Among the US financial institutions we have advised, the vast majority have strategically aligned their security management programs to the NIST CSF Core, which defines cybersecurity Functions, Categories and Subcategories that organizations should have in place to secure their organizational assets. The update to this best practice framework emphasizes the importance of strong security governance and operational resilience planning across technical domains.

Since the launch of the NIST CSF in 2014, we have seen a number of key changes in the operating environment:

• Computing has moved from self-managed data centers to public and hybrid clouds, thereby increasing reliance on service providers and necessitating shared responsibility management and support models to operate and secure systems and services. 
• Software-as-a-Service (SaaS) products mean financial institutions increasingly rely on their service providers to store and process sensitive data, increasing aggregate risk for businesses using those platforms.
• The proliferation and comingling of confidential, sensitive and personal data across disparate platforms – from legacy mainframe to global blockchains to Generative AI – and the global rise of privacy and data protection laws have necessitated comprehensive protection strategies. These include zero trust, post-quantum encryption, AI-enhanced data management and protection, automated data loss prevention controls, and more.
• NIST introduced a sister framework, the NIST Privacy Framework1  (NPF) v.1.0 in 2020, which is similar in structure to the CSF. It was through the NPF that NIST introduced a Govern-P function, which is a core business necessity to comply with privacy and data protection laws and regulations. 
  
  The NPF is a framework to guide risk management and protection of personal information, whereas the NIST CSF emphasizes the protection of systems and services. Many of the NPF’s functional and categorical objectives are useful to guide governance of other sensitive data categories. Together, the NIST CSF and NPF can provide a suitable management architecture for most organizations' security and privacy programs.
• The pandemic forced companies to fast track their digital transformation initiatives. Remote workforces have become normal, which has fueled the widespread adoption of multi-factor authentication technologies and has led to technical innovations to help ease the use of MFA products. While still important, most organizations have deemphasized physical security controls over time since their systems aren't collocated with their workforces.

The New Govern Function

The addition in Discussion Draft (NIST CSF v2)   of the Govern (GV) function aligns the CSF and NPF and highlights that governance should operate as a discrete function, managed and executed by organizational leadership. 

The Govern function gathers information about the business, the industry, legal and regulatory obligations for security (and privacy) and sets strategy to manage risk. Consistent pursuit of common security objectives across business units and regions requires a cross-functional and collaborative environment outfitted with checks and balances. 

The policies and procedures for security and risk management are defined here; owners are assigned and held accountable for performing their duties. A well-defined and properly communicated security strategy should drive and inform all components that comprise the other five functions. 

Notable new categories and subcategories

A further new element is the introduction of Improvement (ID.IM) to the CSF, through which NIST prescribes reviews, reassessments, tests, audits and exercises, all with the goal of being prescriptive and actionable about continuous, iterative improvement in security posture.  

When it comes to data security, organizations cannot afford to rest on their laurels given the technological and threat landscapes are constantly evolving. In recognition of the growing interdependencies between businesses and their suppliers and third parties, NIST emphasizes the need to include service providers in resilience planning and testing to identify threats and potential improvements.

Platform Security (PR.PS) is a new category within the Protect function, which defines the foundational operations activities that must be performed routinely to maintain good security hygiene across various technology platforms. The challenge will be designing and documenting the underlying controls that vary with every technology platform provider. 

Organizations should establish minimal security standards to meet their compliance obligations (i.e. SSO, BYOK/CMK, continuous monitoring). Security Officers should work with their platform providers to apply platform-native security controls to address critical assets. CISOs will most likely need to supplement their security capabilities with fit-for-purpose solutions to address potential platform security weaknesses or vulnerabilities.

Another new addition is Technology Infrastructure Resilience (PR. IR), which establishes that an organization’s risk strategy should include the management of security architecture to ensure a consistently secure and available operating environment. NIST have broadened the language used when discussing plans, assets and environments, directing organizations to take a more sweeping approach to the protection of assets and achieving resilience. In the financial sector, FFIEC and FINRA have each published strong guidance on outsourcing and resilience to promote high availability across the financial sector.

