Earlier this year, the National Institute of Standards and Technology (NIST) issued an update to its Cybersecurity Framework (CSF) with the release of version 2.0, the first update since April 2018 (version 1.1). While the core components of CSF remain, there are two thematic changes: CSF 2.0 (1) no longer applies just to critical infrastructure organizations, but rather explicitly aims to assist all organizations in managing and reducing risks across industries and sectors, regardless of their cybersecurity sophistication; and (2) adds “Govern” as a sixth core function, alongside Identify, Protect, Detect, Respond, and Recover. CSF 2.0 also contains significant additions and a refocus on cybersecurity supply chain risk management (C-SCRM), which is unsurprising given organizations’ reliance on third-party vendors and the prevalence of supply chain attacks.
Applicability of CSF 2.0 to All Organizations. CSF 2.0 shifted from applying only to critical infrastructure organizations to applying to all organizations, regardless of industry, size, and cybersecurity maturity. The update moves away from one-size-fits-all guidance towards an evolutionary model – one that encourages ongoing program improvement to suit the unique needs of each organization. Creating a culture focused on ongoing improvement is essential as the cyber threat landscape rapidly evolves.
The New “Govern” Function. The addition of Govern to CSF 2.0 emphasizes the importance of cybersecurity as one core component of an organization’s broader enterprise risk management strategy, as it elevates cybersecurity programs to both the C-suite and Board level, alongside financial and reputational risks. The Govern function encompasses the roles, duties, authority, policy, oversight, and understanding of context within organizational risk management. To enhance recovery and resilience, Govern highlights how organizations strategize and implement cybersecurity programs and recognizes these decisions as a critical factor in holistically managing enterprise, financial, and reputational risks. These changes reflect companies’ increased legal and regulatory obligations for transparency and accountability in the event of cyber-attacks. Organizations should consider the interplay between the new Govern function and the SEC’s new Cybersecurity Disclosure Rule, which stresses increased involvement from executive management and/or the Board in cybersecurity through both the disclosure of a “material cybersecurity incident” on Form 8-K and the organization’s quarterly Form 10-K disclosures.
Supply Chain Risk Management – An Increasingly Critical Focus. CSF 2.0 expands on and emphasizes the importance of C-SCRM, which NIST acknowledges is increasingly complex, globally distributed, and involves multiple levels of outsourcing. NIST categorizes the majority of C-SCRM under the Govern function (see the “Cybersecurity Supply Chain Risk Management” Category – GV.SC), suggesting that more must be done from the top to mitigate the heightened risk posed by expanded supply chains. NIST also added certain C-SCRM outcomes related to third-party due diligence, assessing the criticality of business partners, and addressing risks posed by third-party suppliers throughout the lifecycle of the relationship.
NIST created a suite of resources to help organizations achieve their cybersecurity goals, including the CSF 2.0 Reference Tool – a searchable, machine-readable, exportable version to help organizations consume the new framework; Implementation Examples – intended to illustrate how organizations may employ subcategories; and a Quick Start Guide – to help organizations operationalize the framework. As many organizations rely on NIST CSF as the baseline for their cybersecurity framework, these organizations should review CSF 2.0 and consider how best to incorporate these changes into their cybersecurity activities and broader enterprise risk management program. Particularly given NIST’s intentionally flexible approach, which ties the framework to no specific regulation(s) and offers no prescriptive instructions on how to implement it, companies should consider developing a Community Profile to view and understand how other organizations are also implementing CSF 2.0.