Key Takeaways: The National Institute of Standards and Technology (“NIST”) updated its Cybersecurity Framework this year so that it applies to all organizations (rather than solely to businesses that deal with critical infrastructure). In expanding the scope of its guidance, the framework provides a new suite of resources for such organizations to utilize in order to evaluate existing cybersecurity posture and implement changes where necessary. All organizations now have a resource upon which they can rely to better understand and manage their cybersecurity risks.

On February 26, 2024, the National Institute of Standards and Technology (“NIST”) published the long-awaited updated version of its Cybersecurity Framework (“CSF”), Version 2.0. This publication comes nearly 10 years after NIST published the initial CSF Framework in 2014. As such, a host of changes are included in this newly released version.

As background, in 2013, then President Obama issued an executive order calling for the development of a voluntary risk-based set of industry standards and best practices to help organizations manage cybersecurity risks. This resulted in NIST creating Version 1.0 of the CSF. This initial version of CSF was limited in scope. The executive order initially called for the management of cybersecurity risks of the United States’ “critical infrastructure.” Therefore, the initial version of the CSF only addressed organizations operating in industries that were considered “critical infrastructure.”

Version 2.0 Key Components

Version 2.0 of the CSF includes the same foundational pillars and components from Version 1.0, but makes certain modifications to the CSF’s scope, core functions, and guidance for the CSF’s use.

Expanded Scope

Version 2.0 provides guidance that can be utilized by organizations of all sizes, sectors, and maturity levels. There was a clear emphasis when drafting Version 2.0 for cybersecurity risks to be evaluated, managed, and reduced, no matter the technical sophistication of the organization utilizing the CSF. With Version 2.0, organizations ranging from large to small can use the CSF to address their cybersecurity posture no matter the organization’s industry.

Introduction of the Govern Function

The CSF had already established addressing cybersecurity risks through the following five pillars: identify; protect; detect; respond; and recover. These five components made up the original “CSF Core Functions,” which help organizations organize cybersecurity outcomes at their highest level. Version 2.0 adds an additional Core Function, the “Govern” function.

The Govern function emphasizes governance-related outcomes which includes addressing cybersecurity risk management strategy, expectations, and policies. Essentially, the Govern function is the foundational pillar that helps address the other CSF Core Functions previously provided in Version 1.0. As stated in the CSF, “[t]he Govern Function provides outcomes to inform what an organization may do to achieve and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder expectations.” Version 2.0 clearly puts an emphasis on an organization’s governance activities with regard to cybersecurity risk.

Expanded Guidance

Notably, Version 2.0 added a host of additional online resources that complement the CSF document itself to assist organizations in implementing the content of the CSF. Specifically, NIST has included a new series of “Quick Start Guides” (“QSG”). These QSGs identify specific stakeholders to assist them in initial ways to use and implement the CSF. For example, current QSGs target small businesses, businesses that acquire and supply technology products, and enterprise risk management practitioners. In addition, Version 2.0 also provides new reference tools to access and view the CSF Core Functions in a variety of ways and new implementation examples are provided which detail steps organizations can take to achieve CSF specific outcomes.

Voluntary but Necessary

The CSF is a voluntary framework; however, the current cybersecurity climate likely necessitates review of the CSF so that organizations can better understand and address such risks. Cybersecurity risks are constantly evolving and managing these risks is a continuous process.

Failing to manage these risks can lead to disastrous outcomes and the federal government is beginning to take aggressive stances against organizations that fail to address these risks. For example, in October 2023, the Securities and Exchange Commission (“SEC”) announced charges against software company SolarWinds Corporation and its chief information security officer for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. Specifically, the SEC alleged that SolarWinds overstated its cybersecurity practices and understated or failed to disclose known cybersecurity risks.

Furthermore, virtually every day a new cyberattack is revealed in the news and has an impact on companies both large and small. Recent examples include AT&T’s breach affecting 73 million current and former account holders, and the attack on Change Healthcare, which has created significant issues within the healthcare industry.

The examples above show the importance of addressing and understanding cybersecurity risks affecting an organization. Organizations should strive to utilize the more accessible CSF in order to appropriately manage and address cybersecurity risks that are particular to that organization.

If you have questions regarding your business’ current cybersecurity risk posture or how to begin to manage current cybersecurity risks, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area.

_{This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.}