NIST CSF 2.0 and its Impact on Small Businesses

Updated: May 2, 2024

On February 26, 2024, the National Institute of Standards and Technology (NIST) released the long-awaited NIST Cybersecurity Framework (CSF) 2.0, a comprehensive high-level document that guides organizations in managing cybersecurity risk. The NIST CSF 2.0 departs from the previous release by adding small businesses to its target audience. In addition to updating its guidance, the NIST CSF 2.0 is published as a living online document, allowing for quick updates to address emerging technological trends and developments.

How does NIST CSF 2.0 impact small businesses?

Previous releases of the NIST CSF were aimed at large institutions, government agencies, the military, and national laboratories. The NIST CSF 2.0 expands its reach to other types of organizations, including small businesses, and serves as a starting point for small companies to launch their cybersecurity program. While all functions touch a small business, not all categories and subcategories are applicable. Understanding how the NIST CSF 2.0 framework fits an organization’s size, budget, and business practices is critical to successfully adopting the CSF and developing a cybersecurity program.

There is no formal requirement for small businesses to apply the CSF to their organization’s cybersecurity practices. The lack of a mandate might suggest that the CSF is a bureaucratic document that hinders businesses, especially small businesses, from growth and expansion. However, the NIST CSF 2.0 contains time-tested wisdom. Small businesses will benefit from using it as a checklist to design or tighten their cybersecurity profile and reduce cyber risk.

Update: On May 1, 2024, NIST released a Small Business Quick Start Guide. This resource is designed to help businesses manage and reduce their cybersecurity risks.

Why Does it Matter?

With the rapid change in the cybersecurity landscape, including emerging technologies, a growing number of threat actors, and geographical influences, the National Institute of Standards and Technology must be able to adapt as threats change. The NIST CSF 2.0 is flexible and prudent, with deep intellectual backing, and NIST can anticipate changes and adjust the framework rapidly. The most effective approach is a platform that balances education, thoughtful analysis, and quick updates. This is the main driver for releasing the NIST CSF 2.0 as an online resource.

So, what is NIST CSF 2.0?

The NIST CSF 2.0 provides guidance for organizations, e.g., industry, academia, government agencies, and now small businesses, in managing their cybersecurity risk. The framework helps organizations prioritize their cybersecurity goals and provides a roadmap to achieve them. It should be noted that the NIST CSF 2.0 is not a prescriptive step-by-step or how-to guide. Its approach is to lay out the outcomes of sound cybersecurity practice; the implementation details needed to reach an organization’s cybersecurity goals are left to the security practitioners within each organization.

The NIST CSF 2.0 is broken down into three components:

  1. The CSF Core
  2. The CSF Profiles
  3. The CSF Tiers

The CSF Core is a “hierarchy of functions, categories, and subcategories” detailing the desired cybersecurity outcomes.

The outcomes are broad and have multiple intended audiences. Ultimately, the outcomes help organizations prioritize and manage risks. Let’s take as an example “Detect,” which is one of six functions (“Govern,” “Identify,” “Protect,” “Detect,” “Respond,” and “Recover”). Detecting attacks and compromises involves discovering which systems have been compromised and analyzing the incident.

Detection can mean processing events that indicate an adversary is on the network. In that context, detection has categories and subcategories. One such pairing might be detecting a phishing campaign, with a subcategory covering how the phishing campaign was carried out and how to properly identify and quarantine the compromised system. The NIST CSF 2.0 does not prescribe a type of “email scanning” software or dictate how an organization implements detection and analysis. These tasks are left to the individual organizations.

The CSF Profile captures an organization’s cybersecurity posture (or “status”) based on the CSF Core analysis.

An organization’s “Profile” is understood as a moving window consisting of the Current Profile (“now”) and the Target Profile (“future”). The framework, as mentioned, supports a continuously improving approach to cybersecurity. Therefore, a dynamic view of an organization’s evolving profile is an important ingredient in the design of the CSF 2.0.

The CSF Tiers are a ranking that “characterize the rigor of an organization’s cybersecurity risk governance and management practices.”

If we break it down, an organization (from a tiering perspective) can sit in one of several tiers, i.e., (0) no cyber awareness, (1) partial awareness, (2) risk-informed, (3) repeatable, and (4) adaptive. An organization with no cyber awareness is the least desirable. On the other hand, an organization that can adapt to evolving environments is the most desirable. It is our opinion that most small businesses fall into Tier 1, and some are in Tier 2, but very few fall into the third or fourth tier.

What can we expect down the road?

As the NIST CSF 2.0 becomes more widely adopted and fine-tuned, we can expect it to become the gold standard for cybersecurity program development. While we cannot predict that adoption of the NIST CSF 2.0 will become the “law of the land” for small businesses (and in fact we are hesitant to take this view), we can certainly see a small business being asked about its adoption of the CSF when working with local, state, and federal agencies.

We’re here to help

Whether you have questions about NIST CSF 2.0, where to start in developing a cybersecurity program, how to tighten your current one, or how a cybersecurity risk assessment can benefit your small business, JLK Rosenberger can help. We have a trained cyber team ready to assist you, no matter where you are on your cybersecurity program journey. For additional information, call 949-860-9902 or click here to contact us. We look forward to speaking with you soon.