by Avi Gesser, Erez Liebermann, Michael R. Roberts, HJ Brehmer, and Annabella M. Waszkiewicz
On February 26, 2024, the National Institute of Standards and Technology (“NIST”) announced the release of Version 2.0 of the Cybersecurity Framework (“Version 2.0” or the “Framework”). We previously wrote about proposed changes to the Framework, which has become an important industry standard for assessing cybersecurity maturity of organizations and managing cybersecurity risk. Version 2.0’s enhanced guidance, and particularly its additional governance section, should be interesting to counsel as a helpful tool for mapping to new legal requirements from regulators such as the Securities and Exchange Commission (“SEC”), New York Department of Financial Services (“NYDFS”), and the Commodity Futures Trading Commission (“CFTC”).
This is the first significant update since the Framework’s creation in 2014. The Framework’s core is organized into six key functions: Identify, Protect, Detect, Respond, Recover, and the newly added Govern function. NIST has also created a Version 2.0 Resource Center that includes quick start guides, profiles, and informative references (mappings) for companies to review as they review and assess their programs. Although the Framework is a voluntary risk management framework, regulators, insurers, and policymakers have leveraged it to assess organizations’ security measures.
In this post, we discuss the major changes in Version 2.0 and its potential impact for companies that rely on the Framework for maturity benchmarking and cybersecurity risk assessments.
Major Changes to the CSF
The most significant changes reflected in Version 2.0 of the Framework include:
- Expanded Coverage. The Framework’s title has been changed from “Framework for Improving Critical Infrastructure Cybersecurity” to “Cybersecurity Framework,” consistent with the Framework’s already widespread use and signaling the intent to expand the Framework beyond the cybersecurity risks applicable to critical infrastructure. Version 2.0 applies to organizations of “all sizes and sectors,” including industry, government, academic, and nonprofit.
- Spotlight on Governance. The new “Govern” function in Version 2.0 highlights the importance of governance activities in the inclusion of cybersecurity into organizations’ broader enterprise risk management strategies. With respect to governance issues, Version 2.0 primarily focuses on (i) understanding organizational context; (ii) establishment of cybersecurity strategy and cybersecurity supply chain risk management; (iii) roles, responsibilities, and authorities; (iv) policy; and (v) oversight of cybersecurity strategy.
Several key, net-new items in the “Govern” function are particularly worthy of mention. For example, in the “Risk Management Strategy” category, one subcategory indicates that cybersecurity risk management activities and outcomes should be included in enterprise risk management processes while another encourages companies to establish and communicate a “standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks.” Taken together, these new items suggest an increased expectation that companies are documenting and discussing cybersecurity risks more comprehensively.
Relatedly, the “Roles, Responsibilities, and Authorities” category notably declares that “organizational leadership is responsible and accountable for cybersecurity risk.” More specifically, one of the implementation examples specifically highlights the role of the board of directors, exemplifying a broader expectation that senior leadership at the highest level has a role in managing cybersecurity risk throughout the organization. We have written about this broader expectation of executive engagement in various contexts, including the new SEC cybersecurity rules for issuers as well as the final amendments to the NYDFS cybersecurity rules. The Federal Trade Commission also considers NIST to be a key standard for companies’ cybersecurity posture.
Version 2.0’s focus on governance further promotes alignment of cybersecurity activities with enterprise risks and legal requirements. The Govern function is also consistent with the Govern function in NIST’s draft AI Risk Management Framework and the Privacy Framework.
- Enhanced Guidance on Supply Chain Risks. Version 2.0 emphasizes the “complex, globally distributed, extensive, and interconnected supply chain ecosystem” in which many organizations operate alongside various stakeholders. Against this backdrop, Version 2.0 discusses the importance of supply chain risk management (“SCRM”) and cybersecurity SCRM (“C-SCRM”) and groups outcomes related to these issues under its new “Govern” function. This increased focus on supply chain risks and its inclusion in the “Govern” function, underscores NIST’s focus on incorporating key cybersecurity risks into broader, enterprise-level decision-making.
