What is the CSF and why is it important?
The CSF, first published in 2014 and last updated in 2018, is a set of guidelines developed by NIST for understanding, managing, reducing and communicating cybersecurity risks. The CSF is used broadly within the federal government (and its contractors) and, although it is voluntary for the private sector, it has been yielding more influence throughout industry. Businesses may view the CSF as an important baseline for cybersecurity program measurement and a helpful tool in managing cybersecurity risks. Board members are increasingly encouraged to seek updates on the state of management’s cybersecurity program through the lens of the CSF – and in particularly, publicly traded companies in the US may look to the CSF to help explain their cybersecurity program and risk management activities in response to the new SEC final rule. Courts may use the CSF to inform the applicable standard of care for certain organizations, and some regulators have mapped their own cybersecurity rules to the CSF.
NIST’s release of the draft CSF 2.0 is the final opportunity for interested parties to submit feedback on the text before the document is finalized in early 2024. See our previous discussion on NIST’s Journey to CSF 2.0.
What is changing?
NIST has released a draft Version 2.0 of the CSF which makes updates to Version 1.1 based on feedback from industry stakeholders, nonprofits, government, individuals, and academics. A summary of the changes follows.
-
Emphasis on cybersecurity governance, cybersecurity supply chain risk management, and recovery.
-
The CSF previously described the main pillars of a successful and holistic cybersecurity program using five main functions: identify, protect, detect, respond and recover. The draft adds a sixth function, the govern function, which covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy.
-
Updated guidance reflects the latest NIST guidance and practices related to cybersecurity supply chain risk management and secure software development.
-
The recovery function has had several new subcategories regarding backups and restoration activities.
-
The focus on people, process, and technology is expanded throughout the implementation of the CSF.
-
Additional guidance on CSF implementation and tailoring for risk.
-
The draft provides improved and expanded guidance on implementing the CSF, especially for creating profiles, which tailor the CSF for particular situations.
-
The draft also includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, use the CSF effectively.
-
One theme in both the revised and new controls is that CSF 2.0 features "risk acceptance" explicitly stated and greater discussion of "risk prioritization" and using safeguards "commensurate with risk."
-
Additional information on cybersecurity measurement and assessment.
-
Version 2.0 clarifies the Framework implementation tiers to focus on cybersecurity governance, risk management, and third-party considerations.
-
The importance of continuous improvement is emphasized through a new Improvement Category in the Identify Function, as well as improvements in guidance on developing and updating Profiles and action plans.
-
References to related documents and resources.
-
NIST added internal references to the recent external publications including the NIST Privacy Framework, NICE Workforce Framework for Cybersecurity, Secure Software Development Framework, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, Performance Measurement Guide for Information Security, Integrating Cybersecurity and Enterprise Risk Management series, and the Artificial Intelligence Risk Management Framework.
-
Expanded geographic scope.
NIST has also released a CSF 2.0 Reference Tool, a resource that enables users to further explore the draft CSF 2.0 Core. The tool allows users to view and export portions of the Core using key search terms, and as NIST continues to add features to this tool in the coming months, it will enable users to create their own version of the Core with selected Informative References.
Next steps
NIST has requested feedback on the draft CSF 2.0, specifically on whether the draft (1) addresses organizations’ current and anticipated future cybersecurity challenges; (2) aligns with leading cybersecurity practices and guidance resources; and (3) reflects public feedback provided on the CSF so far. NIST also requests ideas on how to best manage the transition from Version 1.1 to Version 2.0 and encourages suggestions for improvements to the draft. NIST also released a separate discussion draft of the Implementation Examples included in the CSF 2.0 Draft Core. Comments on this draft are also due November 4, 2023. In addition, NIST will host a workshop on the draft on September 19-20, 2023, with options for virtual and in-person attendance.
This is the last opportunity to provide written input on Version 2.0, as NIST has stated that it has no plans to release another draft for comment. Stakeholders and interested parties can submit comments via cyberframework@nist.gov on or before Friday, November 4, 2023. All comments will be posted publicly on NIST’s CSF Version 2.0 webpage. NIST expects to release the finalized CSF Version 2.0 in early 2024.
Organizations are well advised to consider how the CSF updates may affect their own cybersecurity program assessment, evaluation, and reporting efforts, including in Board-level communications around the strength and maturity of the cybersecurity program and associated controls.
Authored by Paul Otto, Katy Milner, Stacy Hadeka, Dan Ongaro, and Ashley Mills.
