Governance, zero trust, and data-in-use: What you need to know about NIST CSF 2.0

Governance, zero trust, and data-in-use: What you need to know about NIST CSF 2.0
Bobbie Chen
Senior Product Manager
Published on
Apr 25, 2024
NIST recently released version 2.0 of their Cybersecurity Framework (CSF), the first major update since 2014. It’s a dense 32-page successor to the 55-page CSF 1.1 document, so I summarized the changes for you: as a security practitioner, what do you need to know?

NIST recently released version 2.0 of their Cybersecurity Framework (CSF), the first major update since 2014. It’s a dense 32-page successor to the 55-page CSF 1.1 document, so I summarized the changes for you: as a security practitioner, what do you need to know?

What is the NIST Cybersecurity Framework?

The National Institute of Standards and Technology (NIST) is a US government agency that develops standards to support innovation and industry. The NIST Cybersecurity Framework helps organizations reduce cybersecurity risks by providing common language and guidance.

In 2021, Statista reported that 47% of surveyed organizations worldwide used the NIST CSF as part of their controls. Although the NIST Cybersecurity Framework is only mandatory for US federal agencies, it is also widely used in industry. Enterprises as varied as JPMorgan Chase, Amazon, Pfizer, and the US Department of Defense (DoD) all use the NIST CSF, and will often require similar controls for any partners or vendors. That’s why it is important to understand the changes in version 2.0 of the NIST CSF.

In version 2.0, the NIST CSF expands its scope from critical infrastructure to all organizations. It also features improvements that reflect feedback from practitioners as well as changes in the cybersecurity landscape. At a glance, there are a lot of changes, but on a closer look many of them are shuffling around or rephrasings of the old concepts. 

Here are four notable changes to pay attention to: 

  • Governance
  • Supply chain risk 
  • Zero trust
  • Data-in-use

Governance gets dedicated attention

The original CSF Core included five main groups to categorize cybersecurity outcomes: Identify, Protect, Detect, Respond and Recover. CSF 2.0 adds Govern, which recommends that “The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.”

This is not entirely new content. Many of the subcategories of the Govern group were actually included in previous versions of the CSF under Identify. But the extra attention makes a difference: Governance is acknowledged as a first-class concern, which is separate from the work of identifying risks and breaches. 

By separating out the Govern function, NIST emphasizes the intended role of cybersecurity within an organization. Rather than being a gatekeeper or box-ticker, cybersecurity should be deeply integrated into an organization. In order to govern, cybersecurity practitioners need to communicate clearly with other stakeholders and be able to define and enforce policies. 

Increased risk management for cybersecurity supply chains

When someone says “cybersecurity supply chain risk”, we often think of incidents like Log4J or the terrifyingly-subtle `xz` backdoor from last week, and rush to lock down dependency management or prevent typosquatting attacks. But the NIST CSF has always been clear that the cybersecurity supply chain extends beyond software packages, and CSF 2.0 adds even more content.

Just like the supply chain of the physical world, the cybersecurity supply chain includes the entire ecosystem of suppliers, integrators, vendors, and partners. Does your risk management posture include the risk of insider threats from your own systems integrators or direct employees? How about breaches of your vendor that supplies source code management or CI/CD pipelines?

As part of the new release, NIST has created a Quick Start Guide for Cybersecurity Supply Chain Risk Management (C-SCRM) that provides a high-level overview of the process. For more in-depth guidance, NIST SP 800-161 is the 300-page super-guide for implementing C-SCRM. 

I predict that NIST’s guidance will influence existing and future standards like the Cybersecurity Maturity Model Certification (CMMC), which is required for any vendor selling to the US DoD. It also echoes regulation like the European Union’s Digital Operational Resilience Act (DORA) and the United Kingdom’s PRA SS2/21, which both mandate vendor risk management for financial institutions, and will influence future risk management regulation.

Zero trust is mainstream

Today in 2024, ten years after the first version of the CSF was published, there are a lot more enterprises using the cloud and employees working remotely - it makes sense that zero trust should make an appearance. But a quick “Cmd-F” of the NIST CSF 2.0 doc will not find a single mention of “zero trust”, so what am I talking about?

