Why is NIST adding Governance to the NIST CSF 2.0?

New NIST CSF 2.0 guidelines add Governance to the core functions

2 MIN READ · SHAD RAHMAN · JAN 30, 2024 · TAGS: NIST / Tech tools

Security organizations of all shapes and sizes, across every vertical, are eagerly anticipating the National Institute of Standards and Technology’s (NIST) release of version 2.0 of its Cybersecurity Framework (CSF). The NIST CSF is one of the most widely adopted frameworks orgs use to assess their cybersecurity readiness and to map out the best path from where they are now to where they want to be in the future.

In fact, a recent study performed by the SANS Institute (and sponsored by Expel) found that nearly three-quarters (74%) of the companies that employ a framework use the NIST CSF—almost twice as many as the next top contenders (ISO 27001, NIST 800-37, and MITRE).

Even though NIST hasn’t officially released version 2.0 yet (it’s anticipated to go live any day now), the institute has shared a lot of information about what it plans to include. One of the biggest changes is the addition of Govern to the Framework Core Functions—joining Identify, Protect, Detect, Respond, and Recover—aimed at organizing cybersecurity outcomes at their highest level.

Why is NIST adding Govern to the NIST CSF 2.0?

The Govern function provides context that helps orgs establish and monitor their cybersecurity risk management, strategy, expectations, and policy. NIST describes the Govern function as “cross-cutting,” and it’s designed to help security teams prioritize the outcomes outlined in the other five functions.

As NIST says in its CSF 2.0 draft:

Governance activities are critical for incorporating cybersecurity into an organization’s broader enterprise risk management strategy. Govern directs an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policies, processes, and procedures; and the oversight of cybersecurity strategy.

What will fall into the Govern function in NIST CSF 2.0?

We won’t know for sure what the Govern function will include until NIST publishes CSF 2.0, but we know what the institute is proposing. Here’s a bit more context about the categories that could come under the Govern function, according to NIST:

  • Organizational context: the circumstances—mission, stakeholder expectations, legal, regulatory, and contractual requirements—surrounding the organization’s cybersecurity risk management decisions are understood.
  • Risk management strategy: the organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.
  • Cybersecurity supply chain risk management: cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders.
  • Roles, responsibilities, and authorities: cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated.
  • Policies, processes, and procedures: organizational cybersecurity policies, processes, and procedures are established, communicated, and enforced.
  • Oversight: results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy.

If you want to get even more granular and understand the specific outcomes for each category, you can review the public draft document. Skip down to pages 30-33 to see the subcategories, but make sure to give the full document a read. There are lots of useful insights that offer a preview of the changes coming in CSF 2.0.

How will the Govern function impact my CSF scoring?

As NIST said, the Govern function is meant to be “cross-cutting,” meaning that it informs how an org implements the other functions. In fact, all the framework functions are interwoven with one another, but Govern is designed to tie them all together.

In theory, if you’re improving your Govern capabilities, you’re also improving in other functions and categories. If you find that you’re weak in some of the categories under Govern, you’ll likely be able to pinpoint specific areas in other functions where improvement will lift your outcomes overall.

If you’d like to get a head start on scoring your org against the CSF, you can do that with our current self-scoring tool, using our spreadsheet and getting-started guide or, if you’re a customer, conveniently within Expel Workbench™.

And don’t worry, once NIST publishes CSF 2.0, our team will be working hard to update these tools and our other resources.