THE EVOLUTION OF CYBER RISK MANAGEMENT THROUGH THE PRISM OF THE NIST CYBERSECURITY FRAMEWORK
DOI: https://doi.org/10.28925/2663-4023.2025.30.980

Keywords: NIST CSF 2.0, cybersecurity, risk management, information security, cybersecurity policy.

Abstract
The article provides a comprehensive analysis of the evolution of the NIST Cybersecurity Framework from its initial version 1.0 to the current version 2.0. It highlights the background to the creation of the framework, its place in international practice, and its key role in improving the cyber resilience of organizations of all sizes, from small companies to global corporations and government agencies. It examines in detail the features of the previous editions: CSF 1.0, which laid the foundation in the form of five core functions (Identify, Protect, Detect, Respond, Recover), and CSF 1.1, which clarified approaches to supply chain risk management and made the framework easier to apply. It is shown that the transition to CSF 2.0 in 2024 was a qualitatively new stage of development, since the new version focuses not only on technical aspects but also on strategic corporate governance. Among the key innovations are the Govern function, which formally establishes management responsibility, expanded opportunities for integration with international standards, improved performance metrics, and an increased focus on supply chain risk management. The specifics of an organization's transition to CSF 2.0 are analyzed separately: analyzing the gaps between the current state of security and the new requirements, forming policies, building an implementation strategy, applying automation and Zero Trust tools, and training personnel. It is emphasized that successful adaptation depends on support from senior management, the formation of a security culture, and continuous improvement of procedures. The article also considers the Ukrainian context, where the implementation of CSF 2.0 is supported at the state level by the State Service of Special Communications and Information Protection of Ukraine and with the participation of international partners.
The practical value of the study lies in the possibility of using its conclusions and recommendations to develop long-term cyber risk management strategies in both the public and private sectors.
License
Copyright (c) 2025 Ярина Захарова, Андрій Партика

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.