NIST has updated its widely used Cybersecurity Framework to provide key updates and practical resources for organizations to manage and discuss cybersecurity risk. The updated framework, which remains voluntary, is designed to support organizations regardless of size, sector, jurisdiction, or maturity.
The National Institute of Standards and Technology (NIST) has published the final version of its updated foundational cybersecurity guidance, the Cybersecurity Framework (CSF) 2.0. CSF 2.0 features an expanded scope, includes a new “Govern” function, expands on supply-chain risks, and provides a library of resources to help use the framework. Organizations of all types and across all sectors can leverage the CSF 2.0 to better understand, manage, and discuss cybersecurity risk.
NIST first published the CSF in 2014 as a landmark set of guidelines for organizations to identify, assess, and manage cybersecurity risks. At the heart of the CSF is the “CSF Core,” which provides a taxonomy of cybersecurity outcomes to help organizations assess, prioritize, and communicate their cybersecurity efforts. The CSF also includes “CSF Organizational Profiles” to help organizations identify current and target states for cybersecurity outcomes, as well as “CSF Tiers” to help organizations assess cybersecurity governance and risk management practices. The CSF was updated to version 1.1 in 2018, which included incremental updates around supply chain risk management as well as new guidance on metrics and measures for a cybersecurity program.
Although originally developed in response to an executive order to improve cybersecurity for critical infrastructure, the framework is now used by organizations across sectors to measure cybersecurity program maturity and to help manage cybersecurity risks.
The CSF remains voluntary for the private sector. Many of the largest companies around the world use the CSF to structure or influence their cybersecurity programs. Leveraging the CSF is typically seen as a means to anchor a cybersecurity program to help meet a range of legal and regulatory requirements while communicating more effectively with senior management, which may reduce regulatory and litigation risks for companies that adopt it. The CSF is also increasingly used to discuss cybersecurity risk management and maturity at the board level. And, more broadly, it can provide a sound foundation for a cybersecurity program and may help to more effectively manage cybersecurity risks.
With the final version of CSF 2.0, NIST has updated the CSF’s core guidance and created a suite of additional resources to better help organizations achieve their cybersecurity goals. CSF 2.0 adds one new top-level function, 11 new categories, and 54 new subcategories, and revises a further 25 existing subcategories.
CSF 2.0 remains a voluntary standard, and leveraging it can be helpful in organizing and improving a company’s security program. Use may have benefits in terms of reducing regulatory risk, litigation risk, and the frequency and impact of cybersecurity incidents. And the U.S. government’s numerous cybersecurity-related requirements increasingly overlap with CSF components. For example:
The new Govern function may help U.S. publicly traded companies better comply with the SEC’s new cybersecurity requirements.
The CSF’s Govern function may also complement organizations’ efforts to leverage NIST’s Privacy Framework and AI Risk Management Framework, which also contain Govern functions.
As federal agencies increasingly hold government contractors accountable to NIST publications, companies in the government contracting space may benefit from alignment with the CSF, or even find that such alignment becomes a contract requirement.
The CSF’s new emphasis on supply chain risk management will also be impactful for the information technology and communications sectors, which are seeing cybersecurity supply chain risk management initiatives arise from multiple agencies such as the Federal Communications Commission and the Departments of Homeland Security and Commerce. It will be interesting to see if and how the CSF 2.0 is harmonized with other relevant workstreams—and organizations will need to consider how to meet their obligations under potentially overlapping regimes.
Organizations may want to reassess their cybersecurity programs in light of the CSF’s updated core guidance. Organizations that already leverage CSF 1.0 or 1.1 may wish to assess their program with the new standard, and organizations that do not currently base their program on any security framework may wish to consider leveraging CSF 2.0 as that standard. Organizations may wish to review the online suite of resources to better manage and communicate about their cybersecurity programs.
Organizations may review their current cybersecurity governance practices in particular, and assess their policies and practices against the outcomes described in CSF’s new Govern function. Benchmarking against the Govern function may be a helpful exercise as organizations update their cybersecurity disclosures to comply with the SEC’s cybersecurity disclosure requirements for public companies.
Finally, organizations might wish to revisit any public representations made regarding the organization’s use of the CSF and validate that such representations remain accurate and appropriately caveated. Regulators such as the FTC or SEC may scrutinize statements about CSF use and challenge them as false or misleading, particularly in the event of a cybersecurity incident.
Authored by Nathan Salminen, Paul Otto, Pete Marta, Katy Milner, Stacy Hadeka, Dan Ongaro, A.J. Santiago, and Soojin Jeong.