Then and Now: What Changed with in the NIST Cybersecurity Framework in 2024

A Shared Language:  Risk Communication Across the Business

The US National Institute of Standards and Technology’s (NIST) cybersecurity and privacy frameworks help businesses identify, understand, manage, and reduce their cybersecurity and privacy risk. 

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data. The Framework is voluntary. It was originally introduced in 2014 and updated in 2018 and 2024. 

What is the NIST Privacy Framework?

The NIST Privacy Framework is a voluntary tool intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy. It was originally introduced in Jan 2020.

Privacy and Cybersecurity Have a Shared Goal – Protecting Personal Data

The NIST Cybersecurity Framework (CSF) 2.0 and the NIST Privacy Framework provide a high level guidance and a common language to speak about business risk — the necessary foundation for security practitioners, privacy practitioners, and business leaders to understand, address, and communicate business risk. 

These two frameworks share the common goal of protecting personal data and relate on privacy breach risks. This has not changed.

Then and Now:  What Changed with NIST CSF in 2024

What has changed is that NIST’s CSF 2.0 contains new features that highlight the importance of governance and supply chains. 

Previous versions of NIST’s CSF had five main pillars of a successful and holistic cybersecurity program which included:  identify, protect, detect, respond and recover. In the 2024 CSF Version 2.0 update, govern was added as a sixth pillar. The govern pillar covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership. 

The new Govern Function supports organizational risk communication across the business and with executives. This supports dialogue and agreement about risk management strategies (including cybersecurity supply chain risk); roles, responsibilities, and authorities; policies; and oversight. As executives establish cybersecurity priorities and objectives based on those needs, they communicate expectations about risk appetite, accountability, and resources.

Supply chain risk management has been expanded in the most recent update. The NIST CSF 2.0 framework states given “the complex and interconnected relationships in this ecosystem, supply chain risk management (SCRM) is critical for organizations. Cybersecurity SCRM (C-SCRM) is a systematic process for managing exposure to cybersecurity risk throughout supply chains and developing appropriate response strategies, policies, processes, and procedures. The subcategories within the CSF C-SCRM Category [GV.SC] provide a connection between outcomes that focus purely on cybersecurity and those that focus on C-SCRM.”

NIST Privacy Framework Functions and Categories at a Glance

The NIST Privacy Framework has five pillars or functions:  identify, govern, control, communicate and protect. 

A Shared Language:  Risk Communication Across the Business

Brandon Greenwood, CISO of Bed Bath & Beyond and Jonathan Agha, CISO of FanDuel highlighted the importance of having a common language when explaining security and privacy risk across the business during their presentation, “Let’s Get Technical:  Talking Privacy with Your CISO” at the DataGrail Summit in September 2023.

“I want to make sure the lexicon, the vocabulary, the terminology we’re using is consistent between us because we need to get to that end state as quick as possible.” There’s nothing worse than having a disagreement without knowing you’re having a disagreement. That creates a lot of problems.” – Brandon Greenwood, CISO of Bed Bath & Beyond

On the importance of a shared language, Jonthan Agha, CISO of FanDuel said that privacy “is a team sport, so make sure you’re all on the same playbook.”

NIST’s Cybersecurity Framework “provides high-level guidance, including a common language and a systematic methodology for managing cybersecurity risk across sectors and aiding communication between technical and nontechnical staff. It includes activities that can be incorporated into cybersecurity programs and tailored to meet an organization’s particular needs,”explained NIST in their August 2023 news update.

Key Takeaways

Companies can use NIST’s cybersecurity and privacy frameworks to help identify, understand, manage, communicate about, and reduce their cybersecurity and privacy risk. 

If you want to learn more about how to manage data privacy risk, DataGrail partners with brands on their data privacy journey to minimize risk, stay a step ahead of consumer and employee expectations, and save increasingly scarce resources.

Further Learning Resources

• NIST Cybersecurity Framework 2.0
• NIST Privacy Framework
• NIST AI RIsk Management Framework
• “Let’s Get Technical:  Talking Privacy with Your CISO” presentation at the DataGrail Summit by Brandon Greenwood, CISO of Bed Bath & Beyond and Jonathan Agha, CISO of FanDuel