The National Institute of Standards and Technology (“NIST”) has released a Concept Paper setting out significant updates to its Cybersecurity Framework (“CSF”). First released in 2014 (and now styled “CSF 1.0”), the CSF is designed to assist organizations with understanding “the characteristics of their approach to managing cybersecurity risk” by identifying risk tolerances and business requirements in order to achieve cybersecurity objectives. The CSF was updated in 2018 (“CSF 1.1”) and, through its Concept Paper, NIST is conducting a comprehensive review to update and establish “CSF 2.0”.
The Canadian Centre for Cyber Security (“CCCS”)—the Government of Canada’s single, unified source of expert advice and support on cyber security for critical infrastructure operations and the private sector—recommends the CSF as one potential mechanism to enhance organizational cyber security. In its “path to enterprise security”, the CCCS notes that the CSF is widely adopted by Canadian industry and certain IT outsourcing customers look for CSF compliance among the panoply of industry-recognized cybersecurity frameworks that can be used to build a robust information security program.
CSF 2.0 Concept Paper – Potential Significant Updates to the Framework
The Concept Paper outlines potential significant updates to the CSF, and NIST suggests that some of the proposals are “larger structural changes that may impact compatibility” with the current version of the framework. Noting that the development of CSF 2.0 is “iterative”, NIST has been gathering private and public sector input since a Request for Information release in early 2022 and the Concept Paper is based on the input generated thus far. The Concept Paper does not necessarily cover all issues that may be updated through CSF 2.0.
Potential significant updates discussed in the Concept Paper include:
- Section 1: Change the CSF’s title and text to reflect its intended use by all organizations – The CSF was originally designed with a focus on “critical infrastructure” cybersecurity risks, but has been used by a much broader range of organizations since its inception. NIST is proposing changes to reflect this wider use “by all organizations”.
- Section 3: Updated and expanded guidance on Framework implementation – CSF 2.0 will include “more straightforward, more general descriptions of the Framework’s key components… [as well as] linkages and mappings to specific cybersecurity guidance from NIST and other organizations.” This may also include adding “implementation examples for CSF subcategories” to provide “notional implementation examples of concise, action-oriented processes and activities to help achieve the outcomes.”
- Section 4: Adding a new “Govern Function” – NIST proposes adding a new “Govern” function to the five existing functions of “identifying, protecting, detecting, responding, and recovering”, which apply across an organization, including within its supply chain. Emphasis on the importance of cybersecurity governance may include “determination of priorities and risk tolerances of the organization, customers, and larger society; assessment of cybersecurity risks and impacts; establishment of cybersecurity policies and procedures; and understanding of cybersecurity roles and responsibilities.”
- Section 5: Emphasizing the Importance of Cybersecurity Supply Chain Risk Management – NIST notes that managing supply chain risks was a focal point of prior updates and, since that time, “even more attention has been paid to developing guidance to increase trust and assurance in technology products and services.” As a result, it intends to “make clear the importance of organizations identifying, assessing, and managing both first and third-party risks” by including new supply chain risk management outcomes.
- Section 6: Examples of measurement and assessment – Noting that measurement of outcomes varies based on organizational context, NIST states there is “no single approach to measure and assess implementation of the CSF…” Examples of measurement and assessment questions offered in the Concept Paper include: “What is the best way to communicate organizational cybersecurity posture to non-cybersecurity audiences?” and “How does an organization understand its cybersecurity posture across the organization, aggregating across systems?”
An Opportunity for All Organizations
The importance of the forthcoming CSF 2.0 cannot be overstated. Cybersecurity represents one of the most significant enterprise risks facing organizations. As cybersecurity standards and frameworks are often used as a measure of whether organizations have complied with legal obligations to safeguard data (e.g. pursuant to data protection law), or fulfilled their duty of care to protect information, the forthcoming CSF 2.0 will also affect legal risk exposure for organizations.
Organizations that are seeking to make further strides toward greater enterprise security or to otherwise leverage the CSF as an industry standard have an opportunity to influence the direction of this important and influential framework. Organizations that contract or subcontract with public entities in Canada (particularly the federal government) will be interested in this process, as many public sector entities require their contractors and subcontractors to be NIST compliant.
NIST is seeking feedback on its Concept Paper by March 3, 2023.
In the months that follow the consultation period, NIST will publish a draft Cybersecurity Framework 2.0 for public review. NIST will also be organizing a virtual workshop consultation on Cybersecurity CSF 2.0 to take place on February 15, 2023.
Fasken’s Information Technology and Privacy and Cybersecurity groups will continue to monitor and provide updates on the development of the CSF and other important cybersecurity standards and frameworks.