The National Institute of Standards and Technology (NIST) today unveiled its Cybersecurity Framework (CSF) 2.0 along with a suite of cyber resources, providing the first major update to the voluntary framework in over a decade.
NIST’s CSF was first launched in 2014 as a guide for critical infrastructure organizations, but NIST has expanded its scope in CSF 2.0 to include all organizations – regardless of type or size. The update comes after a multi-year process of gathering feedback and public comments on the new framework.
“The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats,” Under Secretary of Commerce for Standards and Technology and NIST Director Laurie Locascio said in a Feb. 26 press release. “CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.”
The CSF 2.0 – which supports implementation of the Federal government’s National Cybersecurity Strategy – is organized by six functions: govern, identify, protect, detect, respond, and recover. The govern function is a new addition, placing an emphasis on the organizational context of cybersecurity.
The new framework contains helpful resources such as: CSF Core, a set of cybersecurity outcomes that can help any organization manage its cybersecurity risks; CSF Organizational Profiles, a mechanism for describing an organization’s current or target cybersecurity posture; and CSF Tiers, an approach that can help determine the rigor of an organization’s cyber risk management practices.
These resources recognize that organizations will come to the CSF 2.0 “with varying needs and degrees of experience implementing cybersecurity tools,” NIST said.
“Developed by working closely with stakeholders and reflecting the most recent cybersecurity challenges and management practices, this update aims to make the framework even more relevant to a wider swath of users in the United States and abroad,” according to Kevin Stine, chief of NIST’s Applied Cybersecurity Division.
The CSF 2.0 also offers quick-start guides designed for specific types of users – such as small businesses or enterprise risk managers. Additionally, the new CSF 2.0 Reference Tool helps organizations to more easily implement the CSF, “allowing users to browse, search and export data and details from the CSF’s core guidance in human-consumable and machine-readable formats,” NIST said.
In addition, the CSF 2.0 offers a searchable catalog of informative references, as well as the Cybersecurity and Privacy Reference Tool (CPRT) with additional NIST guidance documents.
“Now that the big release day is finally here, we hope organizations (and those who guide or carry out cybersecurity strategies) will find the CSF 2.0 suite of documents and tools to be difference makers in managing and reducing cybersecurity risks,” Stine said in a Feb. 26 blog post on the CSF 2.0.
Stine said that NIST plans to continue to enhance its cybersecurity resources, and it welcomes any feedback on the CSF 2.0.
“As users customize the CSF, we hope they will share their examples and successes, because that will allow us to amplify their experiences and help others,” he said. “That will help organizations, sectors, and even entire nations better understand and manage their cybersecurity risk.”
“Remember, cybersecurity risk management is always a journey – and the CSF 2.0 is a navigational guide that can help make that journey more successful,” he concluded.
