It’s a good news day for cybersecurity, something nearly as rare as a Leap Year: it’s National Institute of Standards and Technology Cybersecurity Framework Version 2.0 Release Day! Given the wide adoption of the framework domestically, some within the Center for Cybersecurity Policy and Law, present company included, would equate this to the Cyber Super Bowl. When you consider the international appeal and adoption of the framework, it’s more like the World Cup of Cyber.

Version 1.0 was adapted or adopted by a diverse group of countries including Italy, Poland, Israel, Japan, Uruguay, Niger and Australia, among others. Given NIST’s efforts to engage internationally during the development of 2.0, and its intent to support international adoption post-release, adoption should only increase with the new edition.

In terms of the play-by-play of the new release, the Cybersecurity Framework retains its basic structure of outcome-based Functions, Categories, and Subcategories. A new “player” among the Functions appears in Version 2.0, called Govern. Governance is not a new concept in the framework; it previously appeared as a Category under Identify. Elevating it to a Function signals how important governance is to a robust cybersecurity risk management program.

This change also tracks with the Privacy Framework and the AI Risk Management Framework, both of which already include Govern as a Function. There have been several movements, consolidations, clarifications, and edits to the Core itself, with a renewed emphasis on Supply Chain Risk Management, which now sits as a Category under Govern with supporting Subcategories.

Some information was also moved: informative references that had previously been sprinkled throughout the framework itself are now maintained separately in NIST’s Cybersecurity and Privacy Reference Tool. Stakeholders will need to avail themselves of these new tools and resources to find the mappings to the framework that are critical for organizations dealing with a variety of different standards and guidelines.

This is going to be an adjustment for those accustomed to seeing the references directly in line with the Core. NIST’s rationale for this move is to keep the references fresh without relying on a framework update cycle that can take several years. Other changes to look out for include clarifications on the concept of Tiers and the inclusion of “implementation examples” to help stakeholders envision what “things” they might do to address a particular outcome. Changes to the Cybersecurity Framework are likely to ripple into other frameworks as well; NIST has already announced an update to the Privacy Framework that will take these changes into account.

One area to continue to watch is how all these NIST frameworks and related cybersecurity and privacy guidance will come together. After all, how many frameworks does it take to manage risk? What happens when you have a cybersecurity application that collects personal data and leverages AI? Which framework do I use? What does it look like to use these things together? This is an area the Center will be continuously monitoring and engaging with NIST on. More to come in future blogs!

Last, I leave you with an homage to the NIST Cybersecurity Framework Version 2.0 by ChatGPT, with a healthy dose of human intervention, of course, for editorial!

Six Functions Intertwined

“In the realm of bytes and codes embrace, NIST’s framework unfolds with grace.

Govern stands tall, a sentinel’s might, guiding the path through the digital night.

Identify, the first step in the dance, unveiling risks with a vigilant glance.

Protect, a fortress built strong, guarding the data where shadows belong.

Detect’s eye keen, a watchful gaze. Noting intrusions in cryptic arrays.

Respond swiftly to the cyber call. A digital waltz, a dance for all.

Recover, a resilient song, from breaches and storms, emerging strong.

Six functions intertwined, a cybersecurity art, guardians of data playing their part.”

Happy implementing!

Jamie Danker
