Governance, Supply Chain, & Risk Management, Oh My! Understanding the New NIST CSF 2.0 Draft Guideline Changes
When it comes to creating a plan to reduce risk and increase your cybersecurity maturity, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF) has been the gold standard for many organizations and the foundation of multiple regulatory guidelines. The NIST CSF was originally released in 2014, and it’s a big event when NIST releases new draft guidance! It should be noted that the NIST CSF 2.0 is a draft that is currently in the public comment period that extends into November 2023. So, none of this is final, and it may change a bit before it is formally approved. With that said, let’s dive into a brief overview of NIST and review some of the great new proposed changes in the NIST CSF 2.0!
What is the NIST CSF?
Created as a strategic planning and assessment tool, the NIST CSF is now considered the gold standard framework for helping organizations of all sizes understand and manage cybersecurity risk through a flexible set of standards, guidelines, and practices. Although it was originally designed for critical infrastructure, Federal agencies and some state and foreign governments are now required to use the NIST CSF. In addition, some organizations mandate that their vendors and supply chain partners comply with the NIST CSF, and a few private insurance companies make it a requirement for cybersecurity coverage. While the NIST CSF is a widely adopted, voluntary industry best practice for most organizations, it also serves as the underlying information security standard for many regulatory requirements such as FISMA, GLBA, and others. As a result, even organizations that are not directly subject to NIST can be affected by other widely used frameworks that are mapped to the NIST CSF or align with its guidance, which makes it a leading source of cybersecurity best practices. That said, one challenge with the NIST CSF has always been that it is not very prescriptive: it can be hard for organizations to interpret the guidance and apply it when developing and organizing their policies.
What are the Big Changes in the NIST CSF 2.0?
The updated NIST CSF 2.0 has significant changes that are designed to help all organizations better understand and implement the framework. It begins by sharing the message most leaders today acknowledge—cybersecurity is no longer just an IT issue; it is a business issue and cybersecurity risk can impact the success of your entire organization. At a high level, the updated guidance provides more detailed explanations of the framework’s components and guidance on how to put them into practice. This enhanced guidance is especially beneficial for organizations that are new to the framework or that have struggled to successfully implement it in the past. “The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical,” stated NIST’s Cherilyn Pascoe, the framework’s lead developer.
The NIST CSF 2.0 updates some of the terminology and recommendations to align with today’s best practices, as well as makes some exciting new additions to the framework. Let’s look at some of the biggest changes:
- The NIST CSF 2.0 adds a new “Govern” function to the framework. This is the most significant addition in the draft. The “Govern” function is designed to help organizations understand how to make and execute decisions related to their cybersecurity strategies. As shown in the illustration, the Govern function sits in the middle because it supports the execution of all the other function areas. It emphasizes the importance of people, processes, and technology in effectively governing cybersecurity within an organization. The NIST CSF 2.0 recognizes that cybersecurity is a significant source of enterprise business risk, as well as a notable contributor to an organization’s legal and financial risk. This addition underscores the need for senior leadership to be actively involved in cybersecurity decision-making and reflects the importance of creating a culture of security within each organization.
- Stronger emphasis on Supply Chain Risk Management. Now under the “Govern” function, the NIST CSF 2.0 highlights the critical role of supply chain risk management and expands the emphasis on this topic with ten subcategories that define the actions required for organizations to identify, establish, manage, and monitor cyber supply chain risk management processes. Furthermore, the framework encourages organizations to establish cybersecurity standards and practices for their suppliers, emphasizing the importance of clear communication and understanding of cybersecurity requirements throughout the supply chain.
- Expanded implementation guidance. One of the largest frustrations with the NIST CSF was that, in an effort to be flexible, the framework was unclear and difficult for many to implement. The NIST CSF 2.0 now provides expanded guidance, implementation examples, and a few new profiles tailored for different industries or events. It also includes a separate document of NIST CSF 2.0 implementation examples. In addition, NIST has launched a new CSF 2.0 Reference Tool that, when completed in 2024, will let users easily search and export framework data, and will include references to other resources that make implementing the NIST CSF 2.0 easier.
Image of NIST CSF 2.0 implementation examples. Image courtesy of NIST
- Clarification of measurement, assessment, and privacy guidance. The new guidelines also add a new “Improvement” category in the “Identify” function and provide guidance on developing action plans to continually improve cybersecurity maturity. They clarify the importance of risk management, offer additional guidance, and encourage organizations to integrate threat intelligence into their cybersecurity strategy. In addition, the framework aligns with published NIST privacy guidance and references obligations organizations may face under GDPR and CCPA.
What’s Next
The NIST CSF 2.0 represents a significant evolution in cybersecurity regulations and guidelines, but it is not yet in its final form and may be changed based on public feedback. However, we appreciate the new governance framework recommendations that emphasize the importance of leadership, collaboration, risk management, supply chain security, and metrics in achieving robust cybersecurity practices. It’s crucial for organizations to not only understand these changes but also prepare to take proactive steps to implement them effectively with a multi-year plan. We hope you found this summary helpful! If creating a multi-year cybersecurity plan feels overwhelming, contact us and our expert advisory team can help you with NIST policy development and create a plan for continuous cybersecurity improvement.