The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the United States Chamber of Commerce that promotes standards, measurements, and technology to enhance economic competitiveness and support national security.
NIST plays a crucial role in the promotion of responsible cybersecurity and information-security practices across the United States. In 2014, NIST published its Cybersecurity Framework (CSF), which companies and government agencies use as a guidance document for mitigating IT and security risk.
In February 2024, NIST released a major update to the original CSF document. The new 2.0 edition of the CSF aims to provide a blueprint for all audiences, across industries and organization types, regardless of their current level of cybersecurity proficiency. This revision is the result of years of discussion and public analysis conducted to strengthen the effectiveness of the framework.
What’s new with NIST CSF 2.0?
The biggest change companies will recognize is the introduction of “govern” as the sixth pillar within the CSF framework. This expansion from the original five pillars of identify, protect, detect, respond, and recover reflects a shift toward strategic risk management and the growing relevance of cybersecurity within the business context.
Additional changes within NIST CSF 2.0:
- CSF 2.0 Reference Tool: This newly introduced reference tool provides a simpler way to implement the guidelines outlined by the CSF, allowing companies to browse, search, and export information from the CSF in human- and machine-readable formats.
- A focus on modern issues: In response to the changing nature of cybersecurity threats, the new version of the CSF highlights practices that can best mitigate newer risks. This includes emphasis on cloud security, identity and access management (IAM), privileged access management (PAM), supply chain risks, and threats associated with artificial intelligence.
- Continuous revisions: Version 2.0 of the CSF puts an emphasis on continuing to revise and update the document based on new threats and community feedback. The goal is to enhance the available resources and make the CSF useful to an even broader audience.
- Expanded scope: While the initial NIST CSF was focused on the protection of critical infrastructure, primarily referencing financial institutions, energy suppliers, and healthcare organizations, the updated NIST CSF 2.0 seeks to expand its scope to include all companies regardless of industry and size.
An increased emphasis on identity
The increased prevalence of identity-based attacks is hard to ignore. A 2023 CrowdStrike report found that 80% of malicious attacks involved compromised identity and credentials, and 77% of the security leaders surveyed for ConductorOne’s 2024 Identity Security Outlook Report said their organization suffered a cyberattack or data breach in the past year due to improper access or overprivileged users. So it’s no surprise that the recent NIST CSF update has an added focus on identity and access management. This reflects a growing recognition of IAM and PAM as key security imperatives for strengthening the security posture of organizations of all types.
IAM systems are essential in ensuring that only the right individuals have access to critical resources and entitlements within an organization. Adopting the right IAM policies enables companies to effectively manage digital identities—which can range from employee and customer identities to non-human entities such as devices and automated services—and secure against data breaches without sacrificing worker productivity, all while maintaining compliance with various frameworks and regulations.
As the number of managed identities within an organization continues to grow, so does the number of access privileges that need to be managed. With increasing SaaS and IaaS usage and numerous access types, identifying and removing overprivilege is a challenge many companies are struggling to solve. Incorporating effective PAM solutions, including just-in-time (JIT) access, can help mitigate the risks associated with overprivilege through monitoring, auditing, and time-bound control of user access, helping organizations enforce the principle of zero standing privileges.
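To make the JIT and zero-standing-privileges idea concrete, here is an added example (not ConductorOne's code or the CSF's own guidance) of a minimal time-bound grant model: every grant carries an expiry, an access review computes who can reach what at a given moment, and an audit flags privileged grants that never expire. The Grant fields, resource names, and identities are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed model of just-in-time (JIT) access grants: each grant is
# time-bound, so a privileged grant with no expiry is a standing privilege.
@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    privileged: bool
    granted_at: datetime
    expires_at: Optional[datetime]   # None = standing (never expires)
    revoked: bool = False

def is_active(grant: Grant, now: datetime) -> bool:
    """A grant confers access only inside its window and only if not revoked."""
    if grant.revoked or now < grant.granted_at:
        return False
    return grant.expires_at is None or now < grant.expires_at

def standing_privileges(grants: list[Grant]) -> list[Grant]:
    """Audit finding: privileged grants with no expiry violate zero standing privileges."""
    return [g for g in grants if g.privileged and g.expires_at is None and not g.revoked]

def effective_access(grants: list[Grant], now: datetime) -> dict[str, set[str]]:
    """What each identity can reach right now; the input to an access review."""
    access: dict[str, set[str]] = {}
    for g in grants:
        if is_active(g, now):
            access.setdefault(g.user, set()).add(g.resource)
    return access

# Constructed sample data (hypothetical identities and resources).
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("alice", "prod-db-admin", True, T0, T0 + timedelta(hours=2)),        # JIT, 2-hour window
    Grant("bob", "prod-db-admin", True, T0 - timedelta(days=400), None),       # standing admin access
    Grant("carol", "wiki-read", False, T0 - timedelta(days=30), None),         # standing, not privileged
    Grant("dave", "aws-root", True, T0 - timedelta(days=10), None, revoked=True),  # already revoked
]

if __name__ == "__main__":
    print([g.user for g in standing_privileges(SAMPLE_GRANTS)])            # ['bob']
    print(effective_access(SAMPLE_GRANTS, T0))                             # alice's JIT grant active
    print(effective_access(SAMPLE_GRANTS, SAMPLE_GRANTS[0].expires_at))    # alice's grant has lapsed
```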
NIST CSF 2.0 and ConductorOne
ConductorOne’s mission is to help companies secure identity regardless of what their access environment looks like or their current cybersecurity proficiency. We help our customers improve their security posture by automating access control and governance workflows and enabling time-based access.
Access Reviews: Using ConductorOne’s automated access reviews, customers can audit end-user access to cloud and on-prem apps and infrastructure with more accuracy and frequency, allowing teams to better manage risks associated with overprivileged and other high-risk access.
Access Controls: Effective, efficient access controls are essential for managing user access to privileged resources and permissions. ConductorOne makes it possible for customers to enforce just-in-time (JIT) access to any resource, which ensures users can get the access they need for as long as they need it while eliminating longstanding access to sensitive information.
Access Fabric: ConductorOne’s innovative data model provides full visibility into identity and access across all systems and infrastructure, allowing teams to easily surface access risks and apply access controls across their environment from one platform.
To learn more about ConductorOne and how we help companies align with the NIST CSF 2.0, explore our website or chat with us.