The leading cybersecurity guidance NIST is getting its first complete makeover since its release nearly a decade ago.
More than a year’s of observing the community feedback and consideration, NIST has released a draft version of the Cybersecurity Framework (CSF) 2.0, a new version of a tool it first released in 2014 to help organizations understand, reduce and communicate about cybersecurity risk.
The draft update, which NIST has released for public comment, reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice for all organizations.
NIST is accepting public comments on the draft framework until Nov. 4, 2023, on the final draft.A workshop planned for the fall will be announced shortly and will serve as another opportunity for the public to provide feedback and comments on the draft. The developers plan to publish the final version of CSF 2.0 in early 2024.
The CSF provides high-level guidance, including a common language and a systematic methodology for managing cybersecurity risk across sectors and aiding communication between technical and nontechnical staff. It includes activities that can be incorporated into cybersecurity programs and tailored to meet an organization’s particular needs. In the decade since it was first published, the CSF has been downloaded more than two million times by users across more than 185 countries and has been translated into at least nine languages.
While responses to NIST’s February 2022 request for information about the CSF indicated that the framework remains an effective tool for reducing cybersecurity risk, many respondents also suggested that an update could help users adjust to technological innovation as well as a rapidly evolving threat landscape.
The CSF 2.0 draft reflects a number of major changes, including:
- The framework’s scope has expanded explicitly from protecting critical infrastructure, such as hospitals and power plants, to providing cybersecurity for all organizations regardless of type or size. This difference is reflected in the CSF’s official title, which has changed to “The Cybersecurity Framework,” its colloquial name, from the more limiting “Framework for Improving Critical Infrastructure Cybersecurity.”
- Until now, the CSF has described the main pillars of a successful and holistic cybersecurity program using five main functions: identify, protect, detect, respond and recover. To these, NIST now has added a sixth, the govern function, which covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership.
- The draft provides improved and expanded guidance on implementing the CSF, especially for creating profiles, which tailor the CSF for particular situations. The cybersecurity community has requested assistance in using it for specific economic sectors and use cases where profiles can help. Importantly, the draft now includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, to use the framework effectively.
The goal of CSF 2.0 is to explain how organizations can leverage other technology frameworks, standards, and guidelines from NIST and elsewhere to implement the CSF. Bolstering this last effort will be the launch of a CSF 2.0 reference tool, which NIST plans to release in a few weeks.
This online resource will allow users to browse, search and export the CSF Core data in human-consumable and machine-readable formats. In the future, this tool will provide “Informative References” to show the relationships between the CSF and other resources to make it easier to use the framework together with other guidance to manage cybersecurity risk.