New Guidance for Managing Cybersecurity Risks with NIST CSF 2.0

Thursday, March 14th, 2024



NIST’s Cybersecurity Framework (CSF) is designed to help institutions of all sizes and sophistication levels manage and reduce their unique cybersecurity risks. With the release of CSF 2.0, NIST has expanded the practices and controls that institutions can use to understand, assess, prioritize, and communicate their cybersecurity efforts.

For the first time since its release more than a decade ago, the National Institute of Standards and Technology (NIST) has made significant enhancements to its widely used Cybersecurity Framework (CSF), unveiling new guidance to aid institutions in managing their cybersecurity risks. NIST’s CSF 2.0 offers high-level outcomes relevant to all financial institutions regardless of size, complexity, or risk appetite, which establish a solid foundation for maintaining and ensuring cyber risk readiness.

NIST received and considered feedback from its community for more than a year before releasing CSF 2.0 and has updated the official title of its framework – now known as “The Cybersecurity Framework” – to reflect the expansion beyond the original focus on “critical infrastructure.” The goal of NIST’s framework is to help institutions manage and reduce risk, and to extend its reach beyond the industries that were deemed “critical” (e.g., energy, financial institutions, healthcare, and public utilities) when it was originally released in 2014. CSF 2.0 offers a broad catalog of references that your cybersecurity team can use to gather guidance for implementing the new framework, regardless of your asset size or sophistication level.

What’s New in NIST CSF 2.0?

Perhaps the most notable enhancement is the expansion of the five core functions of the framework. In addition to the existing areas – Identify, Protect, Detect, Respond, and Recover – NIST has introduced Govern in its 2.0 guidance: “The Govern function provides outcomes to inform what institutions should do to achieve and prioritize the outcomes of the other five functions, as well as establishes that your institution’s cybersecurity risk management strategy, expectations, and policy are defined, communicated, and monitored. Governance activities are critical for incorporating cybersecurity into the institution’s broader Enterprise Risk Management (ERM) strategy.”

Many institutions still use the FFIEC CAT/ACET as a “framework,” despite the fact that it has not been updated in some time, because it includes things like risk management and oversight that are specific and essential to financial institutions. Since the future of the CAT’s relevance remains unclear, and the obvious shift we’ve seen from examiners is away from the CAT toward industry frameworks, CSF 2.0 becomes the most attractive option for a replacement. For institutions that have already matured past the FFIEC CAT, the new version of the CSF offers the banking-specific themes of the FFIEC CAT/ACET they may have been missing. If you don’t fit into either of those buckets and you’ve never used a framework to guide your program, CSF 2.0 also serves as a great starting point with its tiered maturity approach to implementation and its clear implementation examples.

The Govern function includes six sections:

    • Organizational Context
      • Outcomes related to strategic planning, stakeholders, regulatory requirements, resilience, and external dependencies and how those relate to the institution’s cyber risk management decisions.
    • Risk Management Strategy
      • Outcomes related to using risk management strategies and objectives, a risk appetite statement, defined tolerances, cross-departmental communication, and risk measurement to support risk decisions and align cyber risk management with enterprise risk management.
    • Roles, Responsibilities, and Authorities
      • Outcomes related to creating a security culture that fosters accountability, allocates appropriate resources, and lends itself to continuous improvement.
    • Policy
      • Outcomes related to the importance of establishing policy, as well as communicating and enforcing policy enterprise-wide.
    • Oversight
      • Outcomes related to using metrics and program performance to improve and adjust the risk management strategy.
    • Cybersecurity Supply Chain Risk Management
      • Outcomes related to third-party risk management and supply chain risk management.

These sections serve as an outline for the kind of solid risk governance to which financial institutions are accustomed. The main themes focus on alignment with organizational objectives, key metric monitoring, continuous improvement, and building and maintaining a healthy culture and accountability structures. For financial institutions, this is how risk is managed enterprise-wide. However, many have struggled to apply the same caliber of risk management techniques to cybersecurity that they’ve implemented elsewhere, because widely accepted industry frameworks omit the components covered in the Govern function. Now, CISOs at financial institutions have the best of both worlds with CSF 2.0 – effective risk governance plus best practices for mitigating cybersecurity risks. What’s even more comforting is that CISOs in industries outside of banking, who may not have a solid understanding of effective risk management, now have guidance on how to implement risk governance in their own businesses. As consumers with data all over the place, that should make us all feel a little safer.

The release of CSF 2.0 and the inclusion of the Govern function reinforce the importance of risk management and accountability in cybersecurity efforts. DefenseStorm’s GRID Active has NIST CSF 2.0 integrated as a framework, with mappings to activities within Threat Surveillance, Governance Program, and Risk Assessment, all customizable to the unique needs of your institution. This further builds on our built-for-banking philosophy and ensures that your institution is cyber risk ready in the battle against emerging and existing threats in an evolving landscape.

Source: National Institute of Standards and Technology (2024) The NIST Cybersecurity Framework (CSF) 2.0. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Cybersecurity White Paper (CSWP) NIST CSWP 29.

Jessica Caballero

Senior Product Manager - Compliance

Jessica Caballero, Senior Product Manager, Compliance and Risk, CERP, CRCM. Jessica was an examiner for the Office of the Comptroller of the Currency (OCC). After leaving the agency, she worked as both a banker and a consultant focused mainly on compliance and risk management. Since 2015, Jessica has applied her subject matter expertise to the creation of technology solutions that solve critical problems for financial institutions. At DefenseStorm, she leads product decisions specific to compliance and risk as a Senior Product Manager. Jessica earned her bachelor’s degree in business economics from Texas State University and achieved the Certified Enterprise Risk Professional (CERP) and Certified Regulatory Compliance Manager (CRCM) designations from the American Bankers Association (ABA).