Update Applicable to:
Businesses that are (or may be) contractually subject to the existing Framework. If your company plans on doing business with the government as a contractor, partner, or vendor, you will likely need to comply with NIST CSF.
What happened?
On August 8, 2023, the National Institute of Standards and Technology (NIST) released the initial public draft of its Cybersecurity Framework 2.0 and draft implementation examples for public comment.
What are the details?
As articulated by the U.S. Federal Trade Commission (FTC), “The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data. The Framework is voluntary (for private sector employers). It gives your business an outline of best practices to help you decide where to focus your time and money for cybersecurity protection.”
This significant update to the framework addresses evolving cybersecurity challenges and aims to provide organizations with enhanced guidance to improve their cybersecurity posture.
The release of the draft allows for public input and feedback, ensuring that a wide range of stakeholders can contribute to its development. Cybersecurity experts and organizations are encouraged to review the draft to understand the proposed changes and provide valuable insights.
NIST discovered that the concepts in the original Framework transcended critical infrastructure, creating a foundation for security practices across a multitude of other business sectors. The Cybersecurity Framework 2.0 works to capture this broad applicability, ultimately updating the use case and restructuring the scope of the original Framework.
Notable changes in Cybersecurity Framework 2.0 may include updates to cybersecurity practices, risk management approaches, and guidance on addressing emerging threats. As cybersecurity remains a critical concern in today’s digital landscape, the NIST Cybersecurity Framework continues to serve as a valuable resource for organizations looking to strengthen their cybersecurity defenses.
For more information, please see the links below:
The NIST Cybersecurity Framework 2.0
Law Firm Article 1, Article 2, Article 3, Article 4
What do employers need to do?
Businesses, especially those currently or potentially bound by the current Framework, should initiate a gap analysis of their security programs. This evaluation will help determine any necessary adjustments to align with Framework 2.0 compliance. Additionally, conducting this analysis can provide valuable insights for crafting comments to be submitted to NIST. Additional information regarding the NIST Framework 2.0 may be found here: NIST Drafts Major Update to Its Widely Used Cybersecurity Framework.
This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.