The Respond (RS) & Recover (RC) functions made the biggest gains in NIST CSF v2. The Response Planning (RS.RP) category (v.1.1) has now been rechristened to Incident Management (RS.MA). Across the RS and RC functions, most of the planning and execution subcategories were updated to prescribe more actionable, executable and measurable security outcomes.  

More of the same – and that’s a good thing

The new revision follows the familiar format of defining each subcategory as an idealized outcome of the underlying security risk management activity. Many of the direction setting, planning, risk management and communication activities have been moved to the new Govern function. 

However, much of the NIST CSF v2  Core discussion draft presents revised versions of preexisting subcategories. These revisions add flexibility to programs already built on NIST CSF v1.1 while accounting for the current technological landscape. By all indicators, the NIST CSF v2  will remain true to its original structure as an architectural framework.

Security leaders should use the CSF to set strategic direction, aligning security strategy to drive scalable and programmatic security outcomes across various technologies and services. Each organization must tailor the framework for its use, based on its business objectives, regulatory obligations and technical capabilities. However, the CSF is not the controls gospel – it is the grounding framework for developing a commonly understood, security strategy approach.  

The inclusion of Informative References across the framework points security practitioners to complimentary security standards and frameworks, which prescribe more specific security controls. Informative References often cite NIST's own master security & privacy controls bible, NIST SPECIAL PUBLICATION 800-53: Security and Privacy Controls for Information Systems and Organizations2, which is currently in Rev. 5, and is just shy of 1,200 line items. 

As data security advisors, we frequently rely on other data protection standards (PCI DSS v.4.0, CSA CCM, CDMC) and data governance frameworks (DCAM, DAMA DMBOK) to guide our tactical implementation and operation of protective and detective measures to meet strategic security objectives.

Where do we go from here?

NIST is expected to release a final revision to NIST CSF v2  sometime later this year. Once NIST CSF v2 is official, businesses should begin the process of upleveling their programs to align to NIST’s revised expectations. 

This means security personnel should assess their business’ existing security architecture to identify where they meet the standards of NIST CSF v2  and where gaps remain. The updated framework acknowledges the complexity of modern business relationships – we all rely on, and cannot operate without, our service providers, so we must manage any associated risks down to acceptable levels.

When looking to uplevel a program, businesses will have a number of considerations.

• Controls will need to be remapped to the updated framework. In some cases, new security services or capabilities may need to be added to keep pace with the latest changes, particularly as they enable operational resilience objectives. 

• Organizations should already be rethinking their security governance strategies, placing greater emphasis on shared responsibility for security across various cloud-based environments

• CISOs should develop and communicate strategic initiatives to tailor their existing security roadmaps to close gaps and remediate identified risks.

• Document all changes and collect evidence of adequate controls implementation and execution, in preparation for future audits.  Security leaders should expect auditors and enforcement agencies will revise their tests to align to NIST CSF v2  in short order.

Will There Be a Complimentary Privacy Framework Revision?

As for future framework evolution, ideally NIST will consider a substantive revision to the Privacy Framework (NPF) to accommodate other types of sensitive data, not just personal information. We hope to see sweeping changes to the language and orientation of the NPF, up to and including a renaming of the Framework – perhaps, a NIST Data Protection Framework?  

For now, however, most of the NPF’s functional and categorical objectives can be tailored to serve as architectural guideposts for US businesses to aid in the design of their data protection programs.  

Further reading

¹NIST Privacy Framework
²NIST SPECIAL PUBLICATION 800-53: Security and Privacy Controls for Information Systems and Organizations,

Capco partners with financial services firms to design and build security and privacy solutions aligned to each firm’s unique business conditions and regulatory obligations.  Whether your organization needs tactical advice to overhaul a Third-Party Risk Management program, or a long-term strategy and technological implementation to manage data use and protection across the enterprise, Capco specializes in solving for business, data, and security imperatives across financial services domains.