Ropes Data Philes: A Very Merry NISTmas - 2024 Updates
webropesdataphiles.com·ropesdataphiles.com/2024/12/a-very-merry-nistmas-2024-upd...
A legal/compliance-oriented overview of NIST's 2024 framework updates; relevant to AI governance practitioners tracking how federal standards bodies are integrating AI risk management with broader cybersecurity and data governance frameworks.
Metadata
Importance: 38/100 · blog post · analysis
Summary
This post reviews NIST's major 2024 updates, including CSF 2.0 which expands the Cybersecurity Framework from five to six functions by adding Governance, broadens applicability beyond critical infrastructure to all sectors, and introduces a new holistic data governance model. It also covers updates to the AI Risk Management Framework and offers predictions for 2025. The piece emphasizes that robust technical controls alone are insufficient without corresponding governance structures.
Key Points
- CSF 2.0 adds a sixth function—Governance—to the original five (Identify, Protect, Detect, Respond, Recover), signaling that cybersecurity programs require executive-level oversight.
- The framework's title changed from 'Framework for Improving Critical Infrastructure Cybersecurity' to 'The Cybersecurity Framework,' reflecting expanded applicability across all sectors.
- NIST introduced a new holistic data governance model unifying its cybersecurity, privacy, and AI frameworks under a single structure to address data quality, security, and compliance.
- Voluntary NIST adoption is increasingly standard in private sector contracts, regulatory inquiries, and litigation contexts.
- NIST's AI Risk Management Framework also received 2024 updates, continuing NIST's expansion into AI governance alongside cybersecurity standards.
Cited by 1 page
| Page | Type | Quality |
|---|---|---|
| NIST and AI Safety | Organization | 63.0 |
Cached Content Preview
HTTP 200 · Fetched Mar 15, 2026 · 14 KB
A Very Merry NISTmas: 2024 Updates to the Cybersecurity and AI Framework | RopesDataPhiles
The National Institute of Standards and Technology (NIST) has been a leading voice in cybersecurity standards since 2013, when President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity tasked NIST, which is embedded within the Department of Commerce, with developing and updating a cybersecurity framework for reducing cyber risks to critical infrastructure. The first iteration of that framework was released in 2014, and Versions 1.1 and 2.0 followed in 2018 and 2024. NIST guidance has also expanded to include a privacy framework, released in 2020, and an AI risk management framework, released in 2023. This year, NIST made updates to both its cybersecurity and AI risk management frameworks and created a holistic data governance model that aims to provide a comprehensive approach for entities to address issues like data quality, privacy, security, and compliance, leveraging the various NIST frameworks under a unified data governance structure to help framework users address broader organizational risks. A retrospective of these developments and predictions for 2025 are detailed in this post.
Cybersecurity. The NIST Cybersecurity Framework (CSF) provides guidance to organizations for the management of cybersecurity risks and can help identify gaps in an organization’s cybersecurity practices by reflecting existing best practices and setting out key cybersecurity considerations for companies designing a comprehensive cybersecurity program. While the CSF is voluntary for most organizations, adherence to NIST is a necessary condition for conducting some government contracts or operations within the federal system. Many more organizations, however, voluntarily choose to employ NIST as a helpful tool to understand, manage, and reduce their cybersecurity risk, and adoption of the CSF is increasingly becoming a standard practice for many companies in the private sector, as it is often cited both in engagement with and response to contractual agreements between private parties, regulatory inquiries, and private litigation.
A decade after its first release, and building on top of an interim 2018 update (Version 1.1), this year NIST updated the CSF and changed the title from “Framework for Improving Critical Infrastructure Cybersecurity” to the much more widely applicable “The Cybersecurity Framework,” signaling increased adoption of the framework across sectors. Having expanded the framework’s design to appeal to all audiences and industries, Version 2.0 focuses on making the framework accessible across a spectrum of existing cybersecurity sophistication by adding features like implementation examples, quick-start guid
... (truncated, 14 KB total)
Resource ID: 202cf518a0dbb3a9 | Stable ID: ODQwZTgyNW