On August 8, 2023, the National Institute of Standards and Technology ("NIST") released a draft of The NIST Cybersecurity Framework (CSF) 2.0 [1] (the "CSF" or "Framework") along with a Discussion Draft of the Implementation Examples. [2] This draft makes the most significant changes to the Framework since its initial release in 2014. It follows more than a year's worth of community feedback, with NIST issuing the first request for information on the CSF in February 2022 and a concept paper regarding potential changes in January 2023. [3] Both drafts are open for public comment until November 4, 2023. NIST announced that it plans to publish the final version in early 2024, without releasing another version for public comment.

Version 1.0 and Version 1.1 (2018) of the CSF were intended to provide critical infrastructure entities a standardized tool for managing cybersecurity risk. Version 2.0 broadens the scope of the CSF by focusing on all organizations, not just those operating in critical sectors. Indeed, "Critical Infrastructure" is dropped from the title of Version 2.0, consistent with the existing use of the CSF by companies and other entities across sectors. This updated version is designed instead to be used by organizations of all sizes, sectors, and geographical locations to help guide their cybersecurity-related decisions, "everywhere from schools and small businesses to local and foreign governments." [4] To support this broad use, the CSF 2.0 introduces "Implementation Examples" to provide "concise, action-oriented steps" to help achieve particular outcomes in light of its guidance. [5] These Implementation Examples set out sample situations that could help an entity achieve the CSF 2.0 objectives. Under the various functions, the Implementation Examples list actions that an organization can take and concrete methods of implementation for each of those actions.

In addition, the CSF 2.0 emphasizes the role of governance in a cybersecurity program by elevating it to one of the six main "pillars" of the Framework. (The original five pillars, or core functions, to help direct cybersecurity outcomes, were (1) identify, (2) protect, (3) detect, (4) respond, and (5) recover.) Although CSF 1.1 contained guidance on governance, CSF 2.0 goes into further depth on processes for establishing, communicating, and evaluating the organization's cyber risk management strategy, including identifying roles and responsibilities as well as maintaining appropriate policies, processes, and procedures for managing cybersecurity risk.

As part of the "govern" function, the CSF 2.0 highlights the importance of supply chain risk management. The CSF 2.0 recommends that organizations establish a comprehensive supply chain risk management program that includes supplier due diligence, prioritization by criticality, considerations in the organization's overall risk assessment and management strategies, and other steps to evaluate and monitor third-party risk.

CSF 2.0 also includes additional implementation guidance on the creation and use of "Framework Profiles" to help tailor cybersecurity priorities for specific sectors and use cases. An organization can develop or leverage NIST's example Framework Profiles, which map the Framework to particular concerns in an industry or functional area and identify opportunities to improve an organization's cybersecurity posture based on these key issues. The CSF 2.0 lists a step-by-step process for organizations to create and use Framework Profiles to help inform their cybersecurity strategy.

Contractors and subcontractors performing work for the federal government generally must be compliant with the CSF and other NIST cybersecurity standards, as those standards are routinely incorporated into federal contracts and grants. [6] Others in the private sector have been encouraged or required to adopt the NIST Framework to meet regulatory expectations or satisfy contractual obligations. Even though it is only voluntary for many in the private sector, the Framework has effectively become an industry standard for evaluating a cybersecurity program. Accordingly, companies across sectors would be wise to compare their current cyber risk management program against CSF 2.0, and they may wish to get ahead of the curve now by beginning a comparison with this draft version. Interested stakeholders may also consider submitting comments before the November 4, 2023 deadline.

Footnotes

1. National Institute of Standards and Technology, Public Draft: The NIST Cybersecurity Framework 2.0 (August 8, 2023).

2. National Institute of Standards and Technology, Public Draft: Implementation Examples for the NIST Cybersecurity Framework 2.0 (August 8, 2023).

3. National Institute of Standards and Technology, Cybersecurity RFI (Feb. 22, 2022); National Institute of Standards and Technology, NIST Cybersecurity Framework 2.0 Concept Paper (Jan. 19, 2023).

4. National Institute of Standards and Technology, NIST Drafts Major Update to Its Widely Used Cybersecurity Framework (news release).

5. National Institute of Standards and Technology, Public Draft: The NIST Cybersecurity Framework 2.0 (August 8, 2023).

6. See also NIST Special Publication 800-171 rev. 2 (Feb. 2020) ("The security requirements apply to the components of nonfederal systems that process, store, or transmit [Controlled Unclassified Information], or that provide security protection for such components.").


© Copyright 2023. The Mayer Brown Practices. All rights reserved.
