Avi Gesser and Erez Liebermann are Partners and Michael R. Roberts is a Senior Associate at Debevoise & Plimpton LLP. This post is based on a Debevoise & Plimpton memorandum by Mr. Gesser, Mr. Liebermann, Mr. Roberts, HJ Brehmer, Corey Goldstein, and Stephanie Thomas.
Risk assessments are a critical component of a robust cybersecurity program. To benchmark their risk assessments and cybersecurity maturity reviews, companies often look to recognized industry standards such as the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF” or “the Framework”). In this Debevoise Data Blog post, we discuss proposed changes to the Framework and offer takeaways for companies that use the Framework for cybersecurity risk assessments.
The Concept Paper
Last updated in 2018, the Framework outlines best practices for reducing cybersecurity risk and has become the de facto standard for assessing cybersecurity maturity in organizations of all sizes. While adherence to the CSF is voluntary for most organizations, regulators, insurers and policymakers have looked to the Framework as one way to assess whether an organization has implemented reasonable security.
In January 2023, NIST released a Concept Paper that details the more significant changes it is considering for the next version of the Framework, CSF 2.0. The proposed changes are based on feedback that NIST gathered from industry and other stakeholders over an extended period, including through its Cybersecurity RFI, which drew 134 responses, and its Workshop on the CSF 2.0, which was attended by more than 4,000 participants from over 100 countries. The Concept Paper seeks comment on those proposed changes, as well as on the existing Framework in general. Comments must be submitted by March 3, 2023 at [email protected]. After reviewing feedback on the Concept Paper and considering insights gained through the workshops, NIST intends to publish its draft CSF 2.0 in the coming months for a 90-day public review.