NIST adds Governance Function to Cybersecurity Framework

By Jessica Davis

The National Institute of Standards and Technology issued a draft of the first major update to its Cybersecurity Framework (CSF), widely viewed as the cyber standard for critical infrastructure.

NIST is seeking comment on the updated framework on three points: whether the revisions effectively address current and anticipated cybersecurity challenges across all sectors, whether the draft is aligned with leading practices, and whether it reflects the previous round of comments. NIST is asking for concrete suggestions to improve the current draft and for views on the best way to present these changes.

The crux of these edits is an expansion of the framework's scope to cover all organizations, regardless of size or sector, rather than critical infrastructure alone. But the update also changes the core itself: the five functions written into the CSF in its initial 2014 release (Identify, Protect, Detect, Respond, Recover) gain a sixth, Govern.

The new Govern function covers organizational context, risk management strategy, policies and procedures, and roles and responsibilities. The organizational context includes the organization's mission priorities, which, according to the draft, must be understood by network defenders and used to inform all related risk management decisions.

For Buddy Hickman, Chief Strategy Officer of First Health Advisory, the new draft framework “not only provides the means to measure your organization’s cybersecurity capabilities and maturity, but it also now provides a ‘scorecard’ for your leaders, as well.”

However, Hickman sees room for the update to state plainly that governance is a shared responsibility of both the board and management. The governance roles of the board and of management “must be in concert to effectively deliver a cyber secure organization,” he explained.

Governance is “both a board and management matter,” said Hickman. If you measure governance only at the management level and never bring it to the board, it won’t be effective, and vice versa. Breaking down those silos and harmonizing leadership is imperative to an effective governance program.

Further, the new Govern function lifts some elements from categories elsewhere in the current 1.1 framework, and adds emphasis on governance and risk management roles, activities, platforms, technologies, and investments as critical to assuring the organization.

Hickman notes that he hopes both the board and management roles “will be clearly addressed when the final 2.0 framework is released.”

“Management is responsible for leading a performing cybersecurity program that gives care to people, process, technologies, and data – current state and forward looking,” said Hickman. “That requires articulation of roles and accountabilities, laying out a roadmap to address risk-scored vulnerabilities, and executing on that agreed plan.”

“Similarly, boards need to be keenly aware of the risk posture of the organizations that they govern to conduct their duties,” he continued. It is the board that is accountable for “assuring the organization’s future, including decisions made regarding resourcing cyber investments, sourcing alternatives, cyber liability insurance, cyber-related talent acquisition, and supply chain assurance.”

Supply chain is also a focus of the Govern function. As the pandemic showed, supply chain disruptions, particularly in technology, can halt business operations and degrade overall cybersecurity.

The recent Congressional review of the Pandemic and All-Hazards Preparedness Act (PAHPA) demonstrated the importance of protecting the supply chain from disruption, including risks to pharmaceuticals, medical devices, PPE, and other essentials. These actions “underscore that the cybersecurity risk assurance program should not be looked at as standalone but harmonized with other risk assurance matters of your organization,” said Hickman.

“In healthcare, cybersecurity is vital to the mission of patient care and population health. The disruptions to care delivery, care access, business operations, and patient privacy caused by untoward cyber events run beyond the impacts of other industries,” he added.