What is the CSF and why is it important?

The CSF, first published in 2014 and last updated in 2018, is a set of guidelines developed by NIST for understanding, managing, reducing and communicating cybersecurity risks. The CSF is used broadly within the federal government (and its contractors) and, although it is voluntary for the private sector, it has been yielding more influence throughout industry. Businesses may view the CSF as an important baseline for cybersecurity program measurement and a helpful tool in managing cybersecurity risks. Board members are increasingly encouraged to seek updates on the state of management’s cybersecurity program through the lens of the CSF – and in particularly, publicly traded companies in the US may look to the CSF to help explain their cybersecurity program and risk management activities in response to the new SEC final rule. Courts may use the CSF to inform the applicable standard of care for certain organizations, and some regulators have mapped their own cybersecurity rules to the CSF.

NIST’s release of the draft CSF 2.0 is the final opportunity for interested parties to submit feedback on the text before the document is finalized in early 2024. See our previous discussionon NIST’s Journey to CSF 2.0.

What is changing?

NIST has released a draft Version 2.0 of the CSF which makes updates to Version 1.1 based on feedback from industry stakeholders, nonprofits, government, individuals, and academics. A summary of the changes follows.

• Emphasis on cybersecurity governance, cybersecurity supply chain risk management, and recovery.

  • The CSF previously described the main pillars of a successful and holistic cybersecurity program using five main functions: identify, protect, detect, respond and recover. The draft adds a sixth function, the govern function, which covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy.

  • Updated guidance reflects the latest NIST guidance and practices related to cybersecurity supply chain risk management and secure software development.

  • The recovery function has had several new subcategories regarding backups and restoration activities.

  • The focus on people, process, and technology is expanded throughout the implementation of the CSF.

• Additional guidance on CSF implementation and tailoring for risk.

  • The draft provides improved and expanded guidance on implementing the CSF, especially for creating profiles, which tailor the CSF for particular situations.

  • The draft also includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, use the CSF effectively.

  • One theme in both the revised and new controls is that CSF 2.0 features "risk acceptance" explicitly stated and greater discussion of "risk prioritization" and using safeguards "commensurate with risk."

• Additional information on cybersecurity measurement and assessment.

  • Version 2.0 clarifies the Framework implementation tiers to focus on cybersecurity governance, risk management, and third-party considerations.

  • The importance of continuous improvement is emphasized through a new Improvement Category in the Identify Function, as well as improvements in guidance on developing and updating Profiles and action plans.

• References to related documents and resources.

  • NIST added internal references to the recent external publications including the NIST Privacy Framework, NICE Workforce Framework for Cybersecurity, Secure Software Development Framework, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, Performance Measurement Guide for Information Security, Integrating Cybersecurity and Enterprise Risk Management series, and the Artificial Intelligence Risk Management Framework.

• Expanded geographic scope.

  • The CSF’s original emphasis on securing U.S. critical infrastructure has been modified to focus on organizations all around the world to reflect the guidance’s broad and international use. This includes reference to other international frameworks.

Next steps

NIST has requested feedback on the draft CSF 2.0, specifically on whether the draft (1) addresses organizations’ current and anticipated future cybersecurity challenges; (2) aligns with leading cybersecurity practices and guidance resources; and (3) reflects public feedback provided on the CSF so far. NIST also requests ideas on how to best manage the transition from Version 1.1 to Version 2.0 and encourages suggestions for improvements to the draft. NIST will host a workshop on the draft on September 19-20, 2023, with options for virtual and in-person attendance.

This is the last opportunity to provide written input on Version 2.0, as NIST has stated that it has no plans to release another draft for comment. Stakeholders and interested parties can submit comments via cyberframework@nist.gov on or before Friday, November 4, 2023. All comments will be posted publicly on NIST’s CSF Version 2.0 webpage. NIST expects to release the finalized CSF Version 2.0 in early 2024.

Organizations are well advised to consider how the CSF updates may affect their own cybersecurity program assessment, evaluation, and reporting efforts, including in Board-level communications around the strength and maturity of the cybersecurity program and associated controls.