The National Institute of Standards and Technology (NIST) is asking for public feedback on the draft version of a major update to its voluntary Cybersecurity Framework, which has become something close to a de facto baseline standard for security efforts in government and the private sector since it was launched in 2014 as a guide for critical infrastructure sectors.
The draft CSF 2.0 framework, NIST said, “reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice — for all organizations.”
NIST wants public comments on the updated framework – dubbed Cybersecurity Framework (CSF) 2.0 – by Nov. 4.
The version put out for comment this week is likely the final draft of the updated document, although NIST said it will hold a workshop sometime this fall to finish gathering comments and feedback. The agency first began gathering feedback on the new framework in late 2022.
The agency expects to publish the final version of CSF 2.0 in early 2024.
What’s New
NIST said the draft CSF 2.0 framework features several major changes from its nine-year old predecessor.
One of those is positioning – the agency said that the scope of the new framework “has expanded – explicitly – from protecting critical infrastructure, such as hospitals and power plants, to providing cybersecurity for all organizations regardless of type or size.”
The new draft also adds a sixth primary function to the plan – the govern function – to the five main framework functions that were written into the framework in 2014. Those five are: identify, protect, detect, respond, and recover.
The govern function, NIST said, “covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership.”
Finally, NIST said the CSF 2.0 framework draft features improved and expanded guidance for implementing the framework, including the creation of profiles that can tailor the framework for different situations.
“The cybersecurity community has requested assistance in using it for specific economic sectors and use cases, where profiles can help,” the agency said. “Importantly, the draft now includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, to use the framework effectively.”
NIST said it plans to release in the coming weeks a CSF 2.0 reference tool that will allow users to browse, search, and export CSF core data in human-consumable and machine-readable formats. “In the future, this tool will provide ‘Informative References’ to show the relationships between the CSF and other resources to make it easier to use the framework together with other guidance to manage cybersecurity risk,” the agency said.
“With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well,” commented NIST’s Cherilyn Pascoe, the framework’s lead developer.
“The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments,” she said. “We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical.”
“Many commenters said that we should maintain and build on the key attributes of the CSF, including its flexible and voluntary nature,” Pascoe continued. “At the same time, a lot of them requested more guidance on implementing the CSF and making sure it could address emerging cybersecurity issues, such as supply chain risks and the widespread threat of ransomware.”
“Because these issues affect lots of organizations, including small businesses, we realized we had to up our game,” Pascoe said.
