Successful cybersecurity depends heavily on governance, NIST declares
The National Institute of Standards and Technology (NIST) has released an updated version of its Cybersecurity Framework (CSF) 2.0, which places a new emphasis on the supply chain and governance. This strategic evolution aims to embed cybersecurity governance as a fundamental organizational capability, spanning technology, risk, privacy, and business strategy.
The updated CSF introduces a new core function, "Govern" (GV), with six components that guide organizations to embed governance practices in cybersecurity. This approach encourages viewing cybersecurity not just as a technical issue but as a strategic business imperative, including addressing positive risks or opportunities such as leveraging AI for growth.
The "Govern" function is designed to help organizations measure the outcomes of the other five functions (Identify, Protect, Detect, Respond, Recover). It covers organizational context, policy, oversight, and supply chain risk management, reflecting the increasing importance of these areas in the evolving cybersecurity landscape.
The broader scope and adaptability of the updated framework allow it to address emerging technologies and new threat environments, aligning with NIST’s broader Cybersecurity, Privacy, and AI initiatives. This adaptability demonstrates the framework's awareness of evolving threat vectors and the need to incorporate these complexities systematically into governance and operational functions.
Compliance and regulatory controls weigh heavily on organizations in 2024. Work on the CSF update began last year, and the framework is now being adopted to replace legacy tools such as the FFIEC's Cybersecurity Assessment Tool in sectors like banking. Regulators and sector risk management agencies are addressing risk management for their respective industries; the Securities and Exchange Commission, for example, now requires companies to report on cybersecurity risk management, strategy, and governance in their annual filings.
The White House's national cybersecurity strategy complements NIST's CSF 2.0. The framework's adaptability to AI risks, privacy, and emerging technologies responds to the demand for transparency, accountability, and comprehensive risk management across complex organizational and supply chain ecosystems.
Quick-start guides have been provided for specific audiences and user types in the NIST CSF 2.0 release. Ken Dunham, cyber threat director at Qualys, stated that every organization has the responsibility to cover and adhere to multiple forms of compliance and frameworks. NIST Director Laurie Locascio stated that governance represents a big change and something NIST and stakeholders across industry weren't ready to incorporate 10 years ago.
As server rooms move off premises, the boardroom becomes more important. The CSF is intended to be used from the server room to the boardroom, advocating structured risk management strategies and a clear delineation of responsibilities. The new reference mapping tool links NIST CSF 2.0 to other cybersecurity recommendations, so organizations can easily overlay the framework with other frameworks that cover specific controls and industry verticals.
In sum, the updated NIST CSF 2.0 is a strategic evolution designed to embed cybersecurity governance as a fundamental organizational capability that spans technology, risk, privacy, and business strategy—addressing the modern challenges posed by AI, complex supply chains, and regulatory environments.
- The "Govern" function within the NIST Cybersecurity Framework (CSF) 2.0 encourages organizations to view cybersecurity as a strategic business imperative, encompassing organizational context, policy, oversight, and supply chain risk management.
- Regulators and agencies such as the Securities and Exchange Commission are focusing on risk management, requiring companies to report cybersecurity risk management, strategy, and governance in annual filings.
- As the boardroom grows in importance, the updated NIST CSF 2.0 is designed to be used from the server room to the boardroom, advocating structured risk management strategies and a clear delineation of responsibilities.