
NIST Releases Cybersecurity Framework Version 2.0


On August 8, 2023, the National Institute of Standards and Technology (“NIST”) released a draft of The NIST Cybersecurity Framework (CSF) 2.0 [1] (the “CSF” or “Framework”) along with a Discussion Draft of the Implementation Examples. [2] This draft makes the most significant changes to the Framework since its initial release in 2014. It follows more than a year’s worth of community feedback, with NIST issuing the first request for information on the CSF in February 2022 and a concept paper regarding potential changes in January 2023. [3] Both drafts are open for public comment until November 4, 2023. NIST announced that it plans to publish the final version in early 2024, without releasing another version for public comment.

Version 1.0 and Version 1.1 (2018) of the CSF were intended to provide critical infrastructure entities a standardized tool for managing cybersecurity risk. Version 2.0 broadens the scope of the CSF by focusing on all organizations, not just those operating in critical sectors. Indeed, “Critical Infrastructure” is dropped from the title of Version 2.0, consistent with the existing use of the CSF by companies and other entities across sectors. This updated version is designed instead to be used by organizations of all sizes, sectors, and geographical locations to help guide their cybersecurity-related decisions, “everywhere from schools and small businesses to local and foreign governments.” [4] To support this broad use, the CSF 2.0 introduces “Implementation Examples” to provide “concise, action-oriented steps” to help achieve particular outcomes in light of its guidance. [5] These Implementation Examples set out sample situations that could help an entity achieve the CSF 2.0 objectives. Under the various functions, the Implementation Examples list actions that an organization can take and concrete methods of implementation for each of those actions.

In addition, the CSF 2.0 emphasizes the role of governance in a cybersecurity program by elevating it to one of the six main “pillars” of the Framework. (The original five pillars, or core functions, that help direct cybersecurity outcomes were (1) identify, (2) protect, (3) detect, (4) respond, and (5) recover.) Although CSF 1.1 contained guidance on governance, CSF 2.0 goes into further depth on processes for establishing, communicating, and evaluating the organization’s cyber risk management strategy, including identifying roles and responsibilities as well as maintaining appropriate policies, processes, and procedures for managing cybersecurity risk.

As part of the “govern” function, the CSF 2.0 highlights the importance of supply chain risk management. The CSF 2.0 recommends that organizations establish a comprehensive supply chain risk management program that includes supplier due diligence, prioritization by criticality, considerations in the organization’s overall risk assessment and management strategies, and other steps to evaluate and monitor third-party risk.

CSF 2.0 also includes additional implementation guidance on the creation and use of “Framework Profiles” to help tailor cybersecurity priorities for specific sectors and use cases. An organization can develop or leverage NIST’s example Framework Profiles, which map the Framework to particular concerns in an industry or functional area and identify opportunities to improve an organization’s cybersecurity posture based on these key issues. The CSF 2.0 lists a step-by-step process for organizations to create and use Framework Profiles to help inform their cybersecurity strategy.

Contractors and subcontractors performing work for the federal government generally must be compliant with the CSF and other NIST cybersecurity standards, as those standards are routinely incorporated into federal contracts and grants. [6] Others in the private sector have been encouraged or required to adopt the NIST Framework to meet regulatory expectations or satisfy contractual obligations. Even though it is only voluntary for many in the private sector, the Framework has effectively become an industry standard for evaluating a cybersecurity program. Accordingly, companies across sectors would be wise to compare their current cyber risk management program against CSF 2.0, and they may wish to get ahead of the curve now by beginning a comparison with this draft version. Interested stakeholders may also consider submitting comments before the November 4, 2023 deadline.

Footnotes

1. National Institute of Standards and Technology, Public Draft: The NIST Cybersecurity Framework 2.0 (August 8, 2023).

2. National Institute of Standards and Technology, Public Draft: Implementation Examples for the NIST Cybersecurity Framework 2.0 (August 8, 2023).

3. National Institute of Standards and Technology, Cybersecurity RFI (Feb. 22, 2022); National Institute of Standards and Technology, NIST Cybersecurity Framework 2.0 Concept Paper (Jan. 19, 2023).

4. NIST, “NIST Drafts Major Update to Its Widely Used Cybersecurity Framework.”

5. National Institute of Standards and Technology, Public Draft: The NIST Cybersecurity Framework 2.0 (August 8, 2023).

6. See also NIST Special Publication 800-171 rev. 2 (Feb. 2020) (“The security requirements apply to the components of nonfederal systems that process, store, or transmit [Controlled Unclassified Information], or that provide security protection for such components.”).


© Copyright 2023. The Mayer Brown Practices. All rights reserved.
