March 14, 2024

NIST refines Cybersecurity Security Framework, with increased focus on governance and supply chain

Stacy Hadeka, Soojin Jeong, Peter Marta, Katy J. Milner, Dan Ongaro, Paul Otto, Nathan Salminen, A.J. Santiago

Hogan Lovells

+ Follow Contact

Send

Embed

Hogan Lovells

NIST has updated its widely used Cybersecurity Framework to provide key updates and practical resources for organizations to manage and discuss cybersecurity risk. The updated framework, which remains voluntary, is designed to support organizations regardless of size, sector, jurisdiction, or maturity.

The National Institute of Standards and Technology (NIST) has published the final version of its updated foundational cybersecurity guidance, the Cybersecurity Framework (CSF) 2.0. CSF 2.0 features an expanded scope, includes a new “Govern” function, expands on supply-chain risks, and provides a library of resources to help use the framework. Organizations of all types and across all sectors can leverage the CSF 2.0 to better understand, manage, and discuss cybersecurity risk.

What is the CSF and why is it important?

NIST first published the CSF in 2014 as a landmark set of guidelines for organizations to identify, assess, and manage cybersecurity risks. At the heart of the CSF is the “CSF Core,” which provides a taxonomy of cybersecurity outcomes to help organizations assess, prioritize, and communicate their cybersecurity efforts. The CSF also includes “CSF Organizational Profiles” to help organizations identify current and target states for cybersecurity outcomes, as well as “CSF Tiers” to help organizations assess cybersecurity governance and risk management practices. The CSF was updated to version 1.1 in 2018, which included incremental updates around supply chain risk management as well as new guidance on metrics and measures for a cybersecurity program.

Although originally developed in response to an executive order to improve cybersecurity for critical infrastructure, the framework is now used by organizations across sectors to measure cybersecurity program maturity and to help manage cybersecurity risks.

The CSF remains voluntary for the private sector. Many of the largest companies around the world use the CSF to structure or influence their cybersecurity programs. Leveraging the CSF is typically seen as a means to anchor a cybersecurity program to help meet a range of legal and regulatory requirements while communicating more effectively with senior management, which may reduce regulatory and litigation risks for companies that adopt it. The CSF is also increasingly used to discuss cybersecurity risk management and maturity at the board level. And, more broadly, it can provide a sound foundation for a cybersecurity program and may help to more effectively manage cybersecurity risks.

What has changed?

With the final version of CSF 2.0, NIST has updated the CSF’s core guidance and created a suite of additional resources to better help organizations achieve their cybersecurity goals. CSF 2.0 includes one new top-level function, 11 new categories, 54 new subcategories, and revises a further 25 existing subcategories.

New focus on cybersecurity governance

CSF 2.0 includes a governance function in addition to the five core functions already in place (Identify, Protect, Detect, Respond and Recover). The new “Govern” function calls for an organization’s “cybersecurity risk management strategy, expectations, and policy [to be] established, communicated, and monitored.” NIST conceptualizes the Govern function as central to the CSF, as the function “provides outcomes to inform what an organization may do to achieve and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder expectations.” Prior governance-related content in CSF 1.1 has been moved under this new Govern function.
CSF 2.0 aims to support organizations in managing and prioritizing cybersecurity risks within their entire portfolio of risk. The framework includes references to additional NIST resources to facilitate an enterprise risk management approach and to help organizations assess connections between cybersecurity risk and other enterprise risks, including financial, reputational, privacy, supply chain, and artificial intelligence risks. For example, CSF 2.0 can be used along with NIST’s Privacy Framework by leveraging the CSF’s “Detect,” “Respond,” and “Recover” functions and the Privacy Framework’s “Protect” function to manage overlapping cybersecurity and privacy risks. Similarly, CSF 2.0 can map to NIST’s AI Risk Management Framework’s “Map, Measure,” and “Manage” functions.

