It’s a good news day for cybersecurity, something nearly as rare as a Leap Year: it’s National Institute of Standards and Technology Cybersecurity Framework Version 2.0 Release Day! Given the wide adoption of the framework domestically, some within the Center for Cybersecurity Policy and Law, present company included, would equate this to the Cyber Super Bowl. When you consider the international appeal and adoption of the framework, it’s more like the World Cup of Cyber.

Version 1.0 was adapted or adopted by a diverse group of countries including Italy, Poland, Israel, Japan, Uruguay, Niger and Australia, among others. Given NIST’s efforts to engage internationally during the development of 2.0, and intent to support international adoption post-release, adoption should only increase with the new edition.

In terms of the play-by-play of the new release, the Cybersecurity Framework retains its basic structure of outcome-based Functions, Categories, and Subcategories. A new “player” among the Functions appears in Version 2.0: Govern. Governance is not a new concept in the framework, where it previously appeared as a Subcategory; rather, the change elevates the importance of governance to a robust cybersecurity risk management program.

This change also tracks with the Privacy Framework and the AI Risk Management Framework, both of which already have Govern as a Function. There have been several moves, consolidations, clarifications, and edits to the Core itself, with a renewed emphasis on Supply Chain Risk Management, which has been elevated to a Category with supporting Subcategories.

Some information was also moved: Informative References that had previously been sprinkled throughout the framework itself were placed in a separate column, which will be maintained within NIST’s Cybersecurity and Privacy Reference Tool. Stakeholders will need to avail themselves of new tools and resources to find these helpful mappings to the framework, which are critical for organizations dealing with a variety of different standards and guidelines.

This is going to be an adjustment for those who are accustomed to seeing the references directly in line with the Core. NIST’s rationale for this move is to keep the references fresh without having to rely on an update cycle that can take several years. Other changes to look out for include clarifications of the concept of Tiers and the inclusion of “implementation examples” to help stakeholders envision what “things” they might do to address a particular outcome. It’s likely that changes to the Cybersecurity Framework will affect other frameworks as well; NIST has already announced an update to the Privacy Framework that will take these changes into account.

One area to continue to watch is how all these NIST frameworks and related cybersecurity and privacy guidance will come together. After all, how many frameworks does it take to manage risk? What happens when you have a cybersecurity application that collects personal data and leverages AI? Which framework do I use? What does it look like to use these things together? This is an area the Center will be continuously monitoring and engaging with NIST on; more to come in future blogs!

Last, I leave you with an homage to the NIST Cybersecurity Framework Version 2.0 by ChatGPT, with a healthy dose of human intervention, of course, for editorial!

Six Functions Intertwined

“In the realm of bytes and codes embrace, NIST’s framework unfolds with grace.

Govern stands tall, a sentinel’s might, guiding the path through the digital night.

Identify, the first step in the dance, unveiling risks with a vigilant glance.

Protect, a fortress built strong, guarding the data where shadows belong.

Detect’s eye keen, a watchful gaze. Noting intrusions in cryptic arrays.

Respond swiftly to the cyber call. A digital waltz, a dance for all.

Recover, a resilient song, from breaches and storms, emerging strong.

Six functions intertwined, a cybersecurity art, guardians of data playing their part.”

Happy implementing!

Jamie Danker
