Navigating the Update: Implementing NIST CSF 2.0 in Higher Education
Publication Date: November 15, 2024
Authors: Morgan Mincy, CPA, Manager – Baker Tilly
Mike Cullen, CISA, CISSP, CIPP/US, CCP, Principal – Baker Tilly
Since the National Institute of Standards and Technology (NIST) published the first version of the Cybersecurity Framework (CSF) in 2014, primarily for critical infrastructure organizations, many organizations have implemented the framework to guide and improve their cybersecurity programs. Over the last decade, evolving cyber threats and the framework's wide adoption across industries have led NIST to publish CSF version 2.0 this year.
The higher education industry has embraced NIST CSF, and colleges and universities use the framework as a foundation for their cybersecurity programs. With numerous changes in version 2.0, institutions should develop a plan to incorporate the updated safeguards into their cybersecurity programs.
What is NIST CSF?
The NIST CSF is a risk-based framework that provides organizations with leading practices and guidelines to implement an effective cybersecurity program. Higher education, like many other industries, has adopted NIST because of its non-prescriptive safeguards that allow adaptability and flexibility in the complex higher education IT environment.
Unfortunately, there is no genie in a bottle or snap of the fingers that will enable any college or university to instantly implement all NIST CSF controls and maintain a perfect cybersecurity program. Implementing NIST CSF requires time, effort, resources, and dedication to creating a strong cybersecurity program.
To learn more about the specific changes from version 1.0 to 2.0, please read "NIST publishes major revision to Cybersecurity Framework (CSF): What organizations need to know."
Challenges of Implementing NIST CSF in Higher Education
Higher education institutions face several challenges when implementing any framework, including NIST CSF 2.0, as the foundation for IT controls, governance and protections. Specifically, there are four common challenge areas:
- Distribution of IT systems, people, and processes
- Allocation of people and funding resources
- Balancing openness with security
- Training and awareness
Due to the historical distribution of IT that typically occurs in higher education, driven by diverse IT needs and funding structures used to operate a modern institution, implementing any framework to align IT practices across many units and people is extremely difficult.
Additionally, the resource shortage, including skilled personnel and funding constraints, both common issues in higher education, leaves few staff members available to implement and enforce safeguards, assuming there is even budget allocated for technological maintenance and updates.
Another challenge of implementing any cybersecurity framework is tied to the unique mission of higher education to openly create and distribute knowledge. Specifically, for researchers and professors, there is an inherent tension between the desire to share research and information with students, other faculty, and staff within the institution, as well as with the broader academic and research community across the globe, and the need to protect university data, intellectual property, and any funded or sponsored data.
Furthermore, the variety of stakeholders across the institution means that more people, typically the weakest link in cybersecurity, must receive basic training and awareness on cybersecurity threats and actions they need to take. This includes distributed IT personnel across departments or units, system business owners and data stewards, faculty, staff, and researchers handling sensitive or protected information. Even when controls and processes are perfectly designed, without buy-in and behavior changes from stakeholders, followed by training on relevant processes and policy requirements, successful implementation is unlikely.
The challenges above will still exist, but NIST CSF 2.0 now includes a governance section to help organizations facilitate a consistent approach to managing cyber risks and the cybersecurity program.
The Impact of the New Governance Section
In contrast to NIST CSF 1.0, where aspects of governance were woven throughout but never fully encapsulated, NIST CSF 2.0 dedicates an entire function (i.e., a control family or domain) to governance, emphasizing the importance of addressing cybersecurity risks at the enterprise level with a strategic decision-making approach.
While some of the subcategories (i.e., safeguards) existed previously, the new governance function includes updated categories (i.e., groups of safeguards), such as organizational context, risk management strategy, roles, responsibilities and authorities, policy, oversight, and cybersecurity supply chain risk management. Particularly important for higher education are the categories of organizational context and roles, responsibilities, and authorities. These categories can help clarify and define roles among distributed IT resources, improving areas where responsibilities may be unclear. If not already in place, the organizational context category can facilitate conversations between IT and institutional leaders to develop a holistic understanding of user expectations, legal and regulatory requirements, and alignment of the institution's mission and IT goals.
Another benefit of the new governance section is enhanced accountability and reporting, which should help alleviate some of the administrative challenges faced by IT in higher education. With three subcategories focused on using the results of organization-wide cybersecurity risk management activities to inform and improve the strategy, IT functions will be encouraged to think strategically about how to best manage risks and identify measures to evaluate the effectiveness of those strategies. This higher-level strategic focus should encourage distributed IT leaders to align on metrics, increasing accountability and transparency across distributed units by reporting on metrics and results of risk management activities.
While the governance section cannot solve all the common challenges in higher education, it serves as a catalyst to enhance the communication and alignment of IT operations.
Other changes in NIST CSF 2.0
As noted above, the governance section is a key difference in the new version, but there are other updates and additions to pay attention to prior to starting an audit – such as the addition of new NIST categories. The following are new or updated categories introduced in NIST CSF 2.0:
- ID.IM – Improvement
- PR.AA – Identity Management, Authentication, and Access Control
- PR.PS – Platform Security
- PR.IR – Technology Infrastructure Resilience
- RS.MA – Incident Management
- RC.RP – Incident Recovery Plan Execution
For example, PR.IR – Technology Infrastructure Resilience is a new category focused on ensuring that security architectures are managed using the organization's risk strategy to protect its assets, systems, and data. While this may have been implied in the previous version, NIST CSF 2.0 explicitly emphasizes the importance of redundancy to ensure that backup systems or components are in place to maintain continuous operations and minimize downtime, aligning with modern security architecture best practices.
Beyond the governance section and new categories, NIST CSF 2.0 also offers an expanded scope, making it more applicable and adaptable to all organizations, rather than focusing solely on critical infrastructure. This includes enhanced guidance for integrating with other frameworks (e.g., the NIST Privacy Framework), updated protection controls to align with modern technology (e.g., cloud platforms, multi-factor authentication), and revamped response and recovery functions to better address cybersecurity incidents.
These updates, along with the governance section and new categories, promote proactive adoption and continuous improvement of cybersecurity practices to better protect an institution’s assets and information.
Auditing with NIST CSF 2.0 in Higher Education
Since NIST CSF 2.0 was only recently published, when should institutions be ready for an audit using this framework? This will depend on each institution’s unique environment. However, starting with a gap assessment can be a great way to jumpstart the implementation. It can help IT identify which controls are already implemented and functioning well and where gaps or weaknesses exist in the cybersecurity program.
As discussed earlier, a challenge with implementing NIST CSF 2.0 or any framework in higher education is the distribution of IT. For this reason, when starting on a NIST CSF 2.0 gap assessment or audit, it is important to scope the project appropriately. Controls can be implemented at the enterprise level, the department level, or a hybrid of both. Part of scoping will involve determining whether specific departments should be evaluated and who is responsible for owning and implementing each control process.
To fully assess an institution's cybersecurity protections, any audit or assessment should evaluate distributed IT departments, or at least a sample of units. Evaluating both centralized IT and distributed IT units provides detailed results, helping identify gaps and strengths across the institution and thus offering a more complete view of the cyber risk landscape.
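The scoping decision described above (enterprise-level, department-level, or hybrid ownership of each control process) determines which units an assessor has to look at for each category. The following is an added example, not code from the article or from Baker Tilly, of a small gap-assessment roll-up that applies that scoping rule across central IT and a sample of distributed units. The unit names, the ownership assignments, and the recorded statuses are constructed sample data; the category identifiers are the ones the article lists, plus GV.OC and GV.RR, which are the CSF 2.0 identifiers for the organizational context and roles/responsibilities/authorities categories the article names by title.

```python
"""Roll up NIST CSF 2.0 gap-assessment results across central and distributed IT units.

Added illustration; the ownership model and unit data below are constructed, not from the article.
"""
from dataclasses import dataclass, field

# Implementation status an assessor records per unit and per category.
IMPLEMENTED = "implemented"
PARTIAL = "partial"
MISSING = "not_implemented"

# Scoping decision: who owns the control process for a category.
ENTERPRISE = "enterprise"   # central IT implements it for the whole institution
DEPARTMENT = "department"   # each distributed unit implements its own
HYBRID = "hybrid"           # central baseline plus unit-level pieces; both must hold

CENTRAL_UNIT = "Central IT"  # assumed name of the centralized IT unit

# Constructed ownership map for a subset of CSF 2.0 categories.
OWNERSHIP = {
    "GV.OC": ENTERPRISE,  # Organizational Context
    "GV.RR": ENTERPRISE,  # Roles, Responsibilities, and Authorities
    "PR.AA": HYBRID,      # Identity Management, Authentication, and Access Control
    "PR.PS": DEPARTMENT,  # Platform Security
    "PR.IR": ENTERPRISE,  # Technology Infrastructure Resilience
    "RS.MA": ENTERPRISE,  # Incident Management
    "RC.RP": HYBRID,      # Incident Recovery Plan Execution
}

# Constructed assessment results: unit -> category -> status.
# A category that a unit was not assessed on is treated as a gap, not skipped.
RESULTS = {
    CENTRAL_UNIT: {"GV.OC": IMPLEMENTED, "GV.RR": PARTIAL, "PR.AA": IMPLEMENTED,
                   "PR.IR": IMPLEMENTED, "RS.MA": IMPLEMENTED, "RC.RP": IMPLEMENTED},
    "College of Engineering": {"PR.AA": IMPLEMENTED, "PR.PS": PARTIAL, "RC.RP": MISSING},
    "Research Computing": {"PR.AA": IMPLEMENTED, "PR.PS": IMPLEMENTED},
}


@dataclass
class GapReport:
    gaps: dict[str, list[str]] = field(default_factory=dict)  # category -> units with a gap
    strengths: list[str] = field(default_factory=list)        # categories with no gap
    checks: int = 0                                           # (category, unit) pairs examined
    passed: int = 0                                           # pairs recorded as implemented

    @property
    def coverage(self) -> float:
        """Fraction of in-scope checks that are fully implemented."""
        return self.passed / self.checks if self.checks else 0.0


def units_in_scope(category: str, ownership: dict, results: dict, central: str) -> list[str]:
    """Return the units whose status counts for this category, per the scoping decision."""
    distributed = [u for u in results if u != central]
    model = ownership[category]
    if model == ENTERPRISE:
        return [central]
    if model == DEPARTMENT:
        return distributed
    return [central] + distributed  # HYBRID: central baseline and every sampled unit


def assess(ownership: dict, results: dict, central: str = CENTRAL_UNIT) -> GapReport:
    """Build a gap report; any status other than 'implemented' (including unassessed) is a gap."""
    report = GapReport()
    for category in ownership:
        failing = []
        for unit in units_in_scope(category, ownership, results, central):
            report.checks += 1
            status = results.get(unit, {}).get(category, "not_assessed")
            if status == IMPLEMENTED:
                report.passed += 1
            else:
                failing.append(unit)
        if failing:
            report.gaps[category] = failing
        else:
            report.strengths.append(category)
    return report


def summarize(report: GapReport) -> list[str]:
    """Render the report as lines suitable for an audit workpaper."""
    lines = [f"Coverage: {report.passed}/{report.checks} checks implemented ({report.coverage:.0%})"]
    lines += [f"GAP {cat}: {', '.join(units)}" for cat, units in report.gaps.items()]
    lines += [f"OK  {cat}" for cat in report.strengths]
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(assess(OWNERSHIP, RESULTS))))
```

Treating an unassessed unit as a gap rather than ignoring it is deliberate: when only a sample of distributed units is evaluated, silently skipping a unit that was in scope but never reviewed would overstate coverage.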
Next Steps to Take
Institutions should take strategic action to address the updates in NIST CSF 2.0. Potential next steps include:
- Convene relevant stakeholders (e.g., information security, audit, distributed IT, IT governance) to discuss adopting NIST CSF 2.0.
- Develop a road map to implement or improve cybersecurity safeguards based on NIST CSF 2.0.
- Perform an assessment or audit of the cybersecurity program using NIST CSF 2.0.
- Update cybersecurity safeguards based on gaps and recommendations identified by the assessment or audit.
For more information about NIST CSF 2.0, or to learn how Baker Tilly’s higher education cybersecurity specialists can help your institution, contact our team.
About the Authors
Morgan Mincy
Morgan Mincy is a Manager with Baker Tilly within the Risk Advisory practice. She has experience providing cybersecurity and IT control assessments (e.g., CMMC, NIST, CIS CSC), risk assessments, internal control reviews, cybersecurity assessments, and process reviews to assist a variety of organizations, large and small, in achieving their internal audit objectives and enhancing their overall cybersecurity posture. Her clients have included primarily higher education institutions, research institutions, government contractors, and not-for-profit organizations. Morgan is a Certified Public Accountant (CPA) and Certified Information Systems Auditor (CISA).
Mike Cullen
Mike Cullen is a principal with Baker Tilly, a national accounting and advisory firm. Mike is the higher education cybersecurity and IT risk leader for the firm. For over 20 years, he has worked with a variety of higher education institutions of various sizes and complexity, leading myriad cybersecurity and IT assessments, audits, and advisory projects, including evaluating information privacy and cybersecurity programs, testing compliance, and performing ethical hacking.