Two Truths and a Lie: Getting to Know the NIST CSF 2.0

Two Truths and a Lie: Getting to Know the NIST CSF 2.0

The much-anticipated National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) version 2.0 draft is live online for public review and feedback. The original CSF outlined five core functions to reduce cybersecurity risks: Identify, Protect, Detect, Respond, Recover. Functions are further described with categories related to specific cybersecurity outcomes, and associated subcategories geared toward technical and management outcomes.

The team behind the CSF 2.0 revisions spent more than a year associating new ideas and potential updates with other government officials, industry proponents, and cybersecurity solution providers. The most significant changes to the 2.0 version include an additional “Govern” function, as well as Implementation Examples and Informative Resources.

The NIST CSF 2.0 has 6 explicit goals:

  1. Recognize broad use of the Framework
  2. Relate CSF to other Frameworks and resources
  3. Increase guidance on CSF implementation
  4. Emphasize cybersecurity governance
  5. Emphasize cybersecurity supply chain risk management
  6. Clarify understanding of cybersecurity measurement and assessment

With these overarching goals in mind, below are two truths and a lie about the latest 2.0 draft.

Truth #1: NIST 2.0 Applies to Operational Technology (OT)

The framework applies to all information technology (IT), the Internet of Things (IoT), and operational technology (OT) used by an organization. OT is an umbrella term for the hardware and software that detects or causes a change through the direct monitoring or control of physical devices, processes and events in the industrial environment. OT security is often a proprietary, case-by-case distinction based on the context of the process, good, service, or resource at hand. With respect to the new “Govern” function in the Framework, now is the time for organizations to establish and monitor their OT cybersecurity risk management strategy, expectations, and policy.

OT cybersecurity aims to prevent attacks that target industrial, process control equipment and IoT technologies that read data, execute logic, and send outputs back to machines and equipment. Today there are thousands of known product vulnerabilities in OT (and IoT) systems from each vendor that produces machines and equipment in those categories. It is increasingly difficult to contextualize risk to industrial environments —based on specific products, services, resources, processes, and technologies – without network visibility and understanding of existing controls and mitigations, technical dependencies and organizational interdependencies.

Truth #2: CSF 2.0 Can be Harmonized with Other Regulations

The CSF 2.0 is organized to introduce users to six comprehensive segments for building and maintaining robust and mature cybersecurity programs. The Framework does not exceed or replace, and can be a complementary roadmap for, the adoption of any other existing regulation or guidelines. This reality aligns with the newly debuted U.S. National Cybersecurity Strategy, which notes that “our strategic environment requires modern and nimble regulatory frameworks for cybersecurity tailored for each sector’s risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the cost of implementation.”

Version 2.0 references the following existing and evolving resources:

  • NIST Privacy Framework
  • NICE Workforce Framework for Cybersecurity (SP 800-181)
  • Secure Software Development Framework (SP 800- 218)
  • Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161r1)
  • Performance Measurement Guide for Information Security (SP 800-55)
  • Integrating Cybersecurity and Enterprise Risk Management (NIST IR 8286) series
  • Artificial Intelligence Risk Management Framework (AI 100-1)

The CSF 2.0 can be associated with existing federal, state and local standards and regulations, like the Cybersecurity and Infrastructure Security Agency (CISA) Cyber Performance Goals (CPGs), or the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards, for example. An initial public draft of the NIST SP 800-82 Rev. 3, “Guide to Operational Technology (OT) Security) was also released in April 2022. This guide specifically relates many of the NIST CSF categories to the scope of OT and ICS, including deeper assessment for OT risk management, recommended practices, and architectures.

Lie: NIST CSF 2.0 is Increasingly Prescriptive

Per the 2.0 draft, “the Framework does not prescribe how outcomes should be achieved.” The revision includes hundreds of relevant Implementation Examples – actions, activities, and measures taken to introduce security policies and controls per subcategory within each function, organized by category. For example, “constantly monitor networks to detect new hardware and automatically update inventories” is an Implementation Example for the Function: Identify, Category: Asset Management, Subcategory 01: “inventories of hardware managed by the organizations are maintained.”

Implementation Examples are meant to be action-oriented processes to achieve CSF Subcategories in an effort to produce more enhanced security outcomes and more defensible organizations. Organizations would be remiss to think the Implementation Examples must perfectly match their operations to be useful. They should be chosen based on maturity, existing strategies and mitigations, criticality and resource constraints. The current examples and references are open for industry and stakeholder feedback.


As a global solution provider of industrial cybersecurity products, we have witnessed robust implementation of the NIST CSF since our founding in 2013, with national and international customers widely adopting the Frameworks’ Categories and Subcategories to outline and guide risk management programs. Nozomi Networks commends the National Institute of Science and Technology (NIST) for its continued efforts to equip global industries with consistent and coherent guidance and reference material for cybersecurity activities, goals, and risk management priorities.

The Cybersecurity Framework represents a pillar in the cybersecurity community, and it is incredibly important to underscore the broad applicability and utility of the CSF to date. Working primarily with owners and operators with a wide array of industrial control systems and operational technologies, we see a vital role to identify, protect, detect, respond, and recover from cyber incidents based on deep understanding of legacy technology and asset inventories, vulnerability mapping and management, threat intelligence and detection, and broader situational awareness and anomaly detection for data rich, information poor environments.

As all sectors strive to close cybersecurity gaps, reorient change management, and drive holistic cybersecurity coverage across industrial and hyper-connected organizations, there are four focused investments that cover the outcomes outlined in NIST CSF 2.0:

Category 1 – Network Visibility

You can’t protect or investigate components without knowing their status. Assets cannot be protected without the necessary visibility into their day-to-day functionality.

Category 2 – Vulnerability Management

Vulnerabilities do not always come with adequate, timely, and feasible patches and updates. It’s more important than ever to understand existing vulnerabilities in the context of your networks and operations.

Category 3 – Cyber Threat Intelligence

Threat actors are targeting OT and ICS. It is necessary to track and map threat actors, ransomware and commodity malware, and zero days that continue to threaten operational technology and critical infrastructure.

Category 4 – Increased Situational Awareness

Components and connections continue to increase with multiple vendor systems and integrations. Behavioral analysis is a solution for gaining better situational awareness for contextual real-time changes and deviations for proactive security.