On August 8, 2023, the National Institute of Standards and Technology (NIST) released the initial draft of its Cybersecurity Framework 2.0 and draft Implementation Examples for public comment. This marks the first significant update to the NIST Cybersecurity Framework (“Framework”) since its initial release in 2014. The update is intended to address the current and future cybersecurity threats facing all organizations and to make the Framework easier for organizations to use. An updated Framework is important given that the Federal Trade Commission (the “FTC”) has routinely relied upon the existing Framework in determining whether a company’s data security practices are reasonable and not unfair or deceptive in violation of Section 5 of the FTC Act.
Previous versions of the Framework, versions 1.0 and 1.1, were designed to assist critical infrastructure entities, such as hospitals and power plants, in enhancing their security and managing cybersecurity risk. The updated Framework 2.0 would expand the scope of the Framework to apply to all organizations, “regardless of its size, sector, or maturity.”
Framework 2.0 would further add to its existing core functions – identify, protect, detect, respond, and recover – a sixth “govern” function that covers how organizations make and carry out internal decisions to support their cybersecurity strategy. The govern function is broken into categories that help organizations understand:
- Organizational Context: including that organizations should identify their internal and external stakeholders and understand those stakeholders’ needs and expectations related to risk management.
- Cybersecurity Supply Chain Risk Management: including that organizations should establish and communicate the cybersecurity roles for suppliers, customers, and partners.
- Roles, Responsibilities and Authorities: including that organizational leadership should be accountable for cybersecurity risk and foster “a culture that is risk-aware, ethical, and continually improving.”
- Policies, Processes and Procedures: including that organizations should update, communicate, and enforce policies, processes, and procedures for managing cybersecurity risks.
- Oversight: including that organizations should review cybersecurity risk management strategy outcomes to “inform and adjust strategy and direction.”
Given the increased regulatory focus on cyber governance, the new “Govern” function helps clarify and summarize the components of a successful program.
This updated version also provides guidance on how to implement the Framework, including creating and leveraging “Framework Profiles” to identify gaps and build action plans for reaching the organization’s target cybersecurity posture based on organization- and industry-specific goals, legal requirements, and best practices. The draft Implementation Examples further provide organizations with detailed guidance on implementing the subcategories within each core function.
The public may submit feedback on this latest draft to cyberframework@nist.gov until Friday, November 4, 2023. NIST intends to publish the final version in early 2024 without releasing another draft of the Framework for further comment. NIST also announced that it will discuss the updated version at a workshop on September 19-20, 2023, during which the public will have another opportunity to provide feedback. Businesses, particularly those that are (or may be) contractually subject to the existing Framework, should perform a gap analysis of their security programs to evaluate what, if any, adjustments may need to be made to comply with Framework 2.0. Doing so may also inform comments to be submitted to NIST.
Additional information regarding the NIST Framework 2.0 may be found here: NIST Drafts Major Update to Its Widely Used Cybersecurity Framework. Please contact Alston & Bird’s Privacy, Cyber & Data Strategy Team if you have questions.