Focusing In On the New “Govern” Function in NIST CSF 2.0

In February 2024, the National Institute of Standards and Technology (NIST) released Version 2.0 of the Cybersecurity Framework (CSF or the Framework), the first significant update since the Framework was first created in 2014.

Although the CSF is voluntary, it has become a key standard for assessing the maturity and management of a cybersecurity program and its related risk. While there are multiple enhancements in CSF 2.0, the “Govern” function is the change that may have the largest impact, as this function should help organizations and compliance teams map and meet various laws and regulations while managing their cyber programs.

The core of the CSF is organized into six key functions: Identify, Protect, Detect, Respond, Recover, and Govern. The new Govern function stresses the importance of including governance activities within, and aligning them with, both risk management and compliance strategies. It signals an increased expectation that organizations understand and document their business environment, cybersecurity strategy, risk analysis, and supply chain risk management. Beyond establishing policies, procedures, and strategies in these areas, equal importance is placed on identifying the proper roles and responsibilities for these activities and on oversight strategies for leadership, the board of directors, or similar key stakeholders.

Risk management is mentioned in many frameworks, laws, and regulations related to cybersecurity, but without a solid process of ongoing evaluation and analysis, many organizations fall short on these practices. The new Govern function should help address this issue by pushing organizations to perform risk management in a more comprehensive manner. For example, there is a “Risk Management Strategy” category whose subcategories indicate that risk management activities and outcomes should be included in enterprise risk management processes, and that organizations should establish and communicate a “standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks.”

Additionally, the “Roles, Responsibilities, and Authorities” category states that “organizational leadership is responsible and accountable for cybersecurity risk.” Looking more closely, one implementation example specifically notes the role of the board of directors, demonstrating a broader expectation that senior leadership at the highest level has a role in managing cybersecurity risk throughout the organization. Sound familiar? Regulators and industry experts have been conveying this message for a while now, and if you haven’t done so already, it’s time to make sure those overseeing your cybersecurity program have the appropriate knowledge to do so, whether through training or personal experience.

Another familiar topic is presented in the Govern function’s “Supply Chain Risk Management” category. Its focus is on gaining an understanding of your third-party ecosystem and then ensuring that the proper controls to manage the various risks are implemented through policy, people, technology, and processes. The companies that make up your supply chain should be documented, risk ranked, and assessed both before partnering with them and regularly thereafter. If they are a critical part of your organization’s systems or processes, they should be included in incident response, business continuity, and disaster recovery planning.
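The two categories above ask for a standardized, documented method of scoring and prioritizing cyber risks, and for supply chain partners to be risk ranked, reassessed on a schedule, and folded into resilience planning when they support critical processes. The following Python risk register is an added example written for this post, not code from NIST or from the CSF; the framework does not prescribe a scoring formula, so the likelihood-by-impact scales, the tier thresholds, the reassessment intervals and the sample vendor entries are all assumptions constructed for illustration.

```python
"""Minimal cyber/vendor risk register with a standardized scoring method.

Added example, not part of the original post or of NIST CSF 2.0. The CSF asks
for a "standardized method for calculating, documenting, categorizing, and
prioritizing cybersecurity risks" but leaves the method to the organization;
every scale and threshold below is an assumption chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed ordinal scales (1 = lowest, 5 = highest); score = likelihood * impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed tiering of the 1..25 score (checked top-down) and how often each
# tier must be reassessed. Publishing these is what makes the method "standardized".
TIER_THRESHOLDS = [(15, "critical"), (8, "high"), (4, "medium"), (0, "low")]
REASSESS_DAYS = {"critical": 90, "high": 180, "medium": 365, "low": 730}


@dataclass
class RiskEntry:
    id: str
    description: str
    likelihood: str
    impact: str
    owner: str                          # accountable role, per Roles & Responsibilities
    last_assessed: date
    supplier: Optional[str] = None      # set when the risk stems from a third party
    supports_critical_process: bool = False


def score(entry: RiskEntry) -> int:
    """Standardized calculation: likelihood x impact on the assumed 1..5 scales."""
    return LIKELIHOOD[entry.likelihood] * IMPACT[entry.impact]


def tier(entry: RiskEntry) -> str:
    """Categorize the numeric score into a named tier."""
    s = score(entry)
    for threshold, name in TIER_THRESHOLDS:
        if s >= threshold:
            return name
    return "low"


def prioritize(register: List[RiskEntry]) -> List[str]:
    """Highest score first; ties broken by id so the ordering is reproducible."""
    return [e.id for e in sorted(register, key=lambda e: (-score(e), e.id))]


def overdue(register: List[RiskEntry], today: date) -> List[str]:
    """Entries whose last assessment is older than their tier's cadence allows."""
    return [e.id for e in register
            if today - e.last_assessed > timedelta(days=REASSESS_DAYS[tier(e)])]


def resilience_plan_suppliers(register: List[RiskEntry]) -> List[str]:
    """Suppliers that must be covered by IR / business continuity / DR planning:
    those whose service underpins a critical process."""
    return sorted({e.supplier for e in register
                   if e.supplier and e.supports_critical_process})


def build_sample_register() -> List[RiskEntry]:
    """Constructed sample data (fictional suppliers and dates), not real vendors."""
    return [
        RiskEntry("R-1", "Hosting provider outage takes down customer portal",
                  "likely", "major", "CIO", date(2024, 1, 10),
                  supplier="ExampleCloud Inc.", supports_critical_process=True),
        RiskEntry("R-2", "Payroll SaaS breach exposes employee PII",
                  "possible", "moderate", "CISO", date(2023, 6, 1),
                  supplier="PayrollVendor LLC"),
        RiskEntry("R-3", "Stale local admin accounts on workstations",
                  "unlikely", "minor", "IT Ops Lead", date(2024, 3, 1)),
        RiskEntry("R-4", "Offsite backup vendor loses media",
                  "rare", "severe", "CISO", date(2024, 2, 15),
                  supplier="BackupTapes Co", supports_critical_process=True),
    ]


def summarize(register: List[RiskEntry], today: date) -> Dict[str, object]:
    """One report a governance owner can hand to leadership or the board."""
    return {
        "tiers": {e.id: tier(e) for e in register},
        "priority_order": prioritize(register),
        "overdue_reassessments": overdue(register, today),
        "suppliers_in_resilience_plans": resilience_plan_suppliers(register),
    }


if __name__ == "__main__":
    for k, v in summarize(build_sample_register(), date(2024, 6, 1)).items():
        print(f"{k}: {v}")
```

Running the module prints the tier of each entry, the priority order, which entries are past their reassessment window, and which suppliers have to appear in incident response, continuity and recovery plans. The point of the example is less the arithmetic than the shape of the record: every risk carries an accountable owner, a dated assessment and an explicit link to any third party, which is what lets an organization show how it calculates, categorizes and prioritizes risk rather than just asserting that it does.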

Here is the full breakdown of the Govern function, including its six categories and 31 subcategories:

[Image: NIST CSF 2.0 Govern function, categories and subcategories, pages 1 through 3]

As organizations conduct assessments leveraging CSF 2.0, they should consider reviewing the “Implementation Examples” and assessing the extent to which their policies and procedures align. The new Implementation Examples will equip organizations to apply Version 2.0 of the Framework more effectively and efficiently.

NIST has also created a CSF 2.0 Resource Center that includes quick start guidance, profiles, and informative references to help organizations as they work with the Framework. These resources can be found on NIST’s website at https://www.nist.gov/cyberframework.
