What You Need to Know About NIST CSF 2.0

Accelerynt, Inc.

The National Institute of Standards and Technology (NIST) is updating version 1.1 of the Cybersecurity Framework (CSF). Version 2.0 will be released in final form sometime in 2024, but the August 8, 2023 public draft of the CSF Core is close to its final form. In this post, I’ll cover what is changing and what these changes could mean for you and your team.

Version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity was released in April 2018 and was aimed largely at critical infrastructure. It introduced improvements in authentication and identity management, self-assessment of cybersecurity risk, supply chain risk management, and vulnerability disclosure.

What’s New in NIST CSF 2.0?

Version 2.0 expands the framework’s applicability to a broader audience and includes the following changes:

On the surface, these changes are designed to increase the accountability and effectiveness of cybersecurity programs. The increased focus on supply chain risk management and secure software development practices was long overdue, and the new Govern Function and the continuous improvement changes will keep programs focused on risk management and on adapting to changes in the threat landscape. Seen alongside other recent government actions, however, these changes show how comprehensively the government is setting a new bar for what counts as a reasonable cybersecurity program.

In May 2021, the Biden administration issued Executive Order 14028, charging multiple agencies, including NIST, with enhancing cybersecurity. Since then, we’ve seen the Federal Trade Commission update its Safeguards Rule, the Securities and Exchange Commission (SEC) adopt new cybersecurity risk management, governance, and incident disclosure rules, and NIST update several publications, including the CSF.

Together, these changes are beginning to set a clear standard for “reasonable” cybersecurity. The reasonableness standard is what agencies and courts use to determine whether controls are appropriate and effective for a given environment. At some point soon, failure to include these elements in your program could lead not only to breaches but also to consequences such as insurance companies declining to cover breach costs and, in egregious cases, personal liability for leadership teams. The SEC’s recent lawsuit against SolarWinds and its CISO, while focused mainly on failure to disclose and on misleading statements, may indicate a shift towards more aggressive enforcement actions for lapses in controls.

What Should I Do Regarding the NIST CSF 2.0 Update?

So, what should you do? At the very least, read the draft CSF Core and consider how cybersecurity is managed in your organization. Does it have ‘top-down’ risk management strategies and ‘bottom-up’ controls defined, measured, and regularly assessed? Does the program effectively manage risk, and do executives at the company regularly review and seek to address these risks? What measurements are you using to gauge the efficiency and effectiveness of your program? Is continuous improvement a part of your team’s mindset, and how do you show this to senior leadership and the board?

Becoming more familiar with the changes in the NIST CSF and thinking through these questions will help you be more effective in your role. Even better, having a team of CSF experts assess your environment can validate your current state.
