Updated NIST Framework Puts Focus on Cyber Supply Chain Risk Management

This post was written by Bob Kolasky, Senior Vice President of Critical Infrastructure


The digital horizon is ever-changing, and with NIST’s release of the Cybersecurity Framework 2.0 (CSF 2.0), businesses and other organizations have a new compass to steer by. This is a step forward in updating the U.S. government’s core recommended approach, one also recognized by allied governments, for implementing a cybersecurity program that guides organizational cyber risk management efforts.


Following the original Cybersecurity Framework published in 2013, NIST has updated its cybersecurity recommendations for all organizations, taking a framework that is widely used by critical infrastructure entities and expanding it to a broader user community.


NIST released the initial CSF, following an Obama-era executive order, to help organizations understand, reduce and communicate about cybersecurity risk. The framework’s core is now organized around six key functions: Identify, Protect, Detect, Respond and Recover, plus the Govern function newly added in CSF 2.0. Taken together, these functions provide a comprehensive view for managing cybersecurity risk.


Here’s how CSF 2.0 can help businesses, especially in safeguarding their supply chains:


Governance at the forefront: The addition of a ‘Govern’ function is a game-changer. It will propel organizations to embed cybersecurity into their corporate governance structures, ensuring that cyber risks are part of every strategic decision.


Tailored implementation: CSF 2.0’s tiered approach lets businesses adopt cybersecurity practices that align with their specific needs and risk profiles, building resilience without imposing a one-size-fits-all model.


Supply chain security: With the emphasis on third-party cyber risks, businesses can now formulate a more comprehensive strategy that accounts for the entire supply chain, thereby minimizing vulnerabilities at every link.


Adaptive framework: The CSF 2.0 is designed to be adaptive, encouraging organizations to remain agile and responsive to new threats. It’s not a static shield but a versatile weapon in the cybersecurity arsenal.


Policy alignment: The framework is poised to align with CISA’s Cybersecurity Performance Goals, ensuring consistency and clarity in cyber defense strategies across the board.

“A critical element of Governance is designing an approach to cyber supply chain risk management as part of cyber security, as third-party cyber risk needs to be accounted for. I am glad that the CSF emphasizes this.”

Communication, a cornerstone of supply chain risk management, is where CSF 2.0 marks a milestone. Its broadened scope and updated guidance are major strides in engaging a diverse audience in this critical conversation, and a foundation for building a robust defense against the cyber supply chain threats that loom over our interconnected world.


“CSF 2.0, which builds on previous versions, is not just about one document,” said Laurie E. Locascio, Under Secretary of Commerce for Standards and Technology and NIST Director. “It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.”


At Exiger, we’re committed to helping businesses interpret and implement CSF 2.0, particularly in the context of cyber supply chain risk management (C-SCRM). The journey to cyber resilience is continuous, and with CSF 2.0, organizations now have a refreshed compass for approaching that work with greater confidence and capability.


Contact us to learn more about how Exiger can strengthen cyber supply chain risk management for your organization.
