September 18, 2023 By Sue Poremba 4 min read

The NIST Cybersecurity Framework (CSF) 2.0 is moving into its final stages ahead of its planned 2024 release. With the public comment period on the discussion draft closed in May, it is time to look at what to expect from the changes to the guidelines.

The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, speaking at the 2023 RSA Conference. That alignment positions the new CSF as a tool for building risk management strategies.

When used as a risk management resource, the CSF can be applied in the context of the National Cybersecurity Strategy’s five pillars, Pascoe said. Those pillars are:

  • Defend critical infrastructure
  • Disrupt and dismantle threat actors
  • Shape market forces to drive security and resilience
  • Invest in a resilient future
  • Forge international partnerships to pursue shared goals.

One of the main goals of CSF is to allow organizations to build their cybersecurity strategy by identifying risk and improving the process of risk management. The updated framework will emphasize improved risk management — crucial in the modern cybersecurity landscape.

Governance Function

The original CSF has five functions: identify, protect, detect, respond and recover. CSF 2.0 will add a sixth function: govern.

This one function elevates the importance cybersecurity risk management plays in business and compliance outcomes. The governance function will focus on policies and procedures and security team roles and responsibilities. The desired outcome is for organizations to assess and prioritize risk based on policies and then define the responsibilities of team members in addressing potential threats.

The govern function includes a category focused on risk management strategy. In previous versions of the CSF, risk management was covered under a different function (identify); it now sits more completely under the govern function in its own category, with its own set of subcategories. The discussion draft of CSF 2.0 lists the following outcomes:

  • GV.RM-01: Cybersecurity risk management objectives are established and agreed to by organizational stakeholders.
  • GV.RM-02: Cybersecurity supply chain risk management strategy is established, agreed to by organizational stakeholders and managed.
  • GV.RM-03: Risk appetite and risk tolerance statements are determined and communicated based on the organization’s business environment.
  • GV.RM-04: Cybersecurity risk management is considered part of enterprise risk management.
  • GV.RM-05: Strategic direction describing appropriate risk response options, including cybersecurity risk transfer mechanisms (e.g., insurance, outsourcing), investment in mitigations and risk acceptance, is established and communicated.
  • GV.RM-06: Responsibility and accountability are determined and communicated for ensuring that the risk management strategy and program are resourced, implemented, assessed and maintained.
  • GV.RM-07: Risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks.
  • GV.RM-08: Effectiveness and adequacy of cybersecurity risk management strategy and results are assessed and reviewed by organizational leaders.

GV.RM-05 through 08 are new additions to CSF 2.0, created for this new function.

Leadership

Well-defined leadership roles go hand-in-hand with the governance function. Under its roles and responsibilities category, subcategory GV.RR-01 states, “Organizational leadership takes responsibility for decisions associated with cybersecurity risks and establishes a culture that is risk-aware, behaves in an ethical manner and promotes continuous improvement.”


Supply Chain

The supply chain and its security risk have been a hot topic for a while. CSF 1.1, released in 2018, added a supply chain risk management category (ID.SC) to the framework. In CSF 2.0, that guidance is expanded and, as GV.RM-02 above shows, supply chain risk management becomes a governance-level concern. This follows other government initiatives to add more security to the supply chain. Although the CSF itself does not prescribe specific controls for managing supply chain risk, the accompanying implementation examples and profiles are expected to illustrate common supply chain risks and the outcomes designed to address them.

Risk Management Tiers

These expected changes and updates to the CSF will also sharpen the four framework implementation tiers, which NIST defines as “a lens through which to view the characteristics of an organization’s approach to risk — how an organization views cybersecurity risk and the processes in place to manage that risk.”

The tiers describe four progressively more mature levels of an organization’s risk management program: partial, risk-informed, repeatable and adaptive. They measure how well the organization integrates its cybersecurity risk decisions into overall business risk management. The tiers also consider how the organization shares risk information with external parties such as suppliers and partners.

Organizations self-assess their position on this risk management journey. Each one selects the tier that best describes its current risk governance practices and business goals. However, the tiers are not simply a maturity rating. Rather, they let the organization take a broader view of its overall cybersecurity risk tolerance. As the organization applies the framework, it can document a current profile and develop a target profile to strive for.

How Will CSF 2.0 Continue to Evolve?

CSF 2.0 puts a stronger emphasis on risk management. By emphasizing supply chain risk and security, it also follows guidance released by other parts of the federal government. On the surface, it looks like there is finally cohesion in the U.S. cybersecurity approach, with cybersecurity risk management carving out a clear niche across government agencies and private industry.

This doesn’t mean that CSF 2.0 is perfect. There are risk areas that still need attention, such as the governance of remote work. Risk management standards aren’t designed to address fully remote or hybrid workforces.

And just as CSF 2.0 has recognized that supply chain security is adding higher levels of risk to organizations, it needs to step up to address the burgeoning threats from artificial intelligence, specifically generative AI. Generative AI exploded onto the scene after the CSF 2.0 process was well underway; now, it is impossible to ignore.

Perhaps it is too late to provide clear guidance around AI’s potential risk and offer a security framework, but it can’t be set aside for too long. The threat potential is looming, and organizations will soon be looking for guidelines on how to manage risks introduced by this new technology.
