Clifton, NJ - April 10, 2024 - Today, the Cybersecurity Coalition for Education and Advisory Council is excited to announce the immediate availability of the following:

  • Cybersecurity Rubric 2.0
  • Updated training on Cybersecurity Rubric 2.0
  • Updated training for Certified Cybersecurity Rubric Evaluators (CCREs) related to Cybersecurity Rubric 2.0

Background

The Cybersecurity Rubric self-assessment toolkit and related training were created and released in April 2023. These resources are based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) v1.1, which was released in 2018.

After many months of public comments and improvements, the National Institute of Standards and Technology (NIST) released the Cybersecurity Framework 2.0 (CSF 2.0) on February 26, 2024. The update clarified some of the existing CSF categories and added a new governance category to the framework. Through this update, CSF 2.0 better connects organizational leadership with cybersecurity risk management, an essential shift as cybersecurity continues to be a growing concern at the cabinet level and in board rooms.

The Cybersecurity Coalition for Education contributed to the development of these CSF 2.0 improvements and immediately incorporated them into our work and resources.

What's New With CSF 2.0?

There are two main changes from v1.1 to v2.0:

Change #1: Addition of the Govern Function

NIST organizes the Cybersecurity Framework into a hierarchy of 'Functions' and 'Categories.' CSF v1.1 had five functions: Identify, Protect, Detect, Respond, and Recover. CSF v2.0 added a sixth function called 'Govern,' which is intended to impact all other functions.

We believe adding a governance function appropriately matches the reality of increased interest and investment from senior leadership in building a strong cybersecurity culture from the top down.  

[Image: NIST Framework Upgrade Graphic]

Function Definitions

  1. GOVERN: Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy.
  2. IDENTIFY: Determine the current cybersecurity risk to the organization.
  3. PROTECT: Implement safeguards to prevent or reduce cybersecurity risk.
  4. DETECT: Identify and analyze possible cybersecurity attacks and compromises.
  5. RESPOND: Describe actions taken regarding a detected cybersecurity incident.
  6. RECOVER: Address restoring assets and operations impacted by a cybersecurity incident.

Change #2: Modifications to Some Categories

When placed side by side, you can clearly see the addition of the Govern function, but you'll also notice that several other categories were slightly changed as well. These changes reflect NIST's goal of making the CSF more easily adopted by a broader community of leaders and industries.

We support these improvements and feel they make CSF 2.0 an even better framework for K12 organizations because now the concepts behind the categories are more universally understood.

CSF 1.1 (Function / Category)

  • Identify
    • Asset Management
    • Business Environment
    • Governance
    • Risk Assessment
    • Risk Management Strategy
    • Supply Chain Risk Management
  • Protect
    • Identity Management and Access Control
    • Awareness and Training
    • Data Security
    • Information Protection Processes and Procedures
    • Maintenance
    • Protective Technology
  • Detect
    • Anomalies and Events
    • Security Continuous Monitoring
    • Detection Processes
  • Respond
    • Response Planning
    • Communications
    • Analysis
    • Mitigation
    • Improvements
  • Recover
    • Recovery Planning
    • Improvements
    • Communications

CSF 2.0 (Function / Category)

  • Govern
    • Organizational Context
    • Risk Management Strategy
    • Roles, Responsibilities, and Authorities
    • Policy
    • Oversight
    • Cybersecurity Supply Chain Risk Management
  • Identify
    • Asset Management
    • Risk Assessment
    • Improvement
  • Protect
    • Identity Management, Authentication, and Access Control
    • Awareness and Training
    • Data Security
    • Platform Security
    • Technology Infrastructure Resilience
  • Detect
    • Continuous Monitoring
    • Adverse Event Analysis
  • Respond
    • Incident Management
    • Incident Analysis
    • Incident Response Reporting and Communication
    • Incident Mitigation
  • Recover
    • Incident Recovery Plan Execution
    • Incident Recovery Communication

What's New With Cybersecurity Rubric 2.0

The Advisory Council and the Coalition's instructional design team worked closely together, and we are thrilled to release new versions of all the following:

  • Cybersecurity Rubric 2.0: (all three editions: Google Sheets, Excel, and PDF)
    • Updated with the new Govern function and all category modifications
  • On-demand Cybersecurity Rubric 2.0 training modules
  • New Q&A format scoring guide to help self-assessors complete the rubric
    • This resource helps professionals more accurately score their organization on the rubric

These resources all continue to be available at no cost to schools worldwide.

What's New With Certified Cybersecurity Rubric Evaluator (CCRE)

The Advisory Council and the Coalition's instructional design team worked closely together, and we are thrilled to release new versions of all the following:

  • On-demand Certified Cybersecurity Rubric Evaluator (CCRE) training modules and certification

Discount codes for the $99 CCRE training course and certification exam continue to be made available to professionals around the world.

Existing CCREs are invited to complete the updated on-demand CCRE training for the Cybersecurity Rubric 2.0 at no cost.

Existing CCREs are not required to recertify with the updated Cybersecurity Rubric 2.0, as certifications are valid for two years from issuance.

Access the Cybersecurity Rubric 2.0 Today

Ready to explore the newest version of the Cybersecurity Rubric? Visit cybersecurityrubric.org/use-the-rubric.

About the Cybersecurity Coalition for Education

ClassLink, ENA by Zayo, and SecurityStudio founded the Cybersecurity Coalition for Education to create a more accessible and effective approach to cybersecurity preparedness and training for schools. The coalition pioneered a groundbreaking approach to measuring and improving cybersecurity readiness, the Cybersecurity Rubric (CR) for Education. Along with the rubric, the coalition provides training and certification designed to guide schools to cybersecurity readiness.

Visit cybersecurityrubric.org to learn more.