Emphasis on supply chain cybersecurity risk management

In CSF 1.1, NIST called for organizations to put in place appropriate response strategies, policies, processes, and procedures to manage supply chain risks with buyers and suppliers. Recognizing the risks imposed by the complex, global, and interconnected nature of supply chains, NIST CSF 2.0 has moved the cybersecurity supply chain risk management category that was previously under “Identify” to the “Govern” function. NIST recognized that supply chain risk management is often handled by stakeholders outside of the cybersecurity function, and thus may require a multi-stakeholder coordinated effort across sourcing/procurement, legal, privacy, and others. With additional subcategories, NIST emphasizes the importance of establishing cybersecurity roles for relevant third parties for cybersecurity, enterprise risk management, and incident response.

Expanded applicability to a broad range of sectors

While the CSF’s original target audience was U.S. critical infrastructure, since 2014, many of the sorts of cybersecurity threats that once were only a significant concern for critical infrastructure entities are now impacting a broader range of industries. Over the past decade, many companies in other sectors have chosen to leverage the CSF, and the updated CSF 2.0 now expressly aims to assist organizations of all types and across all sectors, regardless of their cybersecurity sophistication. The CSF’s outcomes are intended to be “sector-, country-, and technology-neutral,” providing organizations with flexibility to address their unique risk profile, size, environment, and mission considerations.

Online suite of customizable and more frequently updated resources

NIST issued updated informative references that map the six core functions to related standards, guidelines, and regulations to help organizations identify the most relevant materials, including those that are sector- or technology-specific.
CSF 2.0 also provides implementation examples that provide actionable steps to help organizations achieve target cybersecurity outcomes.
Small businesses, enterprise risk managers, and other targeted audiences can use quick-start guides that have distilled specific portions of the CSF 2.0 into initial steps to help these organizations implement improvements to their cybersecurity programs.
The new CSF 2.0 Reference Tool allows users to more easily browse and search the CSF and to export portions of it into machine-readable formats.

Next steps

CSF 2.0 remains a voluntary standard, and leveraging it can be helpful in organizing and improving a company’s security program. Use may have benefits in terms of reducing regulatory risk, litigation risk, and the frequency and impact of cybersecurity incidents. And the U.S. government’s numerous cybersecurity-related requirements increase overlap with CSF components. For example:

The new Govern function may help U.S. publicly traded companies better comply with the SEC’s new cybersecurity requirements.
The CSF’s Govern function may also complement organizations’ efforts to leverage NIST’s Privacy Framework and AI Risk Management Framework, which also contain Govern functions.
As federal agencies increasingly are holding government contractors accountable to NIST publications, companies in the government contracting space may benefit from alignment with the CSF, or even find that such alignment becomes a contract requirement.
The CSF’s new emphasis on supply chain risk management will also be impactful for the information technology and communications sectors, which are seeing cybersecurity supply chain risk management initiatives arise from multiple agencies such as the Federal Communications Commission and the Departments of Homeland Security and Commerce. It will be interesting to see if and how the CSF 2.0 is harmonized with other relevant workstreams—and organizations will need to consider how to meet their obligations under potentially overlapping regimes.

Organizations may want to reassess their cybersecurity programs in light of the CSF’s updated core guidance. Organizations that already leverage CSF 1.0 or 1.1 may wish to assess their program with the new standard, and organizations that do not currently base their program on any security framework may wish to consider leveraging CSF 2.0 as that standard. Organizations may wish to review the online suite of resources to better manage and communicate about their cybersecurity programs.

Organizations may review their current cybersecurity governance practices in particular, and assess their policies and practices against the outcomes described in CSF’s new Govern function. Benchmarking against the Govern function may be a helpful exercise as organizations update their cybersecurity disclosures to comply with the SEC’s cybersecurity disclosure requirements for public companies.

Finally, organizations might wish to revisit any public representations made regarding the organization’s use of the CSF and validate that such representations remain accurate and caveated. Regulators such as the FTC or SEC may scrutinize statements about the CSF as false or misleading, particularly in the event of a cybersecurity incident.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.