The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines.
The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to build risk management strategies.
When used as a risk management resource, the CSF can be applied in the context of the National Cybersecurity Strategy’s five pillars, Pascoe said. Those pillars are:
- Defend critical infrastructure
- Disrupt and dismantle threat actors
- Shape market forces to drive security and resilience
- Invest in a resilient future
- Forge international partnerships to pursue shared goals
One of the main goals of CSF is to allow organizations to build their cybersecurity strategy by identifying risk and improving the process of risk management. The updated framework will emphasize improved risk management — crucial in the modern cybersecurity landscape.
The original CSF has five functions: identify, protect, detect, respond and recover. CSF 2.0 will add a sixth function: govern.
This one function elevates the importance that cybersecurity risk management plays in business and compliance outcomes. The governance function will focus on policies and procedures and on security team roles and responsibilities. The desired outcome is for organizations to assess and prioritize risk based on policies and then define the responsibilities of team members in addressing potential threats.
The govern function includes a section focused primarily on risk management. Whereas in previous versions of the CSF, risk management was covered under a different function (identify), it is now covered more fully under the govern function with its own subcategory. The discussion draft version of CSF 2.0 lists the following directives:
- GV.RM-01: Cybersecurity risk management objectives are established and agreed to by organizational stakeholders.
- GV.RM-02: Cybersecurity supply chain risk management strategy is established, agreed to by organizational stakeholders and managed.
- GV.RM-03: Risk appetite and risk tolerance statements are determined and communicated based on the organization’s business environment.
- GV.RM-04: Cybersecurity risk management is considered part of enterprise risk management.
- GV.RM-05: Strategic direction describing appropriate risk response options, including cybersecurity risk transfer mechanisms (e.g., insurance, outsourcing), investment in mitigations and risk acceptance, is established and communicated.
- GV.RM-06: Responsibility and accountability are determined and communicated for ensuring that the risk management strategy and program are resourced, implemented, assessed and maintained.
- GV.RM-07: Risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks.
- GV.RM-08: Effectiveness and adequacy of cybersecurity risk management strategy and results are assessed and reviewed by organizational leaders.
GV.RM-05 through GV.RM-08 are new additions to CSF 2.0, created for this new function.
Well-defined leadership roles go hand-in-hand with the governance function. Under its roles and responsibilities section, standard GV.RR-01 states, “Organizational leadership takes responsibility for decisions associated with cybersecurity risks and establishes a culture that is risk-aware, behaves in an ethical manner and promotes continuous improvement.”
The supply chain and its security risk have been a hot topic for a while. A few years ago, NIST added guidelines around supply chain security to the CSF. In CSF 2.0, the guidelines will be expanded to cover supply chain risk management. This follows other government initiatives to add more security to the supply chain. Although the CSF hasn’t offered specific parameters for risk management of the supply chain, different scenarios will likely provide examples of risks and functions designed to address threats.
Risk Management Tiers
These probable changes and updates to CSF will enhance the four framework implementation tiers, which NIST defines as “a lens through which to view the characteristics of an organization’s approach to risk — how an organization views cybersecurity risk and the processes in place to manage that risk.”
The tiers cover four different levels of an organization’s risk management program: partial, risk-informed, repeatable and adaptive. The tiers measure how the organization integrates its decisions around cybersecurity risk into overall business risks. The framework implementation also looks at how the company shares risk information with third parties.
Organizations self-govern their risk management journey. They determine the tier that best fits the current risk governance levels that meet business goals. However, these tiers aren’t just a definition of cybersecurity maturity. Rather, they allow the company to take a broader view of its overall cybersecurity risk tolerance. As the organization follows the framework, it can build a risk profile and develop a target profile to strive for.
How Will CSF 2.0 Continue to Evolve?
The updated CSF 2.0 puts a stronger emphasis on risk management. By emphasizing supply chain risk and security, it also follows guidelines released by other areas of the federal government. On the surface, it looks like there is finally cohesiveness in the U.S.’s cybersecurity approach, particularly carving a niche for cybersecurity risk management across government agencies and private industries.
This doesn’t mean that CSF 2.0 is perfect. There are risk areas that still need attention, such as the governance of remote work. Risk management standards aren’t designed to address fully remote or hybrid workforces.
And just as CSF 2.0 has recognized that supply chain security is adding higher levels of risk to organizations, it needs to step up to address the burgeoning threats from artificial intelligence, specifically generative AI. Generative AI exploded onto the scene after the CSF 2.0 process was well underway; now, it is impossible to ignore.
Perhaps it is too late to provide clear guidance around AI’s potential risk and offer a security framework, but it can’t be set aside for too long. The threat potential is looming, and organizations will soon be looking for guidelines on how to manage risks introduced by this new technology.