The National Institute of Standards and Technology (NIST) has recently released the public draft of Cybersecurity Framework (CSF) 2.0, open for comments until November 4, 2023. This version follows the previously published CSF 1.1 from 2018.
CSF 2.0 introduces two significant updates that warrant attention. The first is the inclusion of the new GOVERN function, together with its associated categories and subcategories. The second is a set of refinements, reorganizations, classification adjustments, and other enhancements made to streamline the framework.
In this analysis, our focus will be on the newly introduced GOVERN function, as it stands out as the pivotal change within the framework.
Considering the historical context, CSF version 1.1 provided a comprehensive breakdown of the following functions:
Cybersecurity Framework Version 1.1
Initially, the assumption was that this process could be implemented and autonomously managed as vaguely described in section 2.4 of CSF 1.1 - Coordination of Framework Implementation. The concepts and functions outlined in CSF 1.1 hold immense value, and adopting these best practices undoubtedly enhances the security of the system. However, it has become evident that relying on a “spontaneous” and self-organizing approach is insufficient. Hence, the necessity for a central coordinating function arises to effectively oversee the entire process.
Focus on the New GOVERN Function
This analysis primarily delves into the novel GOVERN function due to its pivotal role in the updated CSF 2.0. The evolution from CSF 1.1's functions – IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER – has led to the emergence of GOVERN as a central coordinating entity. It orchestrates the entire cybersecurity process by providing oversight and direction.
Cybersecurity Framework Version 2.0
The functions and definitions in CSF 2.0 are as follows:
The GOVERN function is strategically designed to encompass various aspects of organizational context and risk management. This includes:
Categorized Elements within GOVERN
The categories under the GOVERN function are structured as follows:
Interplay with CSF 1.1 Functions
It is essential to emphasize that the creation of the GOVERN function does not negate the preexistence and relevance of functions from CSF 1.1. This highlights GOVERN's role as a linchpin that interconnects all functions. In numerous instances, complete categories and subcategories have been transferred from other functions, with a notable emphasis on the IDENTIFY function as the source.
An illustrative example can be found in the document's Appendix C, Table 5, where the GOVERN subcategory is highlighted:
Broadly speaking, a significant number of subcategories within the new GOVERN function were inherited from CSF 1.1's IDENTIFY function, although exceptions exist. However, the crux of the matter is not solely in enumerating these interrelated subcategories. Instead, it lies in the acknowledgment of GOVERN as a distinct and crucial entity, deserving of its independent recognition. Notably, GOVERN holds an intrinsic connection to all pre-existing functions within the framework.
Definition of GOVERN
GOVERN (GV) – Establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy. The GOVERN Function is cross-cutting and provides outcomes to inform how an organization will achieve and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder expectations. Governance activities are critical for incorporating cybersecurity into an organization’s broader enterprise risk management strategy. GOVERN directs an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policies, processes, and procedures; and the oversight of cybersecurity strategy.
Relationship with Other Functions
The GOVERN function collaborates closely with other functions, particularly IDENTIFY. Understanding organizational context and associated risks facilitates a targeted approach aligned with the organization's risk management strategy.
… and the related cybersecurity risks enable an organization to focus and prioritize its efforts in a manner consistent with its risk management strategy and the mission needs identified under GOVERN.
Moreover, the remaining functions also maintain a symbiotic relationship with GOVERN, exemplified by:
Investments in planning and testing in the GOVERN and IDENTIFY Functions will support timely incident response and recovery actions for cybersecurity incidents in the RESPOND and RECOVER Functions. GOVERN is in the center of the wheel because it informs how an organization will implement the other five Functions.
Implementation and Importance
Implementing GOVERN is not a one-size-fits-all process; each organization should tailor its approach based on the available information, its profile, and its risk appetite. Top management's involvement in this step significantly influences the framework's subsequent implementation and execution, both internally and across the supply chain.
Automation and Synergies
To facilitate this process, automation tools, such as Enterprise Risk Management (ERM) platforms, play a crucial role. Furthermore, harmonizing with other relevant standards, such as ISO/SAE 21434:2021 Cybersecurity Engineering, specifically its Threat Analysis and Risk Assessment (TARA) part, enhances the effectiveness of the process.
Conclusions and Key Takeaways
To delve further into enhancing your automotive cybersecurity stance, streamlining processes through automation, optimization, and refining practices like cybersecurity TARA, we invite you to explore our toolset. Witness a live demonstration of these solutions by reaching out to us at info@systemweaver.com.
About the Author
Gilad Bandel is the VP of Cybersecurity at SystemWeaver (https://www.systemweaver.com/), leading efforts in delivering innovative automotive cybersecurity solutions. With over three decades of experience in the automotive, cybersecurity, and networking sectors, Gilad is a respected figure known for his expertise in go-to-market strategies, especially in the fields of cybersecurity solutions for automotive, IoT, critical infrastructure, and homeland security.
Reference: National Institute of Standards and Technology (2023) The NIST Cybersecurity Framework 2.0. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Cybersecurity White Paper (CSWP) NIST CSWP 29 ipd.