Several major changes are being proposed, including an expanded scope of applicability, the addition of a new function, and more guidance on implementing the CSF.
In this month’s Insight, we discuss the proposed changes and amendments:
- Addition of the ‘GOVERN’ Function: This addition ensures an increased focus on security governance and risk management across all the functions.
- Wider Applicability: The framework’s scope is widened beyond the original focus on critical infrastructure.
- Focus on Supply Chain Risk Management: This shift is prompted by recent high-profile breaches related to suppliers and third parties.
- Enhanced Implementation Guidelines: The use of Profiles, based on industry and business size, is emphasised to tailor the framework to specific needs.
- More Guidance on Measuring Cybersecurity Risk: Additional insights and guidance are provided to help organisations better measure their cyber security risk.
The NIST Cyber Security Framework (CSF) is a comprehensive guideline designed to assist organisations in managing and enhancing their cybersecurity posture.
It offers a flexible and risk-based approach, enabling organisations to identify, protect, detect, respond to, and recover from cybersecurity threats and incidents.
The current CSF (1.1), developed in 2018, required updating to align with modern technology and the evolving threat landscape. NIST has released a proposed draft of 2.0 for public comment. We discuss notable proposed changes below.
Major proposed changes in the CSF 2.0:
1. Addition of the ‘GOVERN’ function.
NIST has introduced the ‘GOVERN’ function to complement the existing functions, which include IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER. The GOVERN function assumes a central role in CSF 2.0, as it spans other established functions, emphasising the critical importance of cyber security governance in the management and reduction of cyber security risk.
Categories related to governance from the previous version have been transitioned into the new GOVERN function. For instance, Risk Management Strategy (formerly ID.RM) and Policies, Processes, and Procedures (formerly ID.GV-01) are now part of the new GOVERN function.
The incorporation of a pervasive GOVERN function aligns CSF 2.0 with other existing or proposed frameworks, such as the Privacy Framework and the draft AI Risk Management Framework.
2. Changes to scope and applicability
The CSF was initially focused on cyber security risks within critical infrastructure.
However, NIST has acknowledged the widespread applicability and adoption of the framework. CSF 2.0 incorporates recognition of the framework’s broad and international use. Specific changes include alterations to the descriptions of categories and sub-categories.
The updated name of the framework also mirrors this shift, as it is now simply referred to as the “Cybersecurity Framework” instead of its original title, “Framework for Improving Critical Infrastructure Cybersecurity.”
3. Greater focus on Supply Chain Risk Management
Considering the significant increase in recent cyber security incidents associated with third-party security, it comes as no surprise that Supply Chain Risk Management takes a more prominent role in version 2.0.
Within the GOVERN function, NIST has introduced a new category dedicated to supply chain risk management, featuring ten sub-categories that provide more comprehensive requirements aimed at enhancing organisations’ protection against supply chain attacks.
The changes in supply chain risk management in 2.0 include the necessity to plan and conduct due diligence on suppliers before establishing formal supplier relationships, along with improved integration of supply chain risk management into broader enterprise risk management processes. This thematic focus mirrors the direction of regulatory requirements such as DORA.
4. Extended guidance on implementation of CSF 2.0 and the use of Profiles
The Framework guidance for Profiles has undergone significant revisions and expansions to assist organisations in better tailoring cyber security priorities for specific use cases or industries.
NIST is in the process of developing an optional basic template for CSF Profiles which proposes a structured format and provides guidance on the essential elements to be incorporated into Profiles. It’s important to note that organisations will retain the flexibility to employ different formats for their Profiles, aligning them with their unique needs and circumstances.
As part of CSF 2.0, implementation examples for each of the subcategories will also be documented to provide more context and guidance for organisations to implement the framework.
Below is an example of implementation guidance for Data Security:
The draft of the framework is currently open for public comment, with NIST looking to release the final updated version in early 2024.
We recommend organisations take the following steps to prepare their current approach to security for the proposed changes:
- Determine how and if existing maturity scores can be transferred into the new framework or prepare to conduct a new baseline assessment in early 2024.
- Identify any KPIs or KRIs developed based on CSF 1.1 which will have to be redefined for 2.0.
- Notify and educate Management or the Board of the changes so that they are prepared for any changes in reporting or KPIs and KRIs.
- Discuss the changes with any MSSPs (Managed Security Service Providers) that may provide reporting or metrics based on the CSF.
- Engage Procurement to discuss the potential changes to requirements for supply chain management.
Follow ThreeTwoFour on LinkedIn for the latest trends and updates, and subscribe to our newsletter to join our InfoSec Leaders Events.