Legal Alert
New Draft Version of Cybersecurity Framework (CSF) Stresses Senior Management's Role in Keeping Organizations Safe
August 21, 2023
The National Institute of Science and Technology (NIST) has released a new draft version of the Cybersecurity Framework, which helps industry, government agencies, and other organizations reduce their cybersecurity risks.
While the guidance was previously intended for the federal government, it is now understood as being applicable to virtually all companies, from the largest to the smallest. Organizations should pay attention if they want to be able to signal to their stakeholders—customers, investors, supply chain members, and regulators—that they are taking their cybersecurity practices seriously.
What Companies Need to Know
One of the key takeaways is that, in Version 2.0 of the Cybersecurity Framework (CSF), NIST is highlighting for the first time the role of senior management in maintaining a healthy cybersecurity environment.
The previous version, 1.1, consisted of five core areas or “pillars” that address the administrative and technical qualities of an effective cybersecurity regime: Identify, Protect, Detect, Respond, and Recover. The CSF 2.0 introduces a sixth area: Govern. This pillar can open the door to inquiry into senior management’s role leading up to and handling a cybersecurity breach, and as such may influence how regulators and litigants approach the question of a defendant’s cybersecurity practices in the event of a breach.
In fact, Version 2.0 says, in GV.RR-01, “Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving.”
Bottom line: This change in NIST’s view will, in turn, inform courts, regulators, and litigants that senior management’s involvement in maintaining organizational cybersecurity is essential. We can expect to see CSF 2.0 used—in regulation and litigation—as a checklist for identifying what is missing.
We recommend that businesses use the same checklist function proactively to ensure that every cybersecurity function is appropriately covered.
When Does CSF Version 2 Take Effect?
NIST is seeking public comment on the CSF Version 2.0 until Nov. 4, 2023. The final version of the CSF is expected in early 2024.
We Can Help
Maslon can assist you with using the CSF, versions 1.1 and 2.0 (once it is released), to better protect your company from cyber threats.