The NIST Cybersecurity Framework (CSF) has been updated after ten years. NIST CSF 2.0 brings new additions to the table, such as an expanded mission to serve all industries (not just critical infrastructure) and a sixth Function: Govern. Find out the new requirements and what critical infrastructure agencies and others are required to do.

Recently, NIST expanded its decade-old Cybersecurity Framework (CSF) to focus on protecting organizations of all sectors, not just critical infrastructure. While the newly broadened framework now extends to industries like finance, retail, and food services, version 2.0 additions like governance and supply chain risk management still demand new action from existing critical infrastructure agencies, so don’t get too comfortable.

Meet the New Govern Function

“I think the big focus in 2.0 is promoting governance to a function,” noted Padraic O’Reilly, founder and chief innovation officer of CyberSaint, to CSO. “I think there’s an understanding now, and it’s pretty common across cybersecurity, that if governance is not actively involved, you’re just spinning your wheels.”

NIST CSF 2.0 adds Govern to the original five core Functions, making six in total:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover
  6. Govern

NIST 2.0 Changes

According to the new edition, governance activities are a crucial part of incorporating cybersecurity into an organization’s overall enterprise risk management strategy, which is the framework’s goal. Per the document, the Function breaks down into six categories:

  1. An understanding of the organizational context
  2. The establishment of a risk management strategy
  3. The establishment of cybersecurity supply chain risk management
  4. Roles, responsibilities, and authorities
  5. Policy
  6. The oversight of strategy

As the document states, “GOVERN is in the center of the wheel because it informs how an organization will implement the other five Functions.”

NIST 2.0 Requirements

The expectation under “Govern” is that the organization’s “cybersecurity risk management strategy, expectations, and policy” are “established, communicated, and monitored.” In the context of its six categories, that means:

  1. Understanding what’s at risk | The circumstances surrounding risk management decisions must be understood (i.e., mission, stakeholders, dependencies, and legal requirements).
  2. Knowing the risk tolerance | The company’s risk appetite and tolerance are understood and play a part in risk management decisions (unpatched vulnerabilities, Shadow IT, etc.).
  3. Making sure everyone understands their role | All roles pertaining to facilitating and improving the overall cybersecurity strategy are expressed and understood.
  4. Establishing policy | Now, policies are put in place, communicated, and enforced.
  5. Creating a feedback loop | Past performance of risk management activities is used to improve upon future strategy.
  6. Watching the supply chain | Processes for managing supply chain risk are established, tracked, and optimized over time.

A Step Forward for Supply Chain

As O’Reilly stated to CSO, “[Supply chain]’s a mess because it’s complex. I think they’re pulling some of the supply chain under governance because more needs to be done to manage it from the top. Because right now, you have some practices that are halfway decent but are only capturing about maybe half of the issue.”

NIST 2.0 Changes

While most improvements to the protection of the supply chain are housed under the Govern function, the additional callouts highlight a turning point in industry-wide awareness and urgency. However, CSO notes that including such a key cybersecurity issue in such a secondary way “is only one step in the right direction.”

NIST 2.0 Requirements

Diving deeper into the document, the supply chain provisions, as specified under the sixth category of Govern, include establishing a supply chain risk management process, which consists of:

  1. Establishing the terms | Establish and agree upon the strategy, objectives, policies, and procedures of the supply chain risk management process.
  2. Communicating roles and responsibilities | Each supplier, customer, and partner has a role to play and must know it and coordinate their ability to perform it.
  3. Integrating into the overall cybersecurity strategy | Now, supply chain risk management needs to become part of the overall enterprise risk management process.
  4. Identifying at-risk suppliers | Suppliers are known and organized by criticality.
  5. Accountability in writing | Requirements to address security problems with third parties are integrated into contracts and agreements.
  6. Due diligence | Security planning and due diligence are conducted prior to entering into formal supplier relationships.
  7. Monitoring third-party risks | Any supplier risks are recorded, prioritized, and monitored for the duration of the contract.
  8. Including the third-party security team | The suppliers’ security teams and stakeholders are included in incident response planning and activities.
  9. Sewing in supply chain security | Supply chain security practices are finally integrated into the overall enterprise risk management strategy and monitored throughout the lifecycle of the third-party service.
  10. The exit strategy | Plans are made for security activities to be performed at the conclusion of the supplier contract.

The Takeaway

In addition to its strict emphasis on supply chain security, this newly released 2.0 edition establishes guidelines that communicate in no uncertain terms: the time has come for cybersecurity to move to the forefront of all industries, all key stakeholders, and all enterprise risk management strategies.

ITEGRITI has deep experience across critical infrastructure cybersecurity programs, compliance, risk, and audit. Contact us today to learn how we can leverage this experience to help you accomplish your cybersecurity goals.
