Cybersecurity Framework 2.0: Spotlight on Governance

The National Institute of Standards (NIST) provides a welcome update to its Cybersecurity Framework.

NIST Cybersecurity Framework 2.0

NIST has announced a long-awaited update to its Cybersecurity Framework (CSF 2.0) that could help organizations deploy cybersecurity initiatives more effectively. For managed services providers (MSPs), the new update could also help broaden the appeal of following the CSF recommendations for clients.

Although the CSF provides guidelines and best practices for improving cybersecurity for any company, the original target was critical infrastructure providers. The framework served as voluntary guidance for these organizations to better manage and reduce their cybersecurity risk and foster better security communication.

For MSPs and their clients, the most important updates to CSF 2.0 cover the intended audience of the guidance, the addition of governance to the core functions covered by the document, and guidance related to privacy and emerging technologies like artificial intelligence (AI).

Expanding CSF to a Broader Audience

In 2013, CSF was primarily concerned with helping improve cybersecurity for critical infrastructure, which was seen as particularly vulnerable. The best practices in the document were broadly applicable. Still, the general tone of the document did not make it easy for companies outside of those markets to apply the concepts to their security efforts.

The guidance has been revised and has a more general approach. NIST has included various resources to help different types of companies define and create cybersecurity plans. Some examples are references, pre-formatted organizational and community profiles, and quick-start guides, including resources for small businesses. The new version has also been aligned with President Biden’s National Cybersecurity Strategy.

Addressing Privacy Concerns and AI Risks

CSF 2.0 can be used with two other new frameworks from NIST: the NIST Privacy Framework and the NIST Artificial Intelligence Risk Management Framework (AI RMF). Together, these frameworks will help organizations improve privacy in the context of cybersecurity while also addressing emerging risks from AI and other new technologies.

A New CSF Function: Governance

The most important CSF update may be the addition of governance to the core functions identified in the guidance. The original CSF included five core functions:

  1. Identify (understanding risk across the organization)
  2. Protect (safeguards for delivery of critical services)
  3. Detect (identifying cybersecurity incident occurrences)
  4. Respond (taking action once an incident is detected)
  5. Recover (planning for restoration of services affected by an attack)

The new sixth function, Govern, addresses organizational structures, communication, and information sharing. The other five functions have also been restructured, with several categories moved to the governance function.

The Govern function covers how an organization can make and execute internal decisions around cybersecurity in the same way senior leadership assesses legal, financial, and other risks. This gives companies a roadmap for creating a comprehensive cybersecurity governance program to mitigate risks and improve responsiveness. This is critical for improving cybersecurity posture.

For MSPs, the CSF guidance provides a framework for helping clients better organize their cybersecurity activities, including:

  • Preparing their cybersecurity plans based on regulatory requirements, engaging management, and investing in cyber insurance
  • Assessing risks
  • Leveraging processes, policies, and technology to protect data and systems and engaging in cybersecurity awareness training
  • Deploying detection technologies, including a 24/7 security operations center (SOC)
  • Creating incident response plans
  • Developing recovery plans that leverage backup/recovery technology, defining communication protocols, and post-incident analysis.

Overall, the updated CSF makes it more straightforward for organizations large and small to apply these best practices to their cybersecurity strategies. By including governance as a core function, CSF 2.0 provides a roadmap for creating a comprehensive program that mitigates risks, improves responsiveness, and ultimately strengthens an organization’s cybersecurity posture.


Siroui Mushegian, CIO, Barracuda

Siroui Mushegian is Chief Information Officer (CIO) at Barracuda. Siroui joined Barracuda from BlackLine, where she was responsible for all aspects of BlackLine’s internal corporate IT. Before BlackLine, she held executive IT leadership roles at PBS’s WNET New York Public Media, the NBA, Ralph Lauren, and Time, Inc. Bringing more than 20 years of executive and IT leadership experience, Siroui has successfully built strong operational environments that eliminate technology silos, elevated the maturity and impact of technology within her enterprises and delivered measurable and scalable business outcomes.