NIST Unveils Major Overhaul of Cybersecurity Framework to Cater to Diverse Sectors

The National Institute of Standards and Technology (NIST) has undertaken a comprehensive revision of its renowned Cybersecurity Framework (CSF), marking the first significant update since its inception almost a decade ago. NIST has released a draft version of the Cybersecurity Framework 2.0 (CSF 2.0), which aims to address the evolving cybersecurity landscape and enhance the applicability of the framework across various sectors.

Cherilyn Pascoe, the lead developer of the framework at NIST, emphasized that the goal of the update is to align the Cybersecurity Framework with current and future usage. The original framework, introduced in 2014, was initially designed for critical infrastructure industries such as banking and energy, but its effectiveness was observed across diverse sectors including education, small businesses, and governments. The new version seeks to ensure that it remains a valuable tool for all sectors, not solely those deemed critical.

Public feedback is being sought on the draft framework until November 4, 2023. NIST has indicated that this draft is the final one, and a workshop planned for the coming months will provide another avenue for public input. The anticipated release of the final version, CSF 2.0, is scheduled for early 2024.

The CSF serves as a high-level guide, offering a standardized language and systematic methodology to manage cybersecurity risks across sectors and facilitate communication between technical and non-technical personnel. It encompasses adaptable activities that organizations can integrate into their cybersecurity programs, tailoring them to their specific requirements. Over the past decade, the CSF has garnered over two million downloads across 185+ countries and has been translated into at least nine languages.

Responses to NIST’s 2022 request for information on the CSF highlighted its efficacy in risk reduction while suggesting the need for updates to address technological advancements and the ever-evolving threat landscape. The revised CSF 2.0 aims to meet these demands by incorporating major changes:

  1. Expanded Scope: The framework’s scope has expanded from safeguarding critical infrastructure to providing cybersecurity guidance to organizations of all types and sizes, regardless of sector. The revised title reflects this broader scope – “The Cybersecurity Framework.”
  2. Six Functions: In addition to the existing five functions (Identify, Protect, Detect, Respond, and Recover), the CSF 2.0 introduces a sixth function – “Govern.” This function underscores the significance of cybersecurity as a core enterprise risk and emphasizes the role of senior leadership.
  3. Enhanced Guidance: The draft framework offers enhanced guidance on implementing the CSF, especially in creating profiles tailored to specific situations. Implementation examples for each function’s subcategories are included to assist organizations, particularly smaller ones, in effectively utilizing the framework.
  4. Integration with Other Frameworks: CSF 2.0 guides organizations on leveraging various technology frameworks, standards, and guidelines, including those from NIST and other sources. To support this effort, NIST will launch a reference tool that enables users to access and export CSF Core data in human-consumable and machine-readable formats.

Cherilyn Pascoe urged stakeholders to provide feedback on the draft of CSF 2.0 by the November 4 deadline, emphasizing that this is an opportunity for users to actively participate in shaping the framework’s future effectiveness.