Now is the time for organizations to evaluate how proposed changes to the CSF may impact their business, and gear up for engagement with NIST as it continues its journey to finalize version 2.0.
Overview of the Cybersecurity Framework
The CSF, first published in 2014 and last updated in 2018, provides guidance to organizations on understanding, managing, reducing and communicating cybersecurity risks. The CSF is a living document containing a set of guidelines developed by NIST for handling organizational cybersecurity risks. The Cybersecurity Framework was developed in response to the 2013 Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity (Feb. 12, 2013). NIST issued Version 1.0 of the CSF in February 2014 after receiving extensive input from the private sector. The latest official version of the CSF, Version 1.1, was released on April 16, 2018.
Why is the Cybersecurity Framework important?
The CSF is used broadly within the federal government, as Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (May 11, 2017), made the Framework mandatory for U.S. federal government agencies, and it has also been adopted by state and foreign governments. The CSF is voluntary for the private sector. Numerous private-sector organizations, including some of the largest companies in the US and around the world, reference or make use of the CSF (even if only as an informative resource). Businesses may view the CSF as an important baseline for cybersecurity program measurement and a helpful tool in managing cybersecurity risks. Courts may use the CSF to inform the applicable standard of care for certain organizations, and some regulators have mapped their own cybersecurity rules to the CSF.
Moreover, as the federal government increasingly leverages the CSF to protect against the growing sophistication and frequency of cyberattacks, federal agencies increasingly are holding government contractors accountable to NIST publications. For example, the U.S. Department of Defense requires contractors responsible for the safeguarding of Covered Defense Information to implement the security requirements specified by NIST Special Publication (SP) 800-171, which is a set of companion security controls to the CSF.[1] Thus, alignment with NIST publications such as the CSF is rapidly becoming a high priority for companies working with the federal government who wish to remain competitive in the federal marketplace.
Journey to CSF 2.0
The CSF was intended from the start to be a living document that evolves over time. Updates to the CSF help keep pace with technology and threat trends, integrate lessons learned, and provide a means for NIST to continue acting on feedback. In supporting these efforts, NIST is focused on CSF 2.0 and will continue to seek stakeholder feedback and host public webinars and workshops.
NIST issued a Request for Information (RFI) on February 22, 2022, that sought information to assist in evaluating and improving CSF resources. NIST compiled the feedback it received from the more than 130 RFI responses from several industry sectors, including information technology, life sciences, financial services, energy, communications, transportation, academia, and defense. NIST identified commonalities and key areas of agreement and differences, noting seven themes and 25 subthemes, including the following:
Focus on maintaining and building on the key attributes of the CSF with the update;
Align the CSF with existing efforts by NIST and others;
Offer more guidance for implementing the CSF;
Ensure the CSF remains technology neutral but can be readily applied to different technology issues – including new advances and practices;
Emphasize the importance of measurement, metrics, and evaluation in using the CSF;
Consider cybersecurity risks in supply chains in the CSF; and
Use the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to align practices and provide effective practices, guidance, and tools to bolster cybersecurity supply chain risk management.
NIST has hosted two CSF 2.0 workshops to date (the first in June 2022 and a second workshop and in-person session in February 2023). The workshops and session brought stakeholders together to learn about – and inform – NIST’s next steps for the CSF. NIST has posted a summary analysis of the first workshop. Our impression of the second workshop is that numerous key questions are being raised for NIST, including: how CSF 2.0 will integrate the new proposed Govern function; how extensively CSF 2.0 will attempt to address the broad topic of supply chain cybersecurity; and how NIST is pushing CSF 2.0 to be a more international framework, with some alignment to other leading international frameworks and standards.
As noted above, NIST will continue to seek stakeholder feedback throughout the process to update CSF 2.0.
What Is Likely to Change in Version 2.0?
The Concept Paper published earlier this year—which is open to comment until March 17, 2023—identifies potential major changes to the CSF 2.0, such as the following topics that stakeholders may wish to pay particular attention to:
Expansion to reflect intended use by organizations beyond critical infrastructure (§ 1.1);
Addition of greater specificity to guidelines on implementation by adding implementation examples and developing Profile templates (§ 3);
Addition of a new cross-cutting “Govern” Function to emphasize cybersecurity risk management governance outcomes (§ 4.1);
Expansion to cover and emphasize importance of cybersecurity supply chain risk management (C-SCRM) (§ 5); and
Addition of detail regarding organizations’ measurement and assessment of cybersecurity programs (§ 6).
As the CSF 2.0 development process gets underway, companies can expect to see renewed dialogue on whether changes to the framework structure are needed to best enable companies to respond to modern cyber threats. While some stakeholders may welcome the proposed updates to the CSF, others may be concerned that the expansion of topics and greater levels of specificity will result in less flexibility to tailor the CSF for their specific business needs and raise compliance difficulties.
Expansion of the CSF 2.0 to cover supply chain issues may also raise questions. Several federal agencies have existing initiatives on addressing supply chain cybersecurity, such as the Department of Homeland Security’s Information and Communications Technology Supply Chain Risk Management (ICT SCRM) Task Force, and organizations may desire further clarity on how another layer of guidance on this topic from NIST will integrate or relate to those other initiatives. Further, global supply chains are complex and interconnected, making it challenging to land on helpful guidelines that can be applied across diverse sectors and organizations. That being said, CSF 2.0 may help to synthesize currently disparate U.S. government efforts to provide guidance on supply chain cybersecurity.
Entities may also have significant input to help shape any new Govern Function. NIST has indicated that it intends to further define how organizations address cybersecurity governance, akin to how NIST’s recent AI Risk Management Framework and Privacy Framework tackle this cross-cutting topic, and provide guidance to support board-level cyber discussions. This would be a significant change from the current CSF’s approach that may shape how numerous regulators approach oversight of organizations’ cyber governance. For example, the SEC has proposed rules requiring disclosures of registrants’ cybersecurity governance, including the board of directors’ oversight role regarding cybersecurity risks and management’s role and expertise in assessing and managing cyber risks. Rigid expectations for cybersecurity governance may fail to account for the varied needs of diverse organizations operating in various risk environments.
Stakeholders can provide feedback on the CSF 2.0 Concept Paper until March 17, 2023 via firstname.lastname@example.org. Moreover, when NIST releases the draft of the CSF 2.0, stakeholders may wish to comment on the changes that would be helpful, or unhelpful, for their organizations. NIST will also convene a third public workshop in connection with the CSF 2.0 release, and thus active participation in this effort may help shape changes in CSF 2.0 so that they do not become the basis for unworkable regulatory rules or contracting requirements in the future. It may be prudent for legal teams in particular to evaluate how NIST’s evolving guidance on cybersecurity governance would impact their oversight and support of cybersecurity risk management, management- and board-level reporting, and cyber compliance. Consider subscribing to NIST for future CSF updates as we continue to monitor the CSF 2.0 developments. If you have questions about how CSF 2.0 may affect your company, please contact one of the authors of this alert, or the Hogan Lovells lawyer with whom you work.
Authored by Katy Milner, Paul Otto, and Stacy Hadeka.
[1] NIST has mapped the Cybersecurity Framework Subcategories to the Controlled Unclassified Information (CUI) Requirements in NIST SP 800-171. The mappings are intended to show an equivalency of requirements (in whole or in part) between the two publications.