Just shy of 10 years after the release of the NIST Cybersecurity Framework, the agency issued a discussion draft for the updated version: the NIST CSF 2.0. And it couldn’t have come at a better time: cyber risk is soaring, and it’s Internal Audit Awareness Month!

Celebrate Internal Audit Awareness Month with NIST CSF 2.0!

It’s Internal Audit Awareness Month, and that means showcasing and celebrating those within this often-thankless role.

I began my career as an Internal Auditor and vividly recall feeling overwhelmed by the vast amount of security and privacy information out there. This challenge has only amplified for auditors over the past years with a sharp increase in regulatory requirements and penalties for non-compliance or breaches.

How is one supposed to keep up?

See also

[Demo] Sign up for a free live demo of the RiskOptics ROAR Platform

Cyber Risk Management Frameworks

Risk, privacy and cybersecurity frameworks offer an excellent baseline for knowledge and detailed methods for reducing risk and securing an organization. But as an auditor, I always wondered, who writes these things?

I envisioned a bunch of cyber geniuses sitting around a conference table thinking “What if we had 16-character instead of 12-character passwords? Write that down! That’s good!

As it turns out, that is not the case!

Most new or updated frameworks go through multiple stages of development. Let’s take the NIST Cybersecurity Framework as an example. The original development began in early 2013 via U.S. Executive Order 13636, which introduced the concepts of cybersecurity threat intelligence sharing and a generally accepted set of security mechanisms. Through Request for Information and Request for Comment processes, as well as several workshops held around the country, NIST released a discussion draft of the preliminary framework in August 2013.

The final version, published in February 2014, is highly utilized throughout the United States as the gold standard for cyber risk management.

And now, NIST has released the discussion draft for the Cybersecurity Framework 2.0 (NIST CSF 2.0). The auditor in me is curious — and nervous — about what changes lie within!

NIST CSF 2.0: An Updated Framework for Modern Challenges

One of the criticisms I’ve heard over the years regarding compliance frameworks is that they are “stuck in the past.” Many feel that mechanisms and processes developed decades before can’t support the challenges of modern-day organizations. To some extent, this may be true.

My colleague recently wrote about the newest security practices for AI risk – something seemingly unheard of 10 years ago. However, the foundation of these frameworks remains unchanged: protecting what’s most important to you. And the NIST CSF 2.0 is no different.

NIST CSF 2.0 Updates categories

4 NIST CSF 2.0 Updates for Better Cyber Risk Management

#1. New Govern Function

In this latest update, NIST adds a new Govern function designed to emphasize just that: how well are we protecting what’s most important to our organization? This function highlights the importance of risk management in the context of your business and strengthens cybersecurity outcomes related to policies, procedures, roles and responsibilities.

#2. Cyber Risk Management Updates

NIST also updated guidance on supply chain risk, continuous improvement and incident response management – all focused on what auditors care about most: are we doing enough to reduce the impact or likelihood of harm?

#3. Implementation Examples

In addition to the Core updates noted above, the discussion draft proposes adding Implementation Examples for each outcome.

Although not an exhaustive list, these examples offer tried and tested options for cybersecurity mitigation. In a world where threats and vulnerabilities change by the second, auditors may struggle to keep up with the latest and greatest security measures. These examples combine input from countless cybersecurity and risk management professionals and provide templates for implementing security mechanisms.

NIST provides a transparent and collaborative experience for everyone in cyber to aid in improving the framework. Collaborating with peers and implementing generally accepted examples strengthens our ability to protect and assess our organizations.

#4. Leadership Responsibility

My favorite change is the addition of GV.RR-01: “Organizational leadership takes responsibility for decisions associated with cybersecurity risks and establishes a culture that is risk-aware, behaves in an ethical manner, and promotes continuous improvement“.

When organizations see and understand the impact of risk in the context of their business, they are able to make informed, risk-based decisions. It moves auditors from being “nay-sayers” to proactive business accelerators.

Prepare for NIST CSF 2.0 Now

So, this Internal Audit Awareness month, why not take the time to review the discussion draft with your leadership? Taking the time now to understand the impact of these NIST CSF 2.0 updates gives you time to get ready for them.

Another way to prepare? The ZenGRC. Because you can gain a unified, real-time view of risk and compliance — framed around your business priorities — so you can easily and clearly communicate strategic decisions across the organization.

Discover the power of ZenGRC! Schedule your FREE demo today.


Feedback on the discussion draft may be submitted to [email protected] at any time. Feedback will inform the complete NIST CSF 2.0 draft anticipated to be released for public comment this summer.