta platform to assess where you currently stand.
  2. Decide When to Migrate: While you can migrate at any time, it’s beneficial to determine a specific timeline for transitioning your NIST CSF program from version 1.1 to 2.0. This planning will help ensure a smooth migration process.
  3. Initiate Migration: When ready, initiate the migration by clicking the "Migrate Now" button on the specific NIST CSF framework page. This will start the transition process to CSF 2.0.
  4. Implement the Govern Function: Plan to integrate the additional controls introduced in the new Govern function. This function is crucial for establishing and maintaining comprehensive cybersecurity governance.
  5. Integrate Additional Controls: CSF 2.0 includes several new controls. Ensure that your implementation plan addresses these new requirements and that your team understands the necessary changes and implications.

Need Help?

If you need assistance migrating to CSF 2.0, don't hesitate to contact our support team,; We are here to help you navigate these changes and ensure your cybersecurity practices remain robust and effective.