In August 2023, the National Institute of Standards and Technology ("NIST") released the initial public draft of its highly anticipated Cybersecurity Framework ("CSF"). First released in 2014 (and now referred to as "CSF 1.0"), the CSF assists organizations with understanding "the characteristics of their approach to managing cybersecurity risk" by identifying risk tolerances and business requirements in order to achieve cybersecurity objectives. Now, seven months after releasing a Concept Paper outlining proposed updates, NIST has released a "Draft CSF 2.0" that is the culmination of a comprehensive review and the implementation of more than a year's worth of community feedback. A final CSF 2.0 is slated to be published in the first half of 2024.
Draft CSF 2.0 – Expansion of Scope and Emphasis on Organizational Governance and Risk Management
Three of the most notable updates contained in Draft CSF 2.0 include:
- Expanded Scope: Draft CSF 2.0 is no longer focused primarily on the protection of "critical infrastructure" in the United States, indicating that the framework has expanded to provide cybersecurity guidance to all organizations regardless of type or size, as well as to reflect the broad and international use of the framework, including in Canada.
- Emphasis on Organizational Governance: CSF 1.0 described the main pillars of a successful and complete cybersecurity program using five main functions: identify, protect, detect, respond and recover. Draft CSF 2.0 adds a sixth "govern" function, which covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. Draft CSF 2.0 emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership. Draft CSF 2.0 states that vigilance by leadership requires: "determination of priorities and risk tolerances of the organization, customers, and larger society; assessment of cybersecurity risks and impacts; establishment of cybersecurity policies and procedures; and understanding of cybersecurity roles and responsibilities."
- Managing Organizational Supply Chain Risk: Recognizing that it is increasingly important for organizations to develop capabilities and implement practices to identify, assess, and respond to cybersecurity risks throughout the supply chain, Draft CSF 2.0 contains a new section 3.5 dedicated to the concept of Cybersecurity Supply Chain Risk Management ("C-SCRM"), which it describes as a "systematic process for managing exposure to cybersecurity risk throughout supply chains and developing appropriate response strategies, policies, processes, and procedures." Draft CSF 2.0 states that the primary objective of C-SCRM is "to extend appropriate first-party cybersecurity risk management considerations to third parties, supply chains, and products and services an organization acquires, based on supplier criticality and risk assessment."
The Significance for Organizations Seeking to Fortify or Enhance their Cybersecurity Practices
The ever-expanding value of data as a commercial asset means organizations will face increasing threats and risks to cybersecurity and consequently, legal and financial exposure. As recently reported by the Canadian Centre for Cyber Security, organized cybercrime poses one of the greatest threats to Canada's national security and economic prosperity and, in the next few years, financially-motivated cybercriminals "will almost certainly continue to target [data of] high-value organizations in critical infrastructure sectors in Canada and around the world."
Canadian organizations already use the CSF to map out cybersecurity standards and incorporate them into contracts with suppliers, as well as to provide a common language to communicate requirements to suppliers. Cybersecurity principles in Draft CSF 2.0 will assist Canadian organizations—both inside and outside of critical infrastructure sectors—by offering roadmaps to reduce cyber risks and ensure that legal and regulatory obligations to protect data are fulfilled. An organization's cybersecurity needs depend on internal and external factors, and organizations focused on meeting industry standards will increasingly require contractors' and sub-contractors' cybersecurity policies and procedures to align with the CSF.
Significantly, organizations engaged through contracts or subcontracts with the federal government should be familiarizing themselves with the framework, given the requirement in many federal contracts for contractors and subcontractors to be NIST-compliant.
Next steps – NIST Accepts Feedback on Draft CSF 2.0
Organizations that already rely on the CSF as part of their cybersecurity program, that are seeking to enhance their cybersecurity, or that are considering adopting the CSF due to sectoral or industry requirements or expectations, have the opportunity to help advance the direction of this significant and influential framework. Stakeholder commentary on the CSF 2.0 draft framework will be accepted by NIST until November 4, 2023, with plans to publish the final version of CSF 2.0 in 2024.
Fasken's Information Technology and Privacy and Cybersecurity groups are actively monitoring and providing insights on the development of the CSF, as well as other relevant cybersecurity standards and frameworks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.