NIST Announces Cybersecurity Framework 2.0 Is In the Works

Check out Keypoint Intelligence’s Cybersecurity page!

IT professionals and business leaders have relied on the guidance provided by the US Department of Commerce’s National Institute of Standards and Technology (NIST) for all manner of information around best practices—and perhaps no area more so than cybersecurity. In addition to publishing recommendations around IoT device security and risk management, the NIST Framework for Improving Critical Infrastructure Cybersecurity (known as the “Cybersecurity Framework” or CSF) has become essential for any organization crafting a cybersecurity program.

The model aims to communicate best practices when it comes to thwarting attacks and can be used for the implementation of an organization-wide cybersecurity strategy. It also helps ensure consistency of procedures across departments and serves as a touchstone should an attack occur, so personnel have a roadmap for a coordinated response. And now the framework is getting a refresh—the first complete makeover since its release nearly a decade ago.

For CSF 2.