Avi Gesser and Erez Liebermann are Partners and Michael R. Roberts is a Senior Associate at Debevoise & Plimpton LLP. This post is based on a Debevoise & Plimpton memorandum by Mr. Gesser, Mr. Liebermann, Mr. Roberts, HJ Brehmer, Corey Goldstein, and Stephanie Thomas.
Risk assessments are a critical component of a robust cybersecurity program. To benchmark their risk assessments and cybersecurity maturity reviews, companies often look to recognized industry standards such as the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF” or “the Framework”). In this Debevoise Data Blog post, we discuss proposed changes to the Framework and offer takeaways for companies that use the Framework for cybersecurity risk assessments.
The Concept Paper
Last updated in 2018, the Framework outlines best practices for reducing cybersecurity risks and has become the standard for assessing cybersecurity maturity for organizations of all sizes. While adherence to the CSF is voluntary for most organizations, regulators, insurers and policymakers have looked to the Framework as one of the ways to assess whether an organization has implemented reasonable security.
In January 2023, NIST released a Concept Paper that details the more significant changes that NIST is considering in drafting the update to the Framework, CSF 2.0. The proposed changes to the Framework are based on feedback that NIST received from industry and other stakeholders over a lengthy period, including through its Cybersecurity RFI, which drew 134 responses, and its Workshop on the CSF 2.0, which was attended by more than 4,000 participants from over 100 countries. The Concept Paper seeks comment on those proposed changes, as well as on the existing Framework in general. Comments must be submitted by March 3, 2023 at [email protected]. After reviewing feedback on this Concept Paper and considering insights gained through the workshops, NIST intends to publish its draft CSF 2.0 in the coming months for a 90-day public review.
Proposed Changes to the CSF
The most significant proposed changes to the Framework in the Concept Paper include the following:
- Expanded Coverage. The title will likely be changed from “Framework for Improving Critical Infrastructure Cybersecurity” to “Cybersecurity Framework,” signaling the CSF’s expansion from addressing the cybersecurity risks of critical infrastructure to being widely applicable to organizations across government, industry and academia, regardless of size, sector or jurisdiction.
- Focus on Governance. Perhaps the most significant proposed change to the Framework is the introduction of a “Govern” function, which emphasizes that cybersecurity governance is critical to managing and reducing cybersecurity risk. The current part of the Framework that covers governance would be moved into the new Govern function. Under the proposed changes, cybersecurity governance may include the following:
- determination of priorities and risk tolerances of the organization, customers and society;
- assessment of cybersecurity risks and impacts;
- establishment of cybersecurity policies and procedures; and
- understanding of cybersecurity roles and responsibilities.
According to NIST, these activities are critical to detecting, responding to and recovering from cybersecurity risks across the organization, as well as in overseeing others who carry out cybersecurity activities for the organization. Elevating governance to a CSF function would also promote alignment of cybersecurity activities with enterprise risks and legal requirements. A crosscutting Govern function is also consistent with the Govern function in NIST’s draft AI Risk Management Framework and the Privacy Framework.
- Enhanced Guidance on Supply Chain Risks. NIST Cybersecurity RFI respondents agreed that supply chains and third parties are a top cybersecurity risk. The CSF 2.0 will make clear the importance of organizations identifying, assessing and managing these risks, which may involve distinct assessment and oversight that is often handled by stakeholders separate from the internal cybersecurity team. NIST believes that the CSF 2.0 should include additional cybersecurity supply chain risk management (“C-SCRM”) outcomes to help organizations address these distinct risks and invites feedback on several proposals for integrating C-SCRM into other aspects of the Framework.
Key Takeaways
- More Accessible: With the new Govern function and increased focus on third parties, the NIST CSF 2.0 is a great resource for all departments. The new modules make the Framework more accessible and more helpful to other business functions and to leadership. These proposed changes come at a fortuitous time, given that the proposed amendments to the NYDFS Cybersecurity Regulation Part 500, the CISA performance goals and the SEC’s proposed rules for registered investment advisers all include substantial cybersecurity governance requirements.
- Legal and Compliance’s Role: The CSF 2.0 (even more than 1.0) identifies a greater role for legal and compliance in managing cybersecurity risk. With the addition of the new module and the third-party focus, legal and compliance teams should consider mapping the CSF 2.0 to applicable regulations. For those in the financial services field, the Cyber Risk Institute has already done this work by previously adding such modules. Companies can, for example, evaluate “The Profile” developed by the Cyber Risk Institute, which maps regulations to an expanded NIST Framework. Working through the mapping exercise will bring legal, compliance and information security teams together and allow them to collaborate under the updated Framework.
- Risk Assessments: The SEC’s proposed rules for public companies may result in greater oversight of the cybersecurity function by senior management and the board of directors by requiring companies to make public disclosures about those aspects of cybersecurity governance. The proposed amendments to the NYDFS cybersecurity rule do the same. With the new modules, the NIST CSF 2.0 will present a very useful framework for conducting a risk assessment. Whether performed internally or by engaging external vendors that can help with expertise and benchmarking, the results of the risk assessment can lay the foundation for a board of directors’ presentation and a strategy for cybersecurity maturity.