Major Update to NIST’s Widely Used Cybersecurity Framework

“Many commenters said that we should maintain and build on the key attributes of the CSF, including its flexible and voluntary nature,” Pascoe said. “At the same time, a lot of them requested more guidance on implementing the CSF and making sure it could address emerging cybersecurity issues, such as supply chain risks and the widespread threat of ransomware. Because these issues affect lots of organizations, including small businesses, we realized we had to up our game.”

The CSF 2.0 draft reflects a number of major changes, including: 

·  The framework’s scope has expanded — explicitly — from protecting critical infrastructure, such as hospitals and power plants, to providing cybersecurity for all organizations regardless of type or size. This difference is reflected in the CSF’s official title, which has changed to “The Cybersecurity Framework,” its colloquial name, from the more limiting “Framework for Improving Critical Infrastructure Cybersecurity.” 

·  Until now, the CSF has described the main pillars of a successful and holistic cybersecurity program using five main functions: identify, protect, detect, respond and recover. To these, NIST now has added a sixth, the govern function, which covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership. 

·  The draft provides improved and expanded guidance on implementing the CSF, especially for creating profiles, which tailor the CSF for particular situations. The cybersecurity community has requested assistance in using it for specific economic sectors and use cases, where profiles can help. Importantly, the draft now includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, to use the framework effectively.

A major goal of CSF 2.0 is to explain how organizations can leverage other technology frameworks, standards and guidelines, from NIST and elsewhere, to implement the CSF. Bolstering this last effort will be the launch of a CSF 2.0 reference tool, which NIST plans to release in a few weeks. This online resource will allow users to browse, search and export the CSF Core data in human-consumable and machine-readable formats. In the future, this tool will provide “Informative References” to show the relationships between the CSF and other resources to make it easier to use the framework together with other guidance to manage cybersecurity risk.

Pascoe said the development team is encouraging anyone with recommendations about the updated CSF to respond with comments by the Nov. 4 deadline. 

“This is an opportunity for users to weigh in on the draft of CSF 2.0,” she said. “Now is the time to get involved if you’re not already.”