NIST CSF 2.0 Draft Emphasizes Cybersecurity Governance


October 2023

The National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) has helped organizations of various sizes and across industries better manage their cyber risk. The recently released public draft of NIST CSF 2.0 addresses new concerns facing cybersecurity teams and adds a sixth function, “Govern,” to the framework core.  

The five functions in the original framework were Identify, Protect, Detect, Respond and Recover. These functions describe the core outcomes needed to protect an organization’s data and systems: teams must understand and record the risks they face, implement safeguards against those risks, detect incidents when they occur, and prepare procedures for containing and recovering from them. The draft adds the Govern function, which spans the other five: it helps organizations prioritize actions across those areas, assigns roles and responsibilities so that procedures are carried out consistently, and gives leadership oversight of the cybersecurity strategy. If the other functions cover the actions a cybersecurity team needs to take, the Govern function provides guidance for organizing and directing a program that gets those things done in a consistent, accountable manner. 

The Govern function covers six categories (the draft’s identifiers are shown in parentheses): 

Organizational Context (GV.OC): Captures the circumstances that shape how the organization makes cybersecurity risk decisions. This includes the organization’s mission, its internal and external stakeholders and their expectations, and the legal, regulatory and contractual requirements it must meet. 

Risk Management Strategy (GV.RM): Ensures that stakeholders across the organization have communicated their needs and that risk management priorities have been established. Includes determining an appropriate risk appetite and tolerance, integrating cybersecurity into enterprise risk management processes, establishing lines of communication for cybersecurity risks, and developing a standardized method for documenting, categorizing and prioritizing cybersecurity risks. 

Cybersecurity Supply Chain Risk Management (GV.SC): Ensures that supplier and third-party decisions are made in accordance with cybersecurity priorities. Includes establishing a cybersecurity supply chain risk management program, defining cybersecurity roles and responsibilities for suppliers, customers and partners, and integrating supply chain risk management with the organization’s internal cybersecurity and enterprise risk management processes. 

Roles, Responsibilities and Authorities (GV.RR): Fosters accountability and continuous improvement by defining cybersecurity roles, responsibilities and authorities. This means making organizational leadership responsible and accountable for cybersecurity risk, establishing roles related to cybersecurity risk management, allocating adequate resources for managing cybersecurity risk, and including cybersecurity in human resources practices. 

Policies, Processes and Procedures (GV.PO): Encourages consistent operations by establishing, communicating and enforcing cybersecurity policies, processes and procedures. This includes developing processes that address the factors identified in the Organizational Context category and regularly reviewing and updating policies to keep pace with a changing risk environment. 

Oversight (GV.OV): Encourages cybersecurity programs to improve their procedures by tracking outcomes and adjusting their strategy accordingly. Includes tracking cybersecurity risk management performance metrics, reviewing outcomes against the risk management strategy, and adjusting priorities and the strategy itself based on what is learned. 

By mapping your controls to this function and each of its categories and subcategories, you can better understand where your governance practices are mature and where they could improve. With ProcessUnity for Cybersecurity Risk Management, you can map your controls to the NIST CSF and track your cybersecurity governance policies. While NIST CSF 2.0 is still in development, ProcessUnity will work to keep its control mappings up to date once the final version of the guidance is published. 

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.