
On February 26, 2024, the National Institute of Standards and Technology (“NIST”) released version 2.0 of its Cybersecurity Framework (“CSF 2.0”)—the first significant update to the cybersecurity guidance since its initial publication a decade ago.[1] While the original guidance was tailored to critical infrastructure entities, the new version has a broader scope and applies to organizations of all sizes across industries, from large corporations with robust data protection infrastructure to small schools and nonprofits that may lack cybersecurity sophistication.[2] CSF 2.0 notably incorporates new sections on corporate governance responsibilities and supply chain risks; additionally, NIST has released supplemental implementation guides and reference tools that can assist organizations in measuring cybersecurity practices and honing data protection priorities.[3]
NIST Cybersecurity Framework
Founded in 1901, NIST, now an agency of the U.S. Department of Commerce, advances measurement science, establishes standards, and operates advanced laboratories focused on new technologies, including the U.S. Artificial Intelligence Safety Institute.[4] The need for the kind of standardization NIST promulgates was highlighted in 1904 during the Great Baltimore Fire. After fire companies from nearby states rushed to assist relief efforts in the overwhelmed Maryland city, more than 1,500 buildings nevertheless burned as the result of a lack of uniform fire-hose fittings.[5] Following the conflagration, NIST participated in the creation of national fire protection standards.
Though cybersecurity in 2024 is certainly more complicated than deploying the right digital fire hose, NIST’s Cybersecurity Framework provides a “common language” and “systematic methodology” for managing ever-changing cyber threats.[6] CSF 2.0 is a long-awaited update to the guidance, which was first published in 2014—a year after President Obama signed an executive order to establish standards to secure networks against online threats—and was subsequently tweaked in April 2018.[7] These initial versions are organized around five key functions—Identify, Protect, Detect, Respond, and Recover—addressing preventative and reactive data protection measures.[8]
Since its publication a decade ago, the NIST Cybersecurity Framework has formed the baseline for managing and reducing cybersecurity risk—helping some adherent companies avoid enforcement action and litigation that could arise from failed information security and, in certain cases, providing regulators with ammunition to pursue firms that misrepresent their cybersecurity posture.[9] In October 2023, the SEC sued software company SolarWinds and its chief information security officer (“CISO”) for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.[10] From January 2019 to December 2020, SolarWinds fell victim to one of the most sophisticated nation-state cyber attacks in history—one that purportedly exploited various internal cybersecurity failings. Specifically, the SEC contends that SolarWinds issued public statements prior to the attack that “touted the Company’s supposedly strong cybersecurity practices,” including representing that it “complied with the NIST Framework for evaluating cybersecurity” when the company, in fact, apparently failed to meet most standards in the guidance.[11] The SEC devotes an entire section of its complaint to SolarWinds’ allegedly misleading claims regarding the NIST Cybersecurity Framework.
Interrelated NIST Guidance and Initiatives
CSF 2.0 is part of a panoply of NIST guidances that include the Privacy Framework, which is currently undergoing a modest update to realign with CSF 2.0, as well as the AI Risk Management Framework (“AI RMF”), released a year ago. As noted, NIST houses the U.S. Artificial Intelligence Safety Institute, which is leading the government’s efforts to set technical standards for AI testing and evaluation. However, budget constraints have reportedly left the institute with a skeletal staff and degraded laboratory conditions. Moreover, lawmakers recently released a new spending plan that would cut NIST’s overall budget by more than 10 percent, to $1.46 billion.[12] While lawmakers propose to invest $10 million in the institute, that is a fraction of what other countries are spending on AI; by comparison, Great Britain has poured more than $125 million into AI safety efforts.[13]
Key Elements of CSF 2.0
The final version of CSF 2.0 is the product of a two-year iterative process involving multiple drafts released for public comment, various workshops, and other forms of industry engagement.[14] Like its predecessor guidance, CSF 2.0 is a voluntary framework intended to be a “living document” refined over time in order to “keep pace with technology and threat trends, integrate lessons learned, and move from best practice to common practice.”[15]
Broad Applicability
Though previous versions of the Cybersecurity Framework addressed critical infrastructure, the guidance ultimately became more widely used in practice. A key update to CSF 2.0 is that it is officially adaptable to organizations of all sizes and types regardless of an institution’s cybersecurity maturity level. New adopters will likely benefit from NIST’s supplemental “Implementation Examples” that enable users to easily review and export core guidance information and take action-oriented compliance steps.[16]
Added “Govern” Function
