In the absence of federal cybersecurity and data privacy laws, companies have to look to other sources of guidance, including industry standards, and state laws. The National Institute of Standards and Technology (“NIST”) has sought to fill some of the large gaps on the issue of cybersecurity. Enforcement agencies often cite the NIST Framework as an important barometer of an organization’s commitment to cybersecurity risks and mitigation.
Recently, on February 26, 2024, the NIST released a new 2.0 Cybersecurity Framework for assessing cybersecurity maturity and managing cybersecurity risk. This is the first revision since the original Framework was released in 2014. The new 2.0 version includes specific governance requirements for cybersecurity risk management. In fact, the Framework added a new governance element, so that there are now six key functions: Identify, Protect, Detect, Respond, Recover and Govern. The Framework is a voluntary risk management framework, and regulators and policymakers have used this Framework to assess an organization’s security measures.
The new Govern element underscores the need for organizations to incorporate cybersecurity risks into its overall risk management strategies. To this end, the NIST Framework requires the organization’s strategy, expectation and policy are established, communicated and monitored. In addition, the Govern element addresses: (i) an organizational context; (ii) the establishment of cybersecurity strategy and cybersecurity supply chain risk management; (iii) roles, responsibilities and authorities; policy; and the oversight of cybersecurity strategy.
Aside from the new Govern element, the new Framework includes the original five elements: (1) Identify; (2) Protect; (3) Detect; (4) Respond; and (5) Recover.
Identify: The organization’s current cybersecurity risks are understood. Understanding the organization’s assets, suppliers and related cybersecurity risks enables an organization to prioritize its efforts.
Protect: Safeguards to manage the organization’s cybersecurity risks are used. Protect supports the ability to secure those assets to prevent or lower the likelihood and impact of adverse cybersecurity events.
Detect: Possible cybersecurity attacks and compromises are found and analyzed. Detect enables the timely discovery and analysis of anomalies, indicators of compromise and other potentially adverse events.
Respond: Actions regarding a detected cybersecurity incident are taken.
Recover: Assets and operations affected by cybersecurity incident are restored.
Aside from the new Govern element, there is additional guidance on supply chain risks, where the Framework emphasizes the complex, globally distributed, extensive and interconnected supply chain ecosystem. The Framework discusses the importance of supply chain risk management and cybersecurity supply chain risk management as an important part of the overall analysis.
The Framework cites in several sections to need to respond to information collected from internal reviews and the need to document risks. In referring to improvement, the Framework suggests that organizations should conduct an annual review of cybersecurity policies and procedures and incorporate information learned from such reviews into their cybersecurity programs.
