Updated NIST cybersecurity framework adds core function, focuses on supply chain risk management

10 years after the agency’s first cybersecurity framework, version 2.0 includes “govern” as a core function to set the tone for implementation and oversight of cyber strategies.
(Getty Images)

A decade after releasing its landmark national cybersecurity framework, the National Institute of Standards and Technology on Monday released version 2.0, an updated document that emphasizes governance and supply chain issues for both public and private sector entities. 

The new guidance, which outlines “high-level cybersecurity outcomes that can be used by any organization … to better understand, assess, prioritize and communicate its cybersecurity efforts,” adds a sixth core function — “govern” — to the previously stated pillars: “identify,” “protect,” “detect,” “respond,” and “recover.” 

“Govern” focuses on how an organization’s “cybersecurity risk management strategy, expectations and policy are established, communicated and monitored,” the framework stated, and is intended to address the implementation and oversight of a cybersecurity strategy. 

“‘Govern’ really represents the fact that we have to bring this into the boardroom for discussion,” Laurie Locascio, director of NIST and under secretary of Commerce for Standards and Technology, said during an Aspen Digital event Monday. “That took a lot of discussion really across all the stakeholders, because it is a big change” going from five core functions to six in the framework. 


Locascio noted that 10 years ago, before NIST’s initial CSF was launched, there was discussion about the elements of “govern,” but agency leaders “really weren’t ready yet to incorporate it.” But it was a priority for the latest iteration of the framework, especially the focus on the supply chain, which is listed underneath the “govern” pillar.

The document’s spotlight on supply chain risks covers how various types of technologies rely on a complex ecosystem for outsourcing, which involves geographically diverse routes for both private and public sector organizations that offer a variety of services. In the updated CSF, NIST points to Cybersecurity Supply Chain Risk Management (C-SCRM) as a systemic process to manage exposure to cybersecurity risks by developing appropriate “strategies, policies, processes and procedures.”

Along with the overall framework, NIST released the CSF’s Quick Start Guides (QSG) with implementation examples that allow entities to “view and download notional examples of concise, action-oriented steps to help achieve the outcomes of the CSF 2.0 subcategories in addition to the guidance provided in the informative references.”

In creating the new framework, Locascio said NIST fielded comments from stakeholders regarding the draft CSF document, but was not able to accept every single comment. 

“You come to a consensus, you have a larger discussion, but every single conversation, I think, led to a better place,” Locascio said. “When we didn’t accept something verbatim … there was a reason and we talked through it together. I think that also engenders trust because we were very transparent about the process, very openly engaged and really valued your feedback.”

Latest Podcasts