CSF 2.0 retains the five core functions from previous versions and notably adds a sixth: Govern. The Govern function requires an organization to ensure that its “cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.”[17] Although drafted as a CSF core function, Govern really operates as the umbrella organizational principle since, according to NIST, cybersecurity governance “informs how an organization will implement the other five functions.”[18]
CSF 2.0’s added corporate governance language is directed at senior management, which is increasingly being held responsible by regulators for firms’ cybersecurity adequacy. As discussed, the SEC recently filed a lawsuit against SolarWinds and its CISO—the commission’s first cybersecurity lawsuit against an individual (and first cybersecurity action with scienter fraud charges). Additionally, the agency’s new cybersecurity disclosure rules for public companies require that firms disclose in annual reports on Form 10-K information regarding cybersecurity risk management and governance, including management’s role in assessing and managing material risks from cybersecurity threats and (as applicable) which management positions or committees are responsible for cyber threats, and their relevant expertise.[19] Other regulators have increasingly focused on cyber governance. Under the New York State Department of Financial Services’ amended Part 500 Cybersecurity Regulations, for example, an institution’s “senior governing body”—a board of directors, board committee, or equivalent governing body—must oversee the entity’s cybersecurity risk management and approve written policies for the protection of information systems and non-public information stored on those systems at least annually, as well as review regular management reports about cyber issues.[20]
Supply Chain Risk Management
The new Govern function also focuses on supply chain risk management and evolving expectations about the use of third-party vendors. CSF 2.0 indicates that organizations should have a “supply chain vendor risk management program” that is integrated into the firm’s overall cybersecurity and enterprise risk management, risk assessment, and improvement processes.[21] Additionally, under the updated framework, an institution should ensure that its contracts with third parties incorporate requirements to address cybersecurity risks in supply chains.[22]
Looking Ahead
It is important for organizations that have reviewed and implemented the Cybersecurity Framework—particularly public companies that now must disclose information regarding their cyber governance and risk management processes—to thoroughly review CSF 2.0 and ensure that any disclosures about the guidance or other information security standards are accurate and up to date.
***
For more analysis on how the NIST guidance affects the health care sector, please see the Ropes & Gray Client Alert.
[1] Nat’l Inst. of Standards and Tech., NIST Cybersecurity Framework (CSF) 2.0 (Feb. 26, 2024), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf.
[2] Nat’l Inst. of Standards and Tech., NIST Releases Version 2.0 of Landmark Cybersecurity Framework (Feb. 26, 2024), https://www.nist.gov/news-events/news/2024/02/nist-releases-version-20-landmark-cybersecurity-framework.
[3] See supra note 1.
[4] Nat’l Inst. of Standards and Tech., NIST History, https://www.nist.gov/history.
[5] Nat’l Inst. of Standards and Tech., Standards, https://www.nist.gov/standards.
[6] Nat’l Inst. of Standards and Tech., CSF 1.1 Uses and Benefits of the Framework, https://www.nist.gov/cyberframework/uses-and-benefits-framework.
[7] See Executive Order on Improving Critical Infrastructure Cybersecurity (Feb. 12, 2013), https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
[8] See Nat’l Inst. of Standards and Tech., NIST Cybersecurity Framework (CSF) 1.0 (Feb. 12, 2014), https://www.nist.gov/system/files/documents/cyberframework/cybersecurity-framework-021214.pdf.
[9] The Cybersecurity Framework has been downloaded more than 2 million times by users across more than 185 countries and has been translated into at least nine languages. Nat’l Inst. of Standards and Tech., NIST Drafts Major Update to Its Widely Used Cybersecurity Framework (Aug. 8, 2023), https://www.nist.gov/news-events/news/2023/08/nist-drafts-major-update-its-widely-used-cybersecurity-framework.
[10] Sec. & Exch. Comm’n, Press Release, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Oct. 30, 2023), https://www.sec.gov/news/press-release/2023-227.
[11] Complaint, Sec. & Exch. Comm’n v. SolarWinds Corp. No. 1:23-cv-9518 (S.D.N.Y. Oct. 30, 2023), https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-227.pdf.
[12] Cat Zakrzewski, This Agency is Tasked with Keeping AI Safe. Its Offices Are Crumbling, Wash. Post (Mar. 6, 2024), https://www.washingtonpost.com/technology/2024/03/06/nist-ai-safety-lab-decaying.
[13] Id.
[14] Nat’l Inst. of Standards and Tech., NIST’s Journey to CSF 2.0, https://www.nist.gov/cyberframework/nists-journey-csf-20.
[15] Id.
[16] Nat’l Inst. of Standards and Tech., NIST Implementation Examples (Feb. 26, 2024), https://www.nist.gov/system/files/documents/2024/02/21/CSF%202.0%20Implementation%20Examples.pdf.
[17] Supra note 1.
[18] Id.
[19] Sec. & Exch. Comm’n, Statement from Erik Gerding on Cybersecurity Disclosures (Dec. 13, 2023), https://www.sec.gov/news/statement/gerding-cybersecurity-disclosure-20231214.
[20] 23 NYCRR §§ 500.3–500.4.
[21] Supra note 1.
[22] Id.