
Legal Alert

New Draft Version of Cybersecurity Framework (CSF) Stresses Senior Management's Role in Keeping Organizations Safe

August 21, 2023

The National Institute of Science and Technology (NIST) has released a new draft version of the Cybersecurity Framework, which helps industry, government agencies, and other organizations reduce their cybersecurity risks.

While the guidance was previously intended for the federal government, it is now understood as being applicable to pretty much all companies, from the biggest to the smallest. Organizations should pay attention if they want to be able to signal to their stakeholders—customers, investors, supply chain members, and regulators—that they are taking their cybersecurity practices seriously.

What Companies Need to Know

One of the key takeaways is that, in Version 2.0 of the Cybersecurity Framework (CSF), NIST is highlighting for the first time the role of senior management in maintaining a healthy cybersecurity environment.

The previous version, 1.1, consisted of five core areas or “pillars” that address the administrative and technical qualities of an effective cybersecurity regime: Identify, Protect, Detect, Respond, and Recover. The CSF 2.0 introduces a sixth area: Govern. This pillar can open the door to inquiry into senior management’s role leading up to and handling a cybersecurity breach, and as such may influence how regulators and litigants approach the question of a defendant’s cybersecurity practices in the event of a breach.

In fact, Version 2.0 says, in GV.RR-01, “Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving.”

Bottom line: This change in NIST’s view will, in turn, inform courts, regulators, and litigants that senior management’s involvement in maintaining organizational cybersecurity is essential. We can expect to see CSF 2.0 used—in regulation and litigation—as a checklist for identifying what is missing.

We recommend that businesses use the same checklist function proactively to ensure that every cybersecurity function is appropriately covered.

When Does CSF Version 2 Take Effect?

NIST is seeking public comment on the CSF Version 2.0 until Nov. 4, 2023. The final version of the CSF is expected in early 2024.

We Can Help

Maslon can assist you with using the CSF, versions 1.1 and 2.0 (once it is released), to better protect your company from cyber threats.
