NIST Cybersecurity Framework 2.0 – A Canadian Perspective

In August 2023, the U.S. National Institute of Standards and Technology released a public draft of an updated Cybersecurity Framework with significant changes, including an emphasis on governance and supply chain risk management that align with Canadian legal requirements and regulatory guidance. The updated Framework will be an important benchmark resource for Canadian organizations of all kinds and sizes.

Background

The National Institute of Standards and Technology (NIST) is a U.S. Department of Commerce agency whose mission is to promote American innovation and industrial competitiveness. The NIST Cybersecurity Framework (the “CSF”) provides guidance for managing cybersecurity risks by helping organizations understand, assess, prioritize, and communicate about those risks and the actions that will reduce them. The first version of the CSF, designed for use by critical infrastructure operators, was published in 2014. The current version, CSF 1.1, was published in 2018. In addition, in 2016, NIST published simplified cybersecurity guidance based on the CSF, titled Small Business Information Security: The Fundamentals. See BLG bulletin Cybersecurity Guidance for Small and Medium Size Enterprises.

The CSF, particularly its “Framework Core”, has been endorsed as a foundational cybersecurity resource by regulators and industry associations around the world, including in Canada. For example, the CSF Framework Core is reflected in the Investment Industry Regulatory Organization of Canada’s Cybersecurity Best Practices Guide and Cyber Security Self Assessment, the BC Financial Services Authority’s Information Security Guideline, the Mutual Fund Dealers Association of Canada’s Cybersecurity bulletin, the Ontario Energy Board’s Ontario Cyber Security Framework, and the Chartered Professional Accountants Canada’s 20 questions directors should ask about cybersecurity.

Cybersecurity Framework 2.0

In August 2023, NIST announced a public draft of an updated Cybersecurity Framework 2.0 (CSF 2.0), a Discussion Draft of Implementation Examples, and a CSF 2.0 Reference Tool. NIST is accepting public comment on draft CSF 2.0 until November 2023, and plans to publish the final version of CSF 2.0 in early 2024.

Read Bradley Freedman’s article on this topic.

This content was updated on February 7, 2024 at 15:47.