“Zero trust” states that you should not implicitly trust users or service identities just because they originate from a particular device or are connected to a specific network. Instead, authentication and authorization is always needed to confirm identities and their permissions. 

Back in 2014, version 1.0 of the CSF had some items that implied trust based on the environment alone. For example, PR.AC-5 explicitly mentioned network segregation as a way to protect “network integrity”. That has completely disappeared in CSF 2.0; the closest item now is PR.IR-01: “Networks and environments are protected from unauthorized logical access.” 

I see this as a signal that zero trust is mainstream. Looking at the CSF 2.0’s PR.AA section, each subcategory emphasizes zero trust principles: the importance of authenticating user and service identity, verifying identity assertions and credentials, and managing the associated access policies. The ideas have won; the buzzword “zero trust” no longer needs to be said.

Data-in-use is a rising concern

Finally, the NIST CSF 2.0 mentions data-in-use through PR.DS-10: “The confidentiality, integrity, and availability of data-in-use are protected.” This item joins PR.DS-1 (at-rest) and PR.DS-2 (in-transit), completing the holy trinity of data protection. 

Data-in-use refers to data that is present in memory while it is being processed by an application. By default, this data is in cleartext, leaving it vulnerable to memory-scraping or memory-dumping attacks. As I’ve previously mentioned, these attacks are not theoretical; they are exploited in the wild today, including by state-sponsored actors, according to the US Cybersecurity and Infrastructure Agency.

Previously, data-in-use was considered to be impractical to protect, and it was an accepted risk. You could use mitigating controls like access control policies and disabling swap memory to reduce your risk, but ultimately these mitigations could be bypassed. 

The inclusion of data-in-use in CSF 2.0 shows that it is time to face the problem head-on. It is now practical to protect data-in-use directly, using techniques like Confidential Computing. NIST joins organizations like the United Kingdom’s National Cyber Security Centre (NCSC) and the Monetary Authority of Singapore, who all recommend that organizations protect data-in-use. 

How Anjuna helps you meet CSF 2.0 standards

Now let’s go in reverse order:

Protecting data-in-use: Anjuna Seaglass is the first and only Universal Confidential Computing Platform. You can protect your data-in-use using secure enclaves in just minutes, in any major cloud or on-premises, with no code changes. Confidential Computing is the most practical way to protect data-in-use (yes, better than fully-homomorphic encryption or zero-knowledge proofs), and we have been making it easy for enterprises to secure their applications and data since 2018. 

Zero trust: Anjuna Seaglass enables the pinnacle of zero-trust authentication: cryptographic remote attestation. By using Anjuna Seaglass, you can use the hardware-backed “fingerprint” of the exact application code for service authentication, instead of dealing with easily-stolen certificates or tokens.

Risk management: Anjuna Seaglass stops insider threats using Confidential Computing. That’s why our customers are able to safely migrate to the cloud and use AI for data collaboration with partners: the risk of insider threats at the cloud service provider or partner are mitigated using Anjuna Seaglass.

Governance: Anjuna Seaglass directly improves governance through the Anjuna Policy Manager (APM), which ensures that only trusted code can access sensitive data through application-level trust policies. In our role as trusted advisors, we also help organizations improve their overall security posture; in any large enterprise, we meet key stakeholders in Architecture Review Boards (ARBs) or Centers of Excellence (CoE) and help them understand how Confidential Computing fits into their existing and future strategy. 

In conclusion, the NIST CSF 2.0 brings several major improvements over the previous iteration, including major themes of governance, supply chain risk, and zero trust; and a mention of the rising importance of securing data-in-use. These changes reflect the world of 2024 and will influence other security standards worldwide. 

The guidance of NIST CSF 2.0 aligns with what Anjuna can offer you, because we have invested years of work to meet the security needs of our customers. To learn more about Anjuna and our Seaglass platform, you can schedule a live demo or for more hands-on technical folks, sign up for our free trial.

More like this
Get Started Free with Anjuna Seaglass

Try free for 30 days on AWS, Azure or Google Cloud, and experience the power of intrinsic cloud security.

Start Free