What the NIST CSF 2.0 Requirements Mean for Businesses

February 29, 2024 | 2 min read

Jenny Dowd

Director, Product Marketing


Building upon learnings over the decade since the framework was first introduced, NIST’s CSF 2.0 emphasizes governance that will encourage organizations to prioritize cybersecurity across all operations.

The outcome of a multi-year process of discussions and public comments, CSF 2.0 aims to make the framework more effective for a broader range of organizations, providing guidance for managing and reducing risks. The core guidance has been updated and includes a suite of resources to help all organizations achieve their cybersecurity goals, with new emphasis on governance and addressing supply chain concerns.

New Emphasis on Governance

A key change is the introduction of the Govern function, which becomes the sixth function of the framework and sits at the center of the original five: Identify, Protect, Detect, Respond, and Recover. Govern is placed at the center intentionally: it is meant to be a layer of strategic considerations that informs how the other five functions are operationalized, and it elevates cybersecurity risk management activities to the executive and board levels of an organization.

Govern addresses the way organizations create, communicate, and maintain their cybersecurity risk management strategy, expectations, and policies. Its intent within the framework is to ensure that attention is given to both the implementation and the oversight of a cybersecurity strategy. The Govern function requires an organization to “establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy”.

Guidance within the Govern function on integrating cybersecurity into an organization’s enterprise risk management aligns with the SEC’s recently tightened reporting requirements for cybersecurity incidents.

Managing the Supply Chain and Risks from Third Parties

The Govern function also leans into the importance of supply chain management and the role of third parties in an organization’s security, expanding on the supply chain risk management outcomes from version 1.1 and elevating them to a more prominent role. The increasingly complex and interconnected relationships in an organization’s ecosystem make this function more critical within a cybersecurity strategy. The cybersecurity supply chain risk management guidance provides a process for managing exposure to cybersecurity risk throughout supply chains and for developing appropriate response strategies, policies, processes, and procedures.

CSF 2.0 indicates that organizations should have a supply chain vendor risk management program that is integrated into overall enterprise risk management, with requirements incorporated into contracts with suppliers and other third parties. Organizations should conduct due diligence on suppliers and third parties and include key members of their supply chain in incident response training and planning.

Moving Forward

The CSF 2.0 update emphasizes weaving governance through both strategy and operations so that the other functions can be operationalized, and including supply chain and third-party risk management in your organization’s overall cybersecurity risk management plan.

If you have any questions about how to navigate the new NIST CSF 2.0 guidelines, please contact us or reach out to your BlueVoyant representative.