Risk assessments are an essential part of a robust cybersecurity program. To benchmark their cybersecurity risk assessments and maturity reviews, companies often turn to recognized industry standards such as the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF” or “the Framework”). In this Debevoise Data Blog post, we discuss the proposed changes to the Framework and offer takeaways for companies that use the Framework for cybersecurity risk assessments.
Last updated in 2018, the Framework outlines best practices for reducing cybersecurity risk and has become the standard for assessing cybersecurity maturity in organizations of all sizes. While use of the CSF is voluntary for most organizations, regulators, insurers, and policymakers have viewed the Framework as one way to assess whether an organization has reasonable security in place.
In January 2023, NIST published a concept paper that details the most significant changes NIST is considering for the CSF 2.0 update. The proposed changes are based on feedback NIST has received from industry and other stakeholders over an extended period, including through its Cybersecurity RFI, which drew 134 responses, and its Workshop on CSF 2.0, which brought together more than 4,000 participants from more than 100 countries. The Concept Paper invites feedback on these proposed changes, as well as on the existing Framework in general. Comments should be submitted to NIST by March 3, 2023. After reviewing feedback on the Concept Paper and considering insights gained from the workshops, NIST intends to release its draft CSF 2.0 in the coming months for a 90-day public review.
Proposed changes to the CSF
The most significant changes proposed to the framework in the Concept Paper are:
- Extended coverage. The title will likely change from “Framework for Improving Cybersecurity of Critical Infrastructure” to “Cybersecurity Framework”, signaling the CSF’s expansion from addressing critical infrastructure cybersecurity risks to broad application across government organizations, industry and academia, regardless of size, sector or jurisdiction.
- Focus on governance. Perhaps the most significant change proposed to the Framework is the introduction of a “Govern” function, which emphasizes that cybersecurity governance is essential to managing and reducing cybersecurity risk. The governance content currently spread across the Framework would be moved into the new function. Under the proposal, cybersecurity governance may include the following elements:
  - determining organizational, customer and societal priorities and risk tolerances;
  - cybersecurity risk and impact assessment;
  - establishment of cybersecurity policies and procedures; and
  - understanding of cybersecurity roles and responsibilities.
According to NIST, these activities are essential for detecting, responding to, and recovering from cybersecurity risks across the organization, as well as for overseeing others who conduct cybersecurity activities on the organization’s behalf. Elevating governance to a CSF function would also help align cybersecurity activities with business risks and legal requirements. A cross-cutting governance function is also consistent with the governance function in NIST’s AI Risk Management Framework and its Privacy Framework.
- Improved guidance on supply chain risks. Respondents to NIST’s Cybersecurity RFI agreed that supply chains and third parties are a major cybersecurity risk. CSF 2.0 will spell out the importance of organizations identifying, assessing and managing these risks, which may involve separate assessment and monitoring, often handled by stakeholders outside the internal cybersecurity team. NIST believes that CSF 2.0 should include additional cybersecurity supply chain risk management (“C-SCRM”) outcomes to help organizations address these distinct risks, and it invites comments on several proposals for better integrating C-SCRM into other aspects of the Framework.
Key points to remember
- More accessible: With the new Govern function and the increased focus on third parties, NIST CSF 2.0 is an excellent resource for all departments. The new modules make the Framework more accessible and useful to other business functions and to management. These proposed changes are timely, given that the proposed amendments to the NYDFS Cybersecurity Regulation (Part 500), the CISA Performance Goals and the SEC’s proposed rules for registered investment advisers all contain significant cybersecurity governance requirements.
- Role of legal and compliance: CSF 2.0 (even more than 1.0) identifies a greater role for legal and compliance in managing cybersecurity risks. With the addition of the new module and the focus on third parties, legal and compliance teams should consider mapping CSF 2.0 to the regulations that apply to them. For those in financial services, the Cyber Risk Institute has already done much of this work by adding such modules to its own framework. Companies can, for example, consult “the Profile” developed by the Cyber Risk Institute, which maps regulations onto an extended NIST framework. The mapping exercise brings legal, compliance and information security teams together and allows them to collaborate within the updated Framework.
- Risk assessments: The SEC’s proposed rules for public companies may drive greater involvement of senior management and the board of directors in cybersecurity risk management by requiring companies to publicly disclose these aspects of cybersecurity governance. The proposed amendments to the NYDFS Cybersecurity Regulation do the same. With the new modules, NIST CSF 2.0 will offer a very useful framework for performing a risk assessment. Whether carried out in-house or with external vendors who can provide expertise and benchmarking, the results of the risk assessment can form the basis for a board presentation and a cybersecurity maturity strategy.