The National Institute of Standards and Technology ("NIST") has released a significant update to its Cybersecurity Framework, expanding its scope to a broader audience and to evolving cybersecurity risk management issues.

On February 26, 2024, NIST released its updated Cybersecurity Framework 2.0 ("CSF 2.0"), the first major revision of the framework since its original release in 2014 (version 1.1, issued in 2018, was a more modest update). This development has significant legal ramifications because entities have increasingly turned to the NIST framework to design and implement cybersecurity programs and to measure their effectiveness. While the original framework was written for critical infrastructure organizations, CSF 2.0 is aimed at organizations of all sizes, sectors, and levels of cybersecurity maturity, and presents an evolution of best practices and methodologies adapted to new and evolving issues in cybersecurity management. While CSF 2.0 preserves the original components, it extends its reach to include guidance on cyber governance and risk management, artificial intelligence, supply chain and third-party risk management, zero-trust architecture, and IoT security.

The most significant change is the elevation of cybersecurity governance and risk management to a central function of the framework. CSF 2.0 adds Govern as a sixth function alongside the original five: Identify, Protect, Detect, Respond, and Recover. The Govern Function addresses cybersecurity risk management and oversight by assigning roles, responsibilities, and authorities so that an organization's cybersecurity risk posture is aligned with its existing enterprise risk management; it is positioned as a cross-cutting function that informs how the other five are carried out. This new emphasis on governance coincides with instances in which federal regulators have held executive leadership accountable for cybersecurity failures. The updated framework is also accompanied by a new reference tool, tailored quick-start guides, and implementation examples.

CSF 2.0's focus on cybersecurity risk management comes on the heels of the cybersecurity risk management and disclosure obligations that the Securities and Exchange Commission adopted for public companies in 2023. Further, government agencies are increasingly including requirements in contracts and subcontracts that point to NIST guidance for safeguarding sensitive information, including the Department of Defense's recently published proposed rule laying out the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. As an additional example of the framework's relevance, the Federal Trade Commission ("FTC") has pointed to NIST's Cybersecurity Framework as consistent with the process-based approach the FTC expects entities to follow in implementing cybersecurity programs.

As regulators adopt CSF 2.0 as a baseline for their varying cybersecurity enforcement approaches, organizations should proactively assess their cybersecurity governance and risk management programs against the Govern Function and the other five functions to help reduce the risk of litigation and enforcement action.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.