
The US NIST is about to bring significant changes to its Cybersecurity Framework (CSF) – seen as the biggest review in the last five years.
The initial version was published in 2014 and updated to version 1.1 in 2018. The CSF’s main role is to provide guidelines and best practices for managing cybersecurity risk. It is designed to be flexible and adaptable rather than prescriptive, and is widely used by organizations and government agencies across the globe to build cybersecurity programs and measure their maturity.
NIST earlier published a concept paper for CSF 2.0 and opened it for review. The resulting feedback will be used to develop a final draft of the revised framework.
According to one of the advisors, the changing threat landscape calls for significant updates to the existing framework, and because adoption of the framework is so widespread, adopters are looking for changes.
Since the publication of CSF 1.1, NIST has been repeatedly directed by authorities to consider the needs of small businesses and higher-education institutions, beyond its original target audience of critical national infrastructure organizations. There are also plans to increase international collaboration and encourage more countries to adopt the framework, either in full or in part.
Sixth pillar to be added to the framework
A new ‘Govern’ function will be added to the existing five functions – Identify, Protect, Detect, Respond, and Recover – with the aim of positioning cybersecurity risk alongside other enterprise risks such as threats to financial stability.
This new function will include the following:
- Determination of the priorities and risk tolerances of the organization, its customers, and the larger society
- Assessment of cybersecurity risks and impacts
- Establishment of cybersecurity policies and procedures
- Evaluation of cybersecurity roles and responsibilities
This addition is largely a response to the growing use of the framework to structure discussions about cybersecurity risk between technologists and senior managers.
Scope of improvements requested
- Improve alignment of the framework with other NIST and non-NIST security programs, such as the Risk Management Framework and the Workforce Framework for Cybersecurity.
- Provide practical guidance on applying the framework, leading to a new section focused on implementation examples, while the framework itself remains focused on high-level outcomes rather than specific processes.
Risk management
The new framework will have a significant focus on supply chain risk management, helping and encouraging organizations to address third-party risks of all kinds, from cloud computing to computers, software, and networking equipment, along with the non-technology supply chain.
Guidance on Measurement
CSF 2.0 is also set to include more guidance on measurement and assessment, with a common taxonomy and lexicon for communicating the outcome of an organization’s measurement and assessment efforts, regardless of the underlying risk management process. The plan is to provide additional guidance on how to assess levels of security maturity – some in CSF 2.0 itself, and some in separate guidance.
Zero Trust Dilemma
NIST decided not to merge its Privacy Framework with the CSF after consulting with stakeholders. NIST’s view is that zero trust need not be incorporated into the framework, even though adopting the architecture is a priority for the administration.
Common Framework
NIST is proposing to keep the framework technology- and vendor-neutral, although some have called for it to address specific topics, technologies, and applications. Organizations are looking for more guidance when, for example, they adopt cloud computing, the internet of things, or operational technologies.
Feedback on the proposals can be submitted to NIST at cyberframework@nist.gov until March 3, with a draft plan for Q2/Q3 2023, followed by a public review.