- Heightened Focus on Internal Reviews. Several items demonstrate NIST’s focus on how to handle results following internal reviews, an issue which directly intersects with the above discussion regarding increased documentation of risks. For example, the “Risk Assessment” category encourages companies to choose, prioritize, plan, track, and communicate risk responses, while the “Improvement” category indicates that companies should identify improvements from security tests, exercises, and the execution of operational processes, procedures, and activities. Examples accompanying the “Improvement” category reference annual review of cybersecurity policies and procedures, reflecting regulators’ increased expectation that companies regularly review their cybersecurity policies and incorporate the results of those reviews into their broader security programs.
- Expanded Online Resources. Version 2.0 also references three supplemental online resources meant to help organizations understand, adopt, and utilize the Framework. To assist organizations with their maturity journey, NIST offers Quick Start Guides (“QSGs”) that are part of an expanding collection of its online resources meant to complement the CSF and provide additional guidance. Alongside the QSGs, NIST provides Implementation Examples and Informative References that provide potential ways to achieve each outcome and highlight sources of guidance. NIST also published Organizational Profiles to help “organizations to compare where they are versus where they want or need to be” to maximize implementation and assessment of security controls.
Key Takeaways
- Benchmark for Regulatory Expectations. The SEC and FTC, among other regulators, have historically leveraged the Framework in measuring expectations for regulated entities. While the Framework is voluntary, it is likely that regulators will begin to assess entities’ cybersecurity compliance posture against the updated Framework outlined in Version 2.0 and its associated resources. This is especially likely given the alignment between Version 2.0’s guidance and the priorities in the SEC and NYDFS cybersecurity rules, as well as other regulations such as the CFTC’s proposed rulemaking for operational resilience. Version 2.0’s new Govern function emphasizes the importance of understanding and managing legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, and Legal and Compliance departments will benefit from mapping the Framework against such requirements. To the extent that such mapping identifies areas for enhancement, NIST’s new Implementation Examples will equip organizations to more effectively and efficiently apply Version 2.0 of the Framework. As companies conduct assessments leveraging Version 2.0, companies should consider reviewing the Implementation Examples and assess the extent to which their policies and procedures align.
- Increased Expectation of Documentation around Risk. Version 2.0’s new Govern function suggests an increased expectation for companies to document risk, presenting important regulatory and litigation issues for companies to consider as they determine the best way to maintain records of cybersecurity-related risks. These updates therefore highlight the ever-increasing role of companies’ Legal and Compliance departments in managing and mitigating cybersecurity risks. Legal and Compliance departments should be engaged before any such documentation is created in order to ensure that cybersecurity risks are documented in a manner consistent with the company’s regulatory and litigation risk. Even when a risk assessment or penetration test is not conducted under privilege, Legal and Compliance play a key role in proactively mitigating scrutiny that a company may receive following a future cybersecurity incident.
- Mapping against Established Frameworks. Companies mapping to other cybersecurity frameworks, such as the Cyber Risk Institute (“CRI”) Profile, may want to consider potential overlaps with Version 2.0. NIST and the creators of peer assessment frameworks have helpfully released mapping tools detailing where there is considerable overlap between Version 2.0 and other commonly leveraged frameworks. Companies that rely on the CRI Profile, for example, may already be aligned with many of Version 2.0’s requirements. There are differences between other frameworks and Version 2.0, so companies should consider evaluating any overlap and, as needed, supplementing their policies and procedures to account for any net new or key items of Version 2.0.
- Public Disclosures, Statements, and Marketing Materials. Version 2.0’s potential regulatory implications stress the importance of ensuring that public-facing statements align with an organization’s actions taken with respect to cybersecurity. Companies should ensure that when outward-facing disclosures or statements are made, it is clear that those communications are fully substantiated. Regulators have, and likely will continue to, assess companies’ public disclosures and statements regarding alignment or compliance with industry standards (e.g., the Framework) and whether those companies have followed through with their assertions.
Avi Gesser and Erez Liebermann are Partners, Michael R. Roberts and HJ Brehmer are Associates, and Annabella M. Waszkiewicz is a Law Clerk at Debevoise & Plimpton LLP.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).