NIST Cybersecurity Framework 2.0

October 09, 2023

What is the NIST Cybersecurity Framework 2.0?

On 8 August 2023, NIST[1] released a public draft of the NIST Cybersecurity Framework (CSF) 2.0 and the NIST Cybersecurity Framework 2.0 Reference Tool, which provides Implementation Examples. The NIST Framework is one of the most widely used cybersecurity frameworks globally. In Australia, organisations from small and medium enterprises to critical infrastructure operators and large financial institutions apply the framework to inform their management of cybersecurity risks.


This is a significant update to the Framework, which was first released in 2014 and updated in 2018. The draft updates the CSF to recognise current and future cybersecurity challenges, and provides greater guidance on how to apply the framework and leverage other NIST supporting publications.


Organisations can provide feedback on this CSF 2.0 Public Draft, as well as on the related Implementation Examples Draft. Now is also the time to communicate to your stakeholders that maturity scores might change because of updates to the number of Functions (from 5 to 6), Categories (from 23 to 22) and Sub-categories (from 108 to 106).

What has changed?

Three key changes to highlight in the draft CSF are:

  1. Title, scope, implementation examples and references
    The title has changed to the commonly used name, “Cybersecurity Framework”, from the original “Framework for Improving Critical Infrastructure Cybersecurity”. The scope of the framework has been updated to reflect its applicability to all organisations across the world, whereas the previous framework emphasised securing United States critical infrastructure. Updates to the CSF include Implementation Examples at the Sub-category level, to help organisations achieve outcomes, as well as references to standards, guidelines, regulations and other resources that inform how an organisation achieves the Functions, Categories and Sub-categories.

  2. New governance function
    To respond to challenges of enterprise, financial and legal risks, the CSF introduces a new “Govern” function in addition to the existing functions of “Identify”, “Protect”, “Detect”, “Respond” and “Recover”.

    The new “Govern” function highlights the role of the business and the importance of aligning security with the organisation's strategic objectives. “Govern” also provides additional guidance on Enterprise Risk Management.

  3. Changes to Functions, Categories and Sub-categories

    As mentioned, the substantial update has resulted in a change to the number of Functions, Categories and Sub-categories in the Framework.

                    CSF 1.1    CSF 2.0
    Functions            5          6
    Categories          23         22
    Sub-categories     108        106

NIST's key timeline for CSF 2.0

August 2023: Draft 2.0 published

September 2023: Workshop #3

November 2023: Comments due

Early 2024: Release date

NIST has stated that version 2.0 will be released in early 2024; any comments or feedback must be provided to NIST by November 2023.

CSF 2.0 is a voluntary framework. Organisations can determine their own timeline to update profiles or maturity assessments developed with reference to the previous iteration of the Framework.

For those organisations seeking to use CSF 2.0 for the first time, the draft CSF 2.0 can be reviewed now to consider its applicability and utility.

Considerations for action


Move now, get ahead

Have you considered what the publication of NIST CSF 2.0 may mean for your organisation?

Will you need to update existing profiles or maturity assessments developed with reference to NIST CSF version 1.1? Will changes to CSF Functions and Categories impact your current and target state? Will weighting changes within Functions have an impact?


Executive readiness

Do your executives have strategic oversight of cybersecurity risk management and supply chain management?

The new Govern function sets out a framework for organisations to establish and monitor their cybersecurity risk management strategy and risk appetite, including supply chain risk management.


Integration with privacy and risk management

How does your existing management of cybersecurity risk intersect with other risk areas?

CSF 2.0 provides guidance on how the Framework overlaps or intersects with other risk areas, including privacy, operational and physical security risks.


Measurement and improvement

How do you identify and evaluate improvements to cybersecurity risk management processes? Are lessons learned used to identify improvements?

The new Improvement category within the Identify Function emphasises the importance of continuous improvement.

[1] National Institute of Standards and Technology, US Department of Commerce

Contact us

Andrew Gordon

Partner, Cybersecurity & Digital Trust, PwC Australia

Tel: +61 402 892 184

Christopher Davis

Partner, Cybersecurity & Digital Trust, PwC Australia

Tel: +61 400 388 087

Craig Sydney

Partner, Cybersecurity & Digital Trust, PwC Australia

Tel: +61 400 215 757

Pia Chakravarti

Partner, Assurance, PwC Australia

Tel: +61 421 023 913

Nicola O’Brien

Senior Manager, Cyber Security, PwC Australia

Tel: +61 419 498 317