NIST drafts major update to its widely used cybersecurity framework

News By Daniel Michan Published on August 11, 2023

The widely used NIST Cybersecurity Framework is getting its first complete overhaul since its release nearly a decade ago.

After more than a year of gathering community feedback, the National Institute of Standards and Technology (NIST) has released a draft of Cybersecurity Framework (CSF) 2.0. The new version builds on the framework first published in 2014 to help organizations understand, reduce, and communicate cybersecurity risk. The draft reflects changes in the cybersecurity landscape since then and is intended to be easier to put into practice and applicable to organizations of every type.

Cherilyn Pascoe, the framework's lead developer at NIST, explained that the update is meant to reflect how the CSF is actually used while anticipating future needs. Although it was originally written for critical infrastructure sectors such as banking and energy, the CSF has proven valuable well beyond them, in schools, small businesses, local governments, and foreign governments. NIST's objective is to make sure the CSF remains useful to all sectors rather than focusing on critical infrastructure alone.

NIST is accepting public comment on the draft until Nov. 4, 2023. NIST does not plan to release another draft after this one.

A workshop, to be announced soon, will be held in the fall and will give the public another opportunity to comment on the draft. The developers aim to publish the final version of CSF 2.0 in early 2024.

The CSF provides a common language and a structured approach for managing cybersecurity risk across sectors, and it helps technical and non-technical staff communicate with one another. Its set of outcomes and activities can be tailored to an organization's needs, which makes it straightforward to fold into an existing cybersecurity program. Over the past decade it has been downloaded more than two million times by users in 185 countries and translated into at least nine languages.

Responses to NIST's February 2022 request for information confirmed that the CSF remains effective at reducing cybersecurity risk, but many respondents also stressed that it needed updating to keep pace with technological change and an evolving threat landscape.

"Several commenters emphasized the need to preserve and enhance aspects of the CSF, particularly its flexibility and voluntary nature," Pascoe noted.

"At the time, many individuals expressed a desire for more guidance on implementing the CSF and ensuring its effectiveness in addressing emerging cybersecurity challenges like supply chain risks and the pervasive threat of ransomware. We recognized the need to step up our efforts since these issues impact organizations, including small businesses."

The draft of CSF 2.0 incorporates several significant changes:

First, the framework's scope has been explicitly broadened to cover all organizations, regardless of size or sector. This change is reflected in its new title, "The Cybersecurity Framework," replacing the narrower "Framework for Improving Critical Infrastructure Cybersecurity."

Until now, the CSF has described five core functions of a successful cybersecurity program: Identify, Protect, Detect, Respond, and Recover. The draft adds a sixth function, Govern, which covers an organization's ability to make and carry out informed, internal decisions in support of its cybersecurity strategy. Its inclusion emphasizes that cybersecurity is an enterprise risk that senior leadership should weigh alongside legal, financial, and other risks.

The draft also provides improved and expanded guidance on implementing the CSF, in particular on creating profiles, which tailor the framework to a specific situation. The cybersecurity community had asked for help applying the CSF within particular economic sectors and use cases, where such profiles are especially useful. Notably, the draft now includes implementation examples for each function's subcategories, intended to help organizations, and smaller ones in particular, put the framework into practice.

A key objective of CSF 2.0 is to explain how organizations can use the technology frameworks, standards, and guidelines published by NIST and others to implement the CSF. To support this, NIST plans to release a CSF 2.0 reference tool in the coming weeks. The online tool will let users browse, search, and export the CSF Core data in both human-readable and machine-readable formats. Over time it will also provide "Informative References," which map the relationships between the CSF and other resources so that the framework can be used together with other cybersecurity risk management guidance.

Pascoe said the development team welcomes feedback and suggestions on the draft until Nov. 4.

"This presents an opportunity for users to provide their input on the draft of CSF 2.0," she stated.

"If you haven't started yet, now is the time to get involved."