Are businesses prepared for the CSF 2.0 challenge?
Unattended computer. Image by © Tim Sandle.
One of the key governing documents for cybersecurity in the U.S. is the NIST Cybersecurity Framework (CSF). This is a set of guidelines for mitigating organizational cybersecurity risks, published by the US National Institute of Standards and Technology (NIST) and based on existing standards, guidelines, and practices. In early 2024, the guidance was updated.
Version 2.0 of the guidance emphasizes the importance of governance by adding a sixth Core Function to the framework. In addition, Version 2.0 expands the CSF beyond critical infrastructure, promotes secure supply chains, and includes a new suite of additional guidance to assist with implementation.
Many businesses make use of the CSF to measure their corporate security programs and to gauge their progress in implementing cybersecurity risk management practices.
Following the recent release of version 2.0 of NIST’s Cybersecurity Framework core guidance, Richard Caralli, Senior Cybersecurity Advisor at Axio, explained the most important points to Digital Journal.
Caralli begins by outlining what the scope of the document is and the degree to which it has changed: “While CSF v2 is an advancement of the framework based on broad industry usage, its primary updates focus on highlighting the role of governance as an important cybersecurity activity and acknowledging the growing challenges of third-party risk management.”
It is important for businesses to consider the key aspects and to put in place appropriate structures, says Caralli: “Governance is becoming imperative as organizations realize the need for proper senior management and Board oversight, and this update aligns well with the SEC’s recent cybersecurity rulings that more prominently involve better organizational oversight.”
The challenges facing businesses are becoming greater, especially as global supply chains become ever more complex. This leads Caralli to observe: “The expansion of the third-party risk management (or supply chain risk management) content is a tacit acknowledgement that many organizations now find their circle of trust expanding due to the use of Internet- and Cloud-based technologies. The increased dependence on external partners as an essential player in a teamwork-based approach to cybersecurity is paramount as this transition occurs.”
To meet the new requirements, Caralli thinks that “organizations adopting v2 have some work to do. Existing assessments and reliance on v1 for program execution mean that organizations must cast their programs and assessment results in a new framework.”
Not every business will be compliant: “This may mean that new gap areas emerge that previously may not have been present. Moreover, if CSF has been used as the basis for Board reporting and program success, casting program accomplishments in v2 may require some adjustments and supporting explanations at the next Board meeting or in senior management updates.”