TheCorporateCounsel.net

August 22, 2023

NIST Solicits Comment on Cybersecurity Framework 2.0

The National Institute of Standards and Technology (NIST) recently released drafts of its Cybersecurity Framework (CSF) 2.0 for public comment. The NIST CSF consists of standards, guidelines, and best practices that help organizations improve their management of cybersecurity risk. In its announcement of the new CSF, NIST notes:

The world’s leading cybersecurity guidance is getting its first complete makeover since its release nearly a decade ago.

After considering more than a year’s worth of community feedback, the National Institute of Standards and Technology (NIST) has released a draft version of the Cybersecurity Framework (CSF) 2.0, a new version of a tool it first released in 2014 to help organizations understand, reduce and communicate about cybersecurity risk. The draft update, which NIST has released for public comment, reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice — for all organizations.

In February 2022, NIST released a request for information about the CSF. In response, commenters indicated that the framework remains an effective tool for reducing cybersecurity risk, but noted “that an update could help users adjust to technological innovation as well as a rapidly evolving threat landscape.”

In its announcement of the updated draft, NIST notes the following key changes to the CSF:

• The framework’s scope has expanded — explicitly — from protecting critical infrastructure, such as hospitals and power plants, to providing cybersecurity for all organizations regardless of type or size. This difference is reflected in the CSF’s official title, which has changed to “The Cybersecurity Framework,” its colloquial name, from the more limiting “Framework for Improving Critical Infrastructure Cybersecurity.”

• Until now, the CSF has described the main pillars of a successful and holistic cybersecurity program using five main functions: identify, protect, detect, respond and recover. To these, NIST now has added a sixth, the govern function, which covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership.

• The draft provides improved and expanded guidance on implementing the CSF, especially for creating profiles, which tailor the CSF for particular situations. The cybersecurity community has requested assistance in using it for specific economic sectors and use cases, where profiles can help. Importantly, the draft now includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, use the framework effectively.

The CSF 2.0, while still in draft form, is a good resource to review as you prepare for the new SEC disclosure requirements and evaluate whether your practices for managing cybersecurity risks are consistent with best practices.

The comment period for the draft CSF 2.0 runs until November 4, 2023.

– Dave Lynn