NIST updates cybersecurity framework; Biden issues national security EO

Revised cybersecurity framework aims to help all organizations to manage and reduce risks.

The National Institute of Standards and Technology (NIST) has just updated its widely used Cybersecurity Framework (CSF), the landmark guidance document for reducing cybersecurity risk. The new 2.0 edition, the first major update since the framework’s creation in 2014, is designed for all audiences, industry sectors and organization types, from the smallest nonprofits to the largest corporations.

NIST, a part of the US Department of Commerce, has not updated these standards since 2014. In response to an executive order from President Barack Obama, NIST first released the CSF to help organizations understand, reduce and communicate about cybersecurity risk.

CSF 2.0

The CSF is the landmark guidance document for reducing cybersecurity risk. The new 2.0 edition is now specifically designed for all audiences, industry sectors and organization types, from the smallest nonprofits to the largest corporations, regardless of their degree of cybersecurity sophistication.

In response to the numerous comments received on its draft proposal, NIST has expanded the CSF’s core guidance to make the framework easier to put into action.

The CSF 2.0, which supports implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy.

The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation. 

The framework’s core is now organized around six key functions: Identify, Protect, Detect, Respond and Recover, plus CSF 2.0’s newly added “Govern” function. Together they provide a comprehensive view of the life cycle for managing cybersecurity risk.

The updated framework anticipates that organizations will come to the CSF with varying needs and degrees of experience implementing cybersecurity tools, with quick-start guides provided to help smaller entities, and specific guidance added to help enterprise risk managers and organizations seeking to secure their supply chains. 

A searchable catalog allows an organization to cross-reference the CSF’s guidance to more than 50 other cybersecurity documents, and it offers instructions on how to communicate these ideas to both technical experts and the C-suite, so all levels of an organization can stay coordinated.

Suite of resources

“Developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad,” according to Kevin Stine, chief of NIST’s Applied Cybersecurity Division. 

“The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats,” said Laurie E Locascio, Under Secretary of Commerce for Standards and Technology and NIST Director. “CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.”

New executive order

On Wednesday, the Justice Department (DOJ) announced that President Biden would be issuing a “groundbreaking” executive order (EO) addressing the national security threat posed by the continued effort of certain countries of concern to access Americans’ bulk sensitive personal data and certain US government-related data.

The EO is titled Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern, and it will direct the DOJ to establish, implement and administer new and targeted national-security programming to address this threat.

In accordance with the EO, the DOJ’s National Security Division will implement its provisions on behalf of the Attorney General, and it contemplates identifying China, Russia, Iran, North Korea, Cuba, and Venezuela as countries of concern under this program.

The Division will soon describe the initial categories of transactions involving bulk sensitive personal data or certain US government-related data as outlined in the EO and seek public comment on what the DOJ contemplates regulating, including prohibitions on data brokerage and transfers of genomic data, and restrictions on vendor, employment, and investment agreements.