On February 26, 2024, the National Institute of Standards and Technology (NIST) released the NIST Cybersecurity Framework 2.0 (CSF 2.0). CSF 2.0 represents the first major update to the Cybersecurity Framework, which was first released in February 2014. CSF 2.0 provides an increased focus on entities’ governance functions and broadens the CSF’s scope. For companies subject to state and federal standards demanding “reasonable security,” CSF 2.0 is particularly important because it could very well become the de facto standard of care under various cybersecurity and data privacy laws.
Focus on Governance
CSF 2.0 builds on the five high-level functions from CSF 1.0 (Identify, Protect, Detect, Respond, and Recover) by introducing a new core function—Govern. This function focuses on ensuring that an organization’s cybersecurity risk management strategy, expectations, and policies are established, communicated, and monitored. In particular, this new core function emphasizes that an organization’s cybersecurity framework must be (i) based on the organization’s individual circumstances, goals, and risk appetite; (ii) well established and communicated within the organization to ensure compliance and continuity; and (iii) continually reviewed and improved.
Notably, the new Govern core function includes a recognition of risks stemming from the complicated and interconnected supply chain ecosystem. The framework for these risks includes having a separate supply chain risk management system, understanding the additional risks that suppliers pose, and including suppliers and other third parties in an organization’s risk incident planning, response, and recovery activities.
Increased Scope
Although CSF has been widely used by organizations since its inception, the initial aim of CSF was to be a tool for organizations involved in critical infrastructure. CSF 2.0 is designed “to help organizations of all sizes and sectors.” NIST also continues to stress that a one-size-fits-all approach is not possible and all organizations need to develop a risk management framework that fits their needs.
Additional Resources
To accompany CSF 2.0, NIST announced a set of external resources to help organizations develop and refine their cybersecurity programs. These resources include:
- Quick Start Guides (QSGs)—a set of guides, tailored to specific audiences, that contain actionable steps for organizations to take to improve their cybersecurity risk management procedures.
- Implementation Examples—sample suggestions of concise and action-oriented steps for organizations to take to implement CSF 2.0’s core function subcategories.
- Informative References—mappings that indicate relationships between CSF 2.0 and other standards, guidelines, and regulations.
By utilizing these resources, an organization can kick-start its cybersecurity programs and start developing a comprehensive risk management strategy.
Impact on Compliance with Other Regulations
Since the issuance of the original CSF in 2014, numerous other cybersecurity and data privacy laws and regulations have looked to CSF as an example of how organizations should implement their cybersecurity and privacy policies and procedures. For example, the New York Department of Financial Services’ Cybersecurity Regulations (23 NYCRR Part 500) recognize compliance with CSF as a mitigating factor in determining penalties for regulatory violations. However, a comparison of the governance requirements between the NYDFS Cybersecurity Regulations and CSF 2.0 shows that CSF 2.0 provides more stringent guidance than the Cybersecurity Regulations require. For instance, the Cybersecurity Regulations’ governance requirements focus on internal reporting by the Chief Information Security Officer to the senior officers and oversight of the organization’s cybersecurity risk management. CSF 2.0, under its new Govern core function, still focuses on reporting and oversight but also includes additional elements related to communication with the entire organization, continual adjustments to the risk management framework, structure of organizational leadership, and the involvement of third parties connected with the company. Thus, CSF 2.0 shows a heightened recognition of what an organization’s governance committee must be aware of and do to ensure continued protection beyond what is required by the Cybersecurity Regulations and similar laws.
As more states enact and amend their cybersecurity regulations, it is likely that CSF 2.0 will continue to function as a guide or measuring stick for proper cybersecurity risk management. This will mirror similar approaches taken in other developing fields, such as artificial intelligence regulations. The National Association of Insurance Commissioners’ AI Model Bulletin (adopted December 2023) recognized the NIST Artificial Intelligence Framework as an alternative that can be used in place of and supplemented by the AI Model Bulletin. We expect that other governmental and self-regulatory bodies will take a similar approach of citing CSF 2.0 as a standard by which organizations should judge themselves.
Failure to meet the CSF 2.0 standards could also have implications for defendants in private lawsuits. For example, state laws requiring companies to maintain “reasonable security” procedures and practices have faced class action claims alleging that failure to follow the CSF constitutes a failure to comply with the law. See, e.g., Griffey v. Magellan Health, Inc., No. CV-20-01282-PHX-MTL (D. Ariz.) (alleging that defendant’s failure to follow CSF violated the California Consumer Privacy Act). Similarly, companies have been required to adhere to CSF as part of class action settlement agreements stemming from data breaches. See, e.g., In re Yahoo! Inc. Customer Data Security Breach Litig., No. 16-MD-02752-LHK (N.D. Cal. 2020) (noting that “Yahoo has pledged to align its information security program with the NIST Cybersecurity Framework”). Therefore, even where CSF is not mandated by law, courts will no doubt assess companies’ security practices against CSF as the standard.
CSF 2.0’s expanded scope and focus on governance further cement it as a guiding force in the ever-changing development of cybersecurity frameworks. Moreover, organizations implementing the framework are likely setting themselves on the right track for compliance with forthcoming state laws and regulations.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.