Cybersecurity Maturity: Revisions to the NIST Cybersecurity Framework Explained
The National Institute of Standards and Technology (NIST) has released its eagerly awaited version 2.0 of the Cybersecurity Framework (CSF). This update isn't a minor tweak; it is a significant overhaul of the previous v1.1.
So, what's changed? In addition to the core functions of Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC), NIST has introduced a sixth core function: Govern (GV). Govern gives organizations a clear pathway for achieving the outcomes described by the subcategories in each of the other functions. NIST CSF v1.1 was already solid, with its 5 functions, 23 categories, and 108 subcategories; the updated NIST CSF v2.0 takes it up a notch with 6 functions, 22 categories, and 106 subcategories.
The new categories in 2.0 cover organizational context, roles and responsibilities, and oversight, while the revised categories include policy, risk management strategy, cybersecurity supply chain risk management, platform security, and technology infrastructure resilience.
Assessing Cybersecurity Maturity Leveraging CMMI
One of the standout features of the NIST CSF is that the maturity of each subcategory can be assessed using a Capability Maturity Model Integration (CMMI) score. CMMI is a globally recognized framework for improving organizational processes, providing a structured approach to evaluating and enhancing maturity levels. By pairing CMMI scoring with the NIST CSF, organizations gain a detailed understanding of how effective and mature their cybersecurity practices are.
With CMMI scores, organizations can systematically evaluate each of the framework's subcategories. This evaluation pinpoints strengths and areas needing improvement, enabling a focused approach to advancing cybersecurity capabilities. The CMMI maturity levels range from Initial (Level 1) to Optimizing (Level 5), allowing organizations to track their progress and set realistic goals for improvement.
Benefits of Maturity Assessment
This integrated approach offers several key benefits:
- Detailed Insight: Organizations can zero in on specific areas of their cybersecurity posture that need attention.
- Strategic Planning and Budgeting: Clear maturity levels help craft targeted improvement strategies.
- Continuous Improvement: The framework encourages ongoing assessment and refinement of cybersecurity practices.
- Benchmarking: Organizations can compare their maturity levels against industry standards and peers, gaining a competitive edge.
In summary, NIST CSF v2.0, with its added Govern function, offers organizations a comprehensive and structured method for improving their cybersecurity posture. This approach not only gives a clear picture of current capabilities but also supports strategic planning and continuous improvement, both essential for tackling the ever-evolving landscape of cybersecurity threats.
--
Harsheet Ratra is a strategic cybersecurity leader whose standout strength is his ability to bring stakeholders from the first and third lines of defense together with efficiency and acumen. With over a decade of experience, his skills include conducting thorough risk assessments, highlighting key risks, and establishing strong control frameworks.