The NIST Cybersecurity Framework (CSF) version 2.0, which NIST expects to finalize in early 2024, adds a new Govern function to the CSF Core. The five functions that currently form the core of the Framework are Identify, Protect, Detect, Respond and Recover.
The New Govern Function in NIST CSF 2.0
In version 1.1 of the Framework, governance-related activities were included under the Identify function. By placing these activities under a new, cross-cutting Govern function in version 2.0, NIST elevates the importance of aligning cybersecurity risk management with enterprise risk management. The Govern function includes categories for establishing and monitoring the organization’s cybersecurity risk strategy, expectations and policy. The strategic direction set under Govern informs how the other five functions are implemented.
Supply Chain Risk Management
Another significant change in the new version is the inclusion of Supply Chain Risk Management in the Govern function. Supply chain risk, too, was part of the Identify function in version 1.1 (the ID.SC category). Since its initial inclusion in the CSF, new guidance on supply chain risk has been published by various cybersecurity agencies, and there has been a greater emphasis on tackling third-party threats. Cybersecurity Supply Chain Risk Management is now the third category in the Govern function and includes ten subcategories.
NIST CSF 2.0 Govern function categories:
There are six main categories under the Govern function: Organizational Context; Risk Management Strategy; Cybersecurity Supply Chain Risk Management; Roles, Responsibilities, and Authorities; Policies, Processes, and Procedures; Oversight. Here’s a brief description of each:
- Organizational Context – Organizational Context includes activities geared towards understanding the organization’s mission; internal and external stakeholders’ expectations regarding cybersecurity; legal and regulatory requirements; and the organization’s overall objectives, capabilities and services.
- Risk Management Strategy – Risk Management Strategy includes establishing and communicating the organization’s risk management objectives, risk tolerance and risk appetite. Organizations must ensure that cybersecurity risk management activities are included in enterprise risk management and that there are clear lines of communication for cybersecurity and supply chain risk. They must also establish “a standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks.”
- Cybersecurity Supply Chain Risk Management – In NIST CSF 1.1, Supply Chain Risk Management was part of the Identify function of the CSF Core; in version 2.0 it is listed under the Govern function. It includes establishing, managing, monitoring and improving supply chain risk management processes. Supply chain risk must be integrated into cybersecurity and enterprise risk management, and the performance of the supply chain risk management program must be monitored throughout the technology product and service life cycle. Suppliers should be prioritized by criticality, and the risk posed by each should be identified and managed (including incident response planning) throughout the course of the relationship.
- Roles, Responsibilities, and Authorities – Cybersecurity roles and responsibilities should be established and clearly communicated, and organizational leadership must be “responsible and accountable for cybersecurity risk.” This category also emphasizes fostering a risk aware culture and ensuring that adequate resources are set aside to tackle cyber risk.
- Policies, Processes, and Procedures – This includes action items for establishing, communicating and enforcing cybersecurity policies, processes and procedures based on organizational context, cybersecurity strategy and priorities. Policies and procedures must also be updated whenever cyber threats, technology or organizational priorities change.
- Oversight – Periodic reviews and performance assessments of cybersecurity risk management initiatives must be used to “inform and adjust” strategic direction.
The initial public draft (August 2023) of NIST CSF 2.0 is available for review on the NIST website.