September 18, 2023 By Sue Poremba 4 min read

The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines.

The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to build risk management strategies.

When used as a risk management resource, the CSF can be applied in the context of the National Cybersecurity Strategy’s five pillars, Pascoe said. Those pillars are:

  • Defend critical infrastructure
  • Disrupt and dismantle threat actors
  • Shape market forces to drive security and resilience
  • Invest in a resilient future
  • Forge international partnerships to pursue shared goals.

One of the main goals of CSF is to allow organizations to build their cybersecurity strategy by identifying risk and improving the process of risk management. The updated framework will emphasize improved risk management — crucial in the modern cybersecurity landscape.

Governance Function

The original CSF has five functions: identify, protect, detect, respond and recover. CSF 2.0 will add a sixth function: govern.

This one function elevates the importance cybersecurity risk management plays in business and compliance outcomes. The governance function will focus on policies and procedures and security team roles and responsibilities. The desired outcome is for organizations to assess and prioritize risk based on policies and then define the responsibilities of team members in addressing potential threats.

The govern function includes a section focused primarily on risk management. Whereas in previous versions of the CSF, risk management was covered under a different function (identify), it is now covered more entirely under the govern function with its own subcategory. The discussion draft version of CSF 2.0 lists the following directives:

  • GV.RM-01: Cybersecurity risk management objectives are established and agreed to by organizational stakeholders.
  • GV.RM-02: Cybersecurity supply chain risk management strategy is established, agreed to by organizational stakeholders and managed.
  • GV.RM-03: Risk appetite and risk tolerance statements are determined and communicated based on the organization’s business environment.
  • GV.RM-04: Cybersecurity risk management is considered part of enterprise risk management.
  • GV.RM-05: Strategic direction describing appropriate risk response options, including cybersecurity risk transfer mechanisms (e.g., insurance, outsourcing), investment in mitigations and risk acceptance, is established and communicated.
  • GV.RM-06: Responsibility and accountability are determined and communicated for ensuring that the risk management strategy and program are resourced, implemented, assessed and maintained.
  • GV.RM-07: Risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks.
  • GV.RM-08: Effectiveness and adequacy of cybersecurity risk management strategy and
    results are assessed and reviewed by organizational leaders.

GV.RM-05 through 08 are new additions to CSF 2.0, created for this new function.

Leadership

Well-defined leadership roles go hand-in-hand with the governance function. Under its roles and responsibilities section, standard GV.RR-01 states, “Organizational leadership takes responsibility for decisions associated with cybersecurity risks and establishes a culture that is risk-aware, behaves in an ethical manner and promotes continuous improvement.”

Learn more on cyber risk management

Supply Chain

The supply chain and its security risk have been a hot topic for a while. A few years ago, NIST added guidelines around supply chain security to the CSF. In CSF 2.0, the guidelines will be expanded to cover supply chain risk management. This follows other government initiatives to add more security to the supply chain. Although the CSF hasn’t offered specific parameters for risk management of the supply chain, different scenarios will likely provide examples of risks and functions designed to address threats.

Risk Management Tiers

These probable changes and updates to CSF will enhance the four framework implementation tiers, which NIST defines as “a lens through which to view the characteristics of an organization’s approach to risk — how an organization views cybersecurity risk and the processes in place to manage that risk.”

The tiers cover four different levels of an organization’s risk management program: partial, risk-informed, repeatable and adaptive. The tiers measure how the organization integrates its decisions around cybersecurity risk into overall business risks. The framework implementation also looks at how the company shares risk information with third parties.

Organizations self-govern their risk management journey. They determine the tier that best fits the current risk governance levels that meet business goals. However, these tiers aren’t just a definition of cybersecurity maturity. Rather, they allow the company to take a broader view of its overall cybersecurity risk tolerance. As the organization follows the framework, it can build a risk profile and develop a target profile to strive for.

How Will CSF 2.0 Continue to Evolve?

The updated CSF 2.0 puts a stronger emphasis on risk management. By emphasizing supply chain risk and security, it also follows guidelines released by other areas of the federal government. On the surface, it looks like there is finally cohesiveness in the U.S.’s cybersecurity approach, particularly carving a niche for cybersecurity risk management across government agencies and private industries.

This doesn’t mean that CSF 2.0 is perfect. There are risk areas that still need attention, such as the governance of remote work. Risk management standards aren’t designed to address fully remote or hybrid workforces.

And just as CSF 2.0 has recognized that supply chain security is adding higher levels of risk to organizations, it needs to step up to address the burgeoning threats from artificial intelligence, specifically generative AI. Generative AI exploded onto the scene after the CSF 2.0 process was well underway; now, it is impossible to ignore.

Perhaps it is too late to provide clear guidance around AI’s potential risk and offer a security framework, but it can’t be set aside for too long. The threat potential is looming, and organizations will soon be looking for guidelines on how to manage risks introduced by this new technology.

More from Government

Updated SBOM guidance: A new era for software transparency?

3 min read - The cost of cyberattacks on software supply chains is a growing problem, with the average data breach costing $4.45 million in 2023. Since President Biden’s 2021 executive order, software bills of materials (SBOMs) have become a cornerstone in protecting supply chains.In December 2023, the National Security Agency (NSA) published new guidance to help organizations incorporate SBOMs and combat the threat of supply chain attacks.Let’s look at how things have developed since Biden’s 2021 order and what these updates mean for…

Roundup: Federal action that shaped cybersecurity in 2023

3 min read - As 2023 draws to a close, it’s time to look back on our top five federal cyber stories of the year: a compilation of pivotal moments and key developments that have significantly shaped the landscape of cybersecurity at the federal level.These stories highlight the challenges federal agencies faced in securing digital infrastructure in the past year and explore the evolving nature of cyber threats, as well as the innovative responses required to address them.New White House cybersecurity strategyThe White House’s…

ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware

12 min read - As of December 2023, IBM X-Force has uncovered multiple lure documents that predominately feature the ongoing Israel-Hamas war to facilitate the delivery of the ITG05 exclusive Headlace backdoor. The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers. ITG05’s infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign. X-Force tracks ITG05 as…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today