NIST Cyber Framework 2.0 doubles down on governance, expands applicability

On February 26, the agency released the Cybersecurity Framework 2.0, the first significant revamping of the guidance since its 2014 creation.


Over 10 years ago, in a move to improve the resilience of U.S. critical infrastructure to cyberattacks, then-President Barack Obama tasked the National Institute of Standards and Technology (NIST) with creating a cybersecurity framework by working with the private sector to identify industry best practices.

Since then, the framework had been updated only once, in 2018, as version 1.1.

On Feb. 26, the agency released the Cybersecurity Framework (CSF) 2.0, the first significant revamping of the guidance since its 2014 creation. The new version has a broader scope, aiming to reach businesses of all sizes, while also expanding the focus on governance for both internal and external stakeholders.

Cybersecurity professionals expect the updated version to become the “new standard” both for organizations that already have sophisticated cybersecurity strategies and for those that are just getting started, especially as federal agencies continue to accelerate breach disclosure requirements and hold executives liable for security failures.

“Developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad,” said Kevin Stine, chief of NIST’s Applied Cybersecurity Division, in a media release.

Introducing the not-so-new ‘govern’ function

Perhaps the most noticeable update is the addition of the “govern” function, which joins the other five key tasks: Identify, Protect, Detect, Respond and Recover.

The addition of the governance piece aims to ensure that an organization’s cybersecurity risk management “strategy, expectations and policy” are established and monitored. In practice, the new function pushes for a clear definition of a company’s strategies, as well as its cybersecurity roles and responsibilities, so that governance informs what a business needs to do to achieve the other five functions.

In the days following the release, the cybersecurity community appeared to be divided between those who see the govern function as having always been implied and those who see the addition as essential, especially as governance has become an area of focus for several federal agencies.

“The added emphasis by various government agencies over time, various executive orders, as well as rulemaking like the SEC cybersecurity rules specifically, all emphasize governance and board responsibility,” explained Aloke Chakravarty, co-chair of Snell & Wilmer’s cybersecurity, data protection, and privacy practice.

He added, “It could not be clearer that they want to emphasize the importance and the accountability at that level by breaking that out now as a separate principle to be upheld, so the governance applies to all of the various arms of the framework.”

In fact, government agencies have already started to hold senior executives at companies and other organizations liable for data privacy and security incidents.

“I think the bigger piece is that it really drives the point home that cybersecurity isn’t limited just to IT and security,” noted Rocco Grillo, managing director with Alvarez & Marsal Disputes and Investigations and head of the firm’s global cyber risk and incident response services practice. “It isn’t just, ‘hey, let’s go update the executives. Let’s go update the board.’ … Everybody is in this together. It really calls out the roles [and] the responsibilities of the board.”

Expanding the scope of cyber ‘responsibility’ — with some help

In many ways, the updates to the framework can be summarized by the agency’s desire to expand the CSF’s reach beyond its initial target audience, critical infrastructure. It now explicitly applies to organizations of all sizes, types and industry sectors, “from the smallest schools and nonprofits to the largest agencies and corporations,” according to a release from NIST.

“NIST is reacting in response to not just what companies need, but the way that the threat landscape is evolving, the way that companies are using different technologies,” Grillo said.

Version 2.0 also expands beyond the internal workings of companies to include supply chain risk management, pushing companies to think about their third-party vendors and suppliers beyond contractual liability and to include them in their cybersecurity strategies.

“It’s not just about procurement, managing the supply chain, it’s more so when a threat actor impacts the lifeline of the company, you can’t say well, it wasn’t in our four walls. … This is going to clearly define what happens if a critical third-party is impacted. What is our plan? What is our resilience as it relates to a disruption of our business or financial impact?” Grillo explained.

To help organizations adopt these changes, NIST released a slew of new resources and tools aimed at implementing the CSF 2.0. These include a new reference tool that allows users to search and export data from the framework, a searchable catalog of informative references that shows how a company’s current practices map to the framework, and implementation examples, among other resources.

“This is a rare circumstance where there are a lot of tools, examples, other narratives which NIST has released contemporaneously with the framework designed to make it widely adopted,” Chakravarty noted. He added, “In that sense, I think we will start seeing more and more of that conformity.”
