turbot / steampipe-mod-aws-compliance

Run individual controls or full compliance benchmarks for CIS, PCI, NIST, HIPAA and more across all of your AWS accounts using Powerpipe and Steampipe.
https://hub.steampipe.io/mods/turbot/aws_compliance
Apache License 2.0
368 stars 59 forks

Add Support for NIST CSF 2.0 Benchmark #822

Open andy-werderman opened 2 weeks ago

andy-werderman commented 2 weeks ago

Is your feature request related to a problem? Please describe.
Nope, just an enhancement to current functionality.

Describe the solution you'd like
Implementation of the new NIST CSF 2.0 Benchmark (updated from the current v1.1).

Describe alternatives you've considered
None

Additional context
NIST released a new version of the CIS benchmark in February. According to the links below, it seems the updates mostly reorganize existing controls as well as introduce a small few. In addition, the new controls seem to mostly be things handled outside of AWS API calls. Most of the work here will probably be determining what needs to be done.

See slack thread in links below.

Related Links

khushboo9024 commented 2 weeks ago

@andy-werderman Thanks for raising the issue.

We investigated from our end and found that Audit Manager has not yet published the NIST CSF 2.0 Benchmark. We strictly adhere to AWS Audit Manager.

Additionally, we were not able to find any relevant documentation with controls mapping for the NIST CSF 2.0 Benchmark.

Please let us know if you have any references for the controls. Thanks.

andy-werderman commented 2 weeks ago

> We investigated from our end and found that Audit Manager has not yet published the NIST CSF 2.0 Benchmark. We strictly adhere to AWS Audit Manager.

Ah that makes sense! I wasn't aware.

> Additionally, we were not able to find any relevant documentation with controls mapping for the NIST CSF 2.0 Benchmark.

I think the documentation you are talking about is a mapping from a NIST CSF 2.0 benchmark control --> an actual control in the AWS compliance mod, is that right?

I'm not aware of any documentation like that either.

All I know of is:

I should note that a lot of the controls are vague and in my mind wouldn't directly point to a specific API call or check in AWS. Only a subset could be verified by API calls to AWS.

andy-werderman commented 1 week ago

I reached out to my company's AWS rep to ask about their support for NIST CSF 2.0. Here was his response:

I’ve heard back from the product team. Under NDA I can tell you that they have paused onboarding new frameworks until after re:Invent. I have added your influence to the request for NIST CSF v2.0 for when the team picks up the next round of frameworks.