On February 26, 2024, the U.S. National Institute of Standards and Technology (“NIST”) published version 2.0 of its Cybersecurity Framework.  Originally released in 2014 and updated in 2018 and now 2024, the NIST Cybersecurity Framework (“CSF” or “Framework”) “offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts.”  Globally, organizations, industries, and government agencies have increasingly relied upon the Framework to establish cybersecurity programs and measure their maturity.  NIST had proposed some potentially significant updates to the Framework in a Concept Paper published on January 19, 2023, which this Version 2.0 follows. 

Significant Updates.  The CSF 2.0 incorporates some significant updates to the Framework, including: 

  • Expanded Application – Although the original Framework was developed to address critical infrastructure cybersecurity risks, the Framework has become much more widely used in practice, including internationally.  CSF 2.0 recognizes this broader scope of the Framework and acknowledges that it “is designed to be used by organizations of all sizes and sectors, including industry, government, academia, and nonprofit organizations, regardless of the maturity level of their cybersecurity programs.” 
  • New “Govern” Function – The original five functions of the Framework – Identify, Protect, Detect, Respond, and Recover – have been expanded to include a new, sixth function:  Govern.  The new Govern function looks to whether an “organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.”  In particular, the function “addresses an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policy; and the oversight of cybersecurity strategy.”  According to NIST, “[t]he governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation.”
  • Increased Focus on Cybersecurity Supply Chain Risk Management (“C-SCRM)” – As part of the Govern function, the CSF 2.0 includes a category on C-SCRM, which expands upon the C-SCRM category that was previously outlined in the Identify function of the CSF 1.1 (ID.SC).  Overall, the C-SCRM category looks to whether an organization’s “[c]yber supply chain risk management processes are identified, established, managed, monitored, and improved by organization stakeholders.”  For example, some of the C-SCRM subcategories address whether C-SCRM is integrated into an organization’s cybersecurity and risk management processes, whether an organization performs due diligence to reduce risks before establishing supplier relationships, and whether suppliers’ performance is monitored throughout the technology or service life cycle, among other aspects.
  • New Reference Tools – Along with the CSF 2.0, NIST has released additional tools and resources to assist organizations with implementing the Framework, such as new Implementation Examples.  In particular, NIST has published new Quick Start Guides “designed for specific types of users, such as small businesses, enterprise risk managers, and organizations seeking to secure their supply chains.”  For example, NIST has released a C-SCRM Quick Start Guide that outlines how to use the Framework to establish and operate a C-SCRM capability.  Similarly, NIST has published an Enterprise Risk Management Quick Start Guide that provides an introduction into “planning and integrating an enterprise-wide process for integrating cybersecurity risk management information[.]”  Separately, NIST has also released a new CSF 2.0 Reference Tool that allows users to explore the Framework functions, export sections for reference, and filter for Informative References that “show the connection between the CSF 2.0 and other cybersecurity frameworks, standards, guidelines, and resources.” 

Looking Ahead.  Following the publication of the CSF 2.0, NIST has stated that the Implementation Examples and the Informative References “will be updated more frequently than the rest of the Core.”  These resources will be published and maintained online.

Photo of Micaela McMurrough Micaela McMurrough

Micaela McMurrough has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and serves as co-chair of Covington’s global and multi-disciplinary Internet of Things (IoT) group. She also represents and advises domestic and international…

Micaela McMurrough has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and serves as co-chair of Covington’s global and multi-disciplinary Internet of Things (IoT) group. She also represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Photo of Ashden Fein Ashden Fein

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing…

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Mr. Fein frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Additionally, Mr. Fein assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Mr. Fein served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Mr. Fein currently serves as a Judge Advocate in the U.S. Army Reserve.

Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Photo of Matthew Harden Matthew Harden

Matthew Harden is a litigation associate in the firm’s New York office and advises on a broad range of cybersecurity, data privacy, and national security matters, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, and regulatory inquiries.