A Review of NIST’s Draft Cybersecurity Framework 2.0

Like the original CSF, CSF 2.0 is a voluntary framework that offers high-level guidance for managing cyber risk and leaves to individual organizations the hard work of cobbling together an effective cybersecurity program from the alphabet soup of often-complex frameworks, standards, and guidelines referenced in the updated framework’s expanded “implementation guidance.” (These include NIST SP 800-53, SP 800-218, and SP 800-161r1, to name just a few.) Unfortunately, the framework’s high-level guidance is too general to be implemented, and its “implementation guidance” is too technical to be of practical use to most organizations absent expert help. (In this regard, it is worth noting that although the CSF originally was designed for critical infrastructure, as a practical matter it has been widely adopted, and CSF 2.0 is explicitly designed to be used by organizations of all sizes and sectors.)

CSF 2.0 is thus unlikely to solve the pressing cybersecurity problems facing U.S. schools, hospitals, and the many other “target rich, resource poor” organizations that find themselves on the front lines of the cyber fight.

NIST’s CSF 2.0 draft leaves these organizations largely responsible for their own cybersecurity, even in the face of significant cyber threats from the nation’s most capable cyber adversaries (that is, China, Russia, North Korea, Iran, and organized crime syndicates). Last year, for example, educational institutions suffered nearly $9.45 billion in downtime alone due to ransomware, yet few such institutions have the requisite knowledge, resources, and budget to use the NIST framework to develop a cybersecurity program capable of staving off sophisticated ransomware syndicates. The administration’s newly launched effort to shore up the cybersecurity of K-12 schools implicitly recognizes this reality. While it nods to the NIST framework, it seeks, among other things, to leverage expertise and investment from Amazon Web Services, Google, Cloudflare, and other large educational technology providers and vendors to protect schools. Generating effective cyber resilience in the face of proliferating cyber threats will require more such concerted efforts to leverage expertise and investment for the benefit of vulnerable organizations.

Teplinsky concludes:

To be sure, NIST’s CSF 2.0 draft represents an improvement over the current NIST cybersecurity framework, but it is unlikely to fundamentally improve the United States’ cybersecurity posture. Like the CSF, CSF 2.0 is voluntary for the private sector, technology and vendor neutral, and offers high-level guidance for managing cyber risk. But much more is necessary to generate effective cybersecurity against the nation’s most capable adversaries. Advanced technologies, expertise, and investment must be properly leveraged to secure our digital future.

For example, NIST’s draft makes no mention of AI, save for a passing reference to NIST’s AI Risk Management Framework, yet the nation’s adversaries already are exploiting machine learning (e.g., to automatically generate new malware variants capable of evading defenses) and exploring ways to use generative AI to further their purposes. Meeting the cyber threat will require, among other things, an exploration of the role of AI in cybersecurity, including via “human-machine collaboration,” which has the potential to support cyber resilience at scale in the face of sophisticated adversaries by automating security functions, accelerating decision-making, and supporting advanced security functions such as threat hunting.

CSF has long served as a starting point for a broad spectrum of organizations looking to begin, or continue, their journey of implementing a risk-based approach to cybersecurity, but if the overall cybersecurity posture of these organizations is any indication, we can, and must, do better.