Data Security

NIST CSF 2.0 – Some Assembly Required

Published: Apr. 08, 2024

The National Institute of Standards and Technology (NIST) recently finalized its consensus-based cybersecurity framework, often referred to as the “CSF.” The CSF provides organizational tools for reducing cybersecurity risk and, with the latest revisions, offers new tailored guidance for organizations of all types. As we discussed previously, regulators, courts, and insurers have increasingly either expressly adopted the CSF or implicitly done so to demonstrate what is “reasonable” organizational cybersecurity. These developments suggest that organizations that adopt the CSF’s incident response lifecycle will be better prepared to meet the newly published SEC material incident reporting requirements for public companies.

Now that the lengthy comment period and multiple rounds of review have ended, NIST has issued a revised CSF reflecting community feedback, including:

  • Expanded guidance on creating profiles to tailor the CSF to the company’s nature, size, and complexity, along with implementation examples.
  • A series of Quick Start Guides, organized by CSF Tier, covering organizations ranging from small businesses to multinational enterprises.
  • An expanded list of “functions” (from five to six), adding “govern” to “identify,” “protect,” “detect,” “respond,” and “recover.” The new “govern” function sets standards for how an organization makes and executes internal decisions in support of cybersecurity risk management.
  • Better alignment of cybersecurity with an organization’s overall enterprise risk management, alongside other legal, financial, and operational risks.
  • Support for implementing the National Cybersecurity Strategy, including governance and risk management.

These publicly available resources may be accessed here; links to supporting materials, such as implementation examples and mappings, are also available from that page.

While implementing the CSF across your organization is an enterprise-wide project, we recommend engaging outside counsel to help you map your cyber risks, tie those risks to mitigating controls, and develop or mature the “govern” function through updated policies, plans, and tabletop exercises.