The National Institute of Standards and Technology (NIST) has been a leading voice in cybersecurity standards since 2013, when President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity tasked NIST, which is embedded within the Department of Commerce, with developing and updating a cybersecurity framework for reducing cyber risks to critical infrastructure. The first iteration of that framework was released in 2014, and Versions 1.1 and 2.0 followed in 2018 and 2024. NIST guidance has also expanded to include a privacy framework, released in 2020, and an AI risk management framework, released in 2023. This year, NIST made updates to both its cybersecurity and AI risk management frameworks and created a holistic data governance model that aims to provide a comprehensive approach for entities to address issues like data quality, privacy, security, and compliance, leveraging the various NIST frameworks under a unified data governance structure to help framework users address broader organizational risks. A retrospective of these developments and predictions for 2025 are detailed in this post.
Cybersecurity. The NIST Cybersecurity Framework (CSF) provides guidance to organizations for the management of cybersecurity risks and can help identify gaps in an organization’s cybersecurity practices by reflecting existing best practices and setting out the key considerations a company should weigh when designing a comprehensive cybersecurity program. While the CSF is voluntary for most organizations, adherence to NIST is a necessary condition for conducting some government contracts or operations within the federal system. Many more organizations, however, voluntarily choose to employ NIST as a helpful tool to understand, manage, and reduce their cybersecurity risk, and adoption of the CSF is increasingly becoming a standard practice for many companies in the private sector, as it is often cited both in negotiating and in responding to contractual agreements between private parties, regulatory inquiries, and private litigation.
A decade after its first release, and building on top of an interim 2018 update (Version 1.1), this year NIST updated the CSF and changed the title from “Framework for Improving Critical Infrastructure Cybersecurity” to the much more widely applicable “The Cybersecurity Framework,” signaling increased adoption of the framework across sectors. Having expanded the framework’s design to appeal to all audiences and industries, Version 2.0 focuses on making the framework accessible across a spectrum of existing cybersecurity sophistication by adding features like implementation examples, quick-start guides, and community profiles designed to illustrate how peer organizations are leveraging the CSF.
The framework was originally organized around five functions—Identify (recognize and understand organizational cyber risks), Protect (develop and implement appropriate safeguards), Detect (find cybersecurity intrusions and attempted intrusions), Respond (react to and take action regarding a detected cybersecurity incident), and Recover (plan for resiliency and maintain or restore services impaired by a cybersecurity incident). The new guidance also includes a sixth function, Governance, reflecting increased attention to how an organization will manage and implement the program using the original five functions.
The CSF 2.0 revisions make clear that it is no longer enough for companies to deploy even robust technical cybersecurity controls if they do not deploy commensurate governance controls, including having senior cybersecurity and non-cybersecurity executives communicate regularly and monitoring cybersecurity risk in the same context as financial risk. Today’s reality, as reflected by CSF 2.0, is that cybersecurity strategy, policies, processes, and procedures are just as important as identifying or protecting from outside threats to the organization.
AI Risk Management. NIST issued Version 1.0 of its Artificial Intelligence Risk Management Framework (AI RMF) in January 2023, contributing not just to cohesion among emerging U.S. policy on AI, but also to the ongoing international debate on AI policy and development. Like the Cybersecurity Framework, the AI RMF is intended to be a voluntary, adaptable, and living framework to guide organizations in (1) identifying and (2) assessing and managing risks in the AI context. Owing to the still-evolving state of AI policy and standards development, the AI RMF offers less granular implementation guidance than some of NIST’s other frameworks and includes fewer references to international standards. NIST does not expect to conduct a full formal review of Version 1.0 until 2028, but that does not rule out the possibility of an earlier interim update akin to CSF Version 1.1. Given again how quickly AI technologies and their associated risk management are evolving, an iterative approach may make just as much sense in this context as in the cybersecurity context, if not more.
The President’s FY 2025 budget request for NIST, totaling $1.5 billion, included $50 million to conduct AI research, establish testing infrastructure, develop technical guidance to measure and manage AI risks, and implement best practices and frameworks. When appearing before Congress to speak to the Institute’s FY25 budget request, Laurie Locascio, Under Secretary of Commerce for Standards and Technology and Director of NIST, emphasized NIST’s role in building national trust in new technologies such as quantum computing (through the National Quantum Initiative Act of 2018) and AI systems (through the AI RMF); its testing and evaluation work; and the newly launched U.S. AI Safety Institute. Shortly after this appearance before Congress, in July, NIST released NIST-AI-600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile. Developed in part to fulfill the October 2023 Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence, the profile supplements the more general AI RMF by helping organizations identify the unique risks posed by generative AI and proposing actions for managing those risks.
NIST in 2025 and Beyond. The release and steady adoption of the CSF, including as encouraged by executive order, has gradually led the framework to become a touchstone and reference point for private industry, outlining a flexible approach to helping organizations think about cybersecurity comprehensively. NIST is now working to strengthen its Cybersecurity Framework by creating a new Joint Frameworks Data Governance Management Profile, which will help integrate the CSF with NIST’s other risk management frameworks for AI and privacy. NIST released a concept paper in June 2024 that proposes four data governance objectives (data quality, data ethics, accountability, and data value) as well as specific data governance and management activities against which NIST’s Cybersecurity, AI, and Privacy frameworks may be mapped. Of the three frameworks proposed for integration, the CSF is far and away the most widely adopted and successful, while its privacy counterpart remains largely extraneous and has seen little uptake, and the AI RMF is still too new to gauge its impact or success. While adhering to the NIST CSF remains voluntary, it has come to be expected as a baseline for assessing a company’s cybersecurity posture, whether in the course of a regulatory inquiry, when purchasing or renewing cyber insurance, following an incident, or in the context of a corporate transaction. Indeed, the CSF has even been implemented by, or served as the model framework for, international governments developing their own cybersecurity frameworks. It remains to be seen whether the AI RMF will see similar domestic and foreign uptake and influence, but it appears well-positioned to do so.
Organizations should continue to consider how best to implement the principles of the CSF, including its recently added Governance function, with smaller organizations and those with less mature cyber programs leveraging new resources geared towards implementation that can be tailored based on business sector and size. Additionally, any organizations considering the development or use of AI should be familiar with the AI RMF and its accompanying materials and implementation guidance to best position themselves when and if this new framework enjoys a similar status domestically and internationally to that of the CSF.
For more information on PLI’s new edition of its cyber law treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk, click here.