NIST’s Updated Cybersecurity Framework – Contractor Implications

Published: March 01, 2024


The top federal standards organization’s updated cybersecurity framework includes useful tools for contractors navigating federal cyber standards.

The National Institute of Standards and Technology (NIST) has released an update to their overarching cybersecurity guidance to help organizations manage and reduce their cybersecurity risks. The Cybersecurity Framework (CSF) 2.0 is NIST’s first major update to the framework since its creation in 2014 and is the result of a multi-year process of discussions and public feedback aimed at making the framework even more effective.

CSF 2.0 – Key Highlights

Broader Scope – NIST has expanded the CSF's target audience from its original focus on critical infrastructure organizations to organizations of all types and sizes, across all sectors and markets, to help them manage and reduce cyber risks.

Expanded Core Functions – CSF 2.0 has expanded the existing five core functions – Identify, Protect, Detect, Respond, and Recover – to include a sixth, Govern. This overarching Govern function is intended “to inform what an organization may do to achieve and prioritize the outcomes of the other five Functions,” and incorporates enterprise cybersecurity strategy, policy and responsibilities, as well as cybersecurity supply chain risk management.

Both the scope expansion and the addition of the Govern function, which is aimed at organizational leadership, underscore the fact that cyber risks are a reality across the organizational landscape.

New Implementation Tools – NIST has included a set of resources designed to give different audiences customized, targeted paths into the CSF, making the framework easier to put into practice and helping organizations achieve their cybersecurity goals.

A new CSF 2.0 Reference Tool allows users to browse, search and filter the guidance for the CSF’s six core functions to select the most useful information for their CSF implementation. Several quick start guides are provided to help organizations implement particular cybersecurity approaches, such as Enterprise Risk Management or Cybersecurity Supply Chain Risk Management (C-SCRM). There is also a guide specifically tailored to help small businesses improve their cybersecurity.

Cyber Resource Mapping – In addition to the resources above, CSF 2.0 provides a searchable Informative Reference Catalog which allows an organization to cross-reference CSF guidance to 50+ other cybersecurity guidance documents, such as NIST SP 800-53 Rev. 5 or NIST SP 800-171 Rev. 2. These SPs provide cybersecurity standards being used by programs seeking to ensure the cybersecurity of federal contractors. Additional CSF mapping resources provided under Informative References include Implementation Examples which offer potential ways an organization may achieve each CSF outcome.

Contractor Implications

The updated CSF has several implications that are relevant to all companies, including federal contractors. First, CSF 2.0 positions cybersecurity risk as a key strategic concern at the C-level of an organization, on par with other risk areas such as financial, reputational and supply chain risk. While many companies may already acknowledge cybersecurity as a major source of enterprise risk, some may not address it at the top levels of leadership.

For contracting companies at all levels of the federal supply chain – products and services, commodities or technology – failure to appropriately address cyber risk in your organization will eventually mean lost opportunities. This is especially true as agencies seek to implement stricter enforcement of contractor cybersecurity practices, such as through the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) and the Department of Homeland Security’s Cybersecurity Readiness Factor programs.

The new CSF 2.0 mapping tools may help current and potential contractors to map CSF objectives to the NIST technical standards that undergird these contractor cyber-assurance programs, such as NIST’s SP 800-171 and SP 800-53. These mappings may help some companies implement the proper cybersecurity practices more efficiently and effectively, reducing both cyber- and financial risk. NIST has also recently drafted updated guidance to help organizations employ data-driven, quantitative approaches to evaluating their cybersecurity efforts that can be used in conjunction with the CSF.

Finally, the CSF small business quick start guide and other relevant reference materials could help to alleviate some of the capacity and financial burdens that these businesses face in addressing the increasingly stringent requirements agencies are placing on companies just to compete for federal contracts.