On February 26, 2024, the U.S. National Institute of Standards and Technology (“NIST”) published version 2.0 of its Cybersecurity Framework. Originally released in 2014 and updated in 2018 and now 2024, the NIST Cybersecurity Framework (“CSF” or “Framework”) “offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts.” Globally, organizations, industries, and government agencies have increasingly relied upon the Framework to establish cybersecurity programs and measure their maturity. Version 2.0 follows a Concept Paper, published by NIST on January 19, 2023, in which NIST had proposed some potentially significant updates to the Framework.
Significant Updates. The CSF 2.0 incorporates some significant updates to the Framework, including:
- Expanded Application – Although the original Framework was developed to address critical infrastructure cybersecurity risks, the Framework has become much more widely used in practice, including internationally. CSF 2.0 recognizes this broader scope of the Framework and acknowledges that it “is designed to be used by organizations of all sizes and sectors, including industry, government, academia, and nonprofit organizations, regardless of the maturity level of their cybersecurity programs.”
- New “Govern” Function – The original five functions of the Framework – Identify, Protect, Detect, Respond, and Recover – have been expanded to include a new, sixth function: Govern. The new Govern function looks to whether an “organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.” In particular, the function “addresses an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policy; and the oversight of cybersecurity strategy.” According to NIST, “[t]he governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation.”
- Increased Focus on Cybersecurity Supply Chain Risk Management (“C-SCRM”) – As part of the Govern function, the CSF 2.0 includes a category on C-SCRM, which expands upon the C-SCRM category that was previously outlined in the Identify function of the CSF 1.1 (ID.SC). Overall, the C-SCRM category looks to whether an organization’s “[c]yber supply chain risk management processes are identified, established, managed, monitored, and improved by organization stakeholders.” For example, some of the C-SCRM subcategories address whether C-SCRM is integrated into an organization’s cybersecurity and risk management processes, whether an organization performs due diligence to reduce risks before establishing supplier relationships, and whether suppliers’ performance is monitored throughout the technology or service life cycle, among other aspects.
- New Reference Tools – Along with the CSF 2.0, NIST has released additional tools and resources to assist organizations with implementing the Framework, such as new Implementation Examples. In particular, NIST has published new Quick Start Guides “designed for specific types of users, such as small businesses, enterprise risk managers, and organizations seeking to secure their supply chains.” For example, NIST has released a C-SCRM Quick Start Guide that outlines how to use the Framework to establish and operate a C-SCRM capability. Similarly, NIST has published an Enterprise Risk Management Quick Start Guide that provides an introduction to “planning and integrating an enterprise-wide process for integrating cybersecurity risk management information[.]” Separately, NIST has also released a new CSF 2.0 Reference Tool that allows users to explore the Framework functions, export sections for reference, and filter for Informative References that “show the connection between the CSF 2.0 and other cybersecurity frameworks, standards, guidelines, and resources.”
Looking Ahead. Following the publication of the CSF 2.0, NIST has stated that the Implementation Examples and the Informative References “will be updated more frequently than the rest of the Core.” These resources will be published and maintained online.