
NIST Cybersecurity Framework 2.0 Released For Public Comment


On August 8, 2023, the National Institute of Standards and
Technology (NIST) released the initial draft of its Cybersecurity
Framework 2.0 and draft Implementation Examples for public comment.
This is the first significant update to the NIST Cybersecurity
Framework (“Framework”) since its initial release in 2014. The
update is intended to address the current and future cybersecurity
threats faced by all organizations and to make the Framework easier
for organizations to use. An updated Framework is important given
that the Federal Trade Commission (the “FTC”) has routinely relied
upon the existing Framework in determining whether a company’s data
security practices are reasonable and not unfair or deceptive in
violation of Section 5 of the FTC Act.

Previous versions of the Framework, versions 1.0 and 1.1, were
designed to assist critical infrastructure entities, such as
hospitals and power plants, in enhancing their security and
managing cybersecurity risk. The updated Framework 2.0 would expand
the scope of the Framework to apply to all organizations,
“regardless of its size, sector, or maturity.”

Framework 2.0 would further introduce to its core functions
– identify, protect, detect, respond, and recover – a
sixth “govern” function that covers how organizations can
execute internal decisions to support their cybersecurity strategy.
The elements of the core governance strategy include control
categories to help organizations understand:

  • Organizational Context: including that organizations should
    identify internal and external stakeholders and understand the
    stakeholders’ needs and expectations related to risk.

  • Cybersecurity Supply Chain Risk Management: including that
    organizations should establish and communicate the cybersecurity
    roles for suppliers, customers, and partners.

  • Roles, Responsibilities and Authorities: including that
    organizational leadership should be accountable for cybersecurity
    risk and foster “a culture that is risk-aware, ethical, and
    continually improving.”

  • Policies, Processes and Procedures: including that
    organizations should update, communicate, and enforce policies,
    processes, and procedures for managing cybersecurity risks.

  • Oversight: including that organizations should review
    cybersecurity risk management strategy outcomes to “inform and
    adjust strategy and direction.”

Given the increased regulatory focus on cyber governance, the new
“Govern” function helps clarify and summarize the components of a
successful program.

This updated version also provides guidance on how to implement
the Framework, which includes creating and leveraging
“Framework Profiles” to identify and create action plans
for achieving the organization’s target cybersecurity posture
based on organization and industry-specific goals, legal
requirements, and best practices. The Implementation Examples
further provide organizations with detailed guidance on implementing
the subcategories within each core function.

The public may submit feedback on this latest draft to
[email protected] until Friday, November 4, 2023. NIST
intends to publish the final version in early 2024 without
releasing another draft of the Framework for further comment. Also,
NIST announced that it will discuss the updated version at a
workshop on September 19-20, 2023, during which the public will
have another opportunity to provide feedback. Businesses,
particularly those that are (or may be) contractually subject to
the existing Framework, should perform a gap analysis of their
security programs to evaluate what adjustments, if any, may be
needed to comply with Framework 2.0. The results of that analysis
may also inform comments submitted to NIST.

Additional information regarding the NIST Framework 2.0 may be
found here: NIST Drafts Major Update to Its Widely Used
Cybersecurity Framework.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.


