The National Institute of Standards and Technology released an updated version of its Cybersecurity Framework, CSF 2.0. earlier this week. The CSF, initially launched in 2014, is a tool developed by NIST to help private sector entities assess, remediate, and manage cyber risks throughout their organizations. The original CSF was broken into five functions, comprising the cybersecurity risk life cycle: Identify, Protect, Detect, Respond, and Recover. Each function was comprised of numerous sub-functions tied to both categories and NIST 800-53 Security controls, that enabled organizations to assess aspects of their cybersecurity programs.

Initially meant for critical infrastructure organizations, the CSF has become a globally respected standard and is now used by many types of private sector entities to help them manage their cybersecurity risks, and CSF 2.0 expressly expands the scope of the framework beyond critical infrastructure. Additionally, the Federal Information Management Security Act (FISMA) requires government agencies to comply with NIST 800-53 controls, and as a result, government contractors have used the CSF as a starting point to assess their own security programs when processing Federal agency/department personal data. Entities are allowed to take the CSF and customize it for their own needs to oversee their cybersecurity programs, assess strengths, and remediate gaps.

Some of the changes in the updated CSF include:

• The addition of a sixth function. The "Govern" function focuses on management of cybersecurity risks, and assessing organizations on the people, policies, and oversight that help entities manage their cybersecurity office and program.
• The development of a new reference tool that will allow users to export functions and controls for their own needs into readable formats, enabling entities to better customize assessments.
• The expansion of references and guidance within the functions, providing technical details and steps for organizations take in assessing and implementing aspects of the CSF.

Our attorneys regularly support companies in meeting the requirements of cybersecurity and data privacy laws, regulations, and frameworks, and the implementation of governance programs. If you have any questions please do not hesitate to contact any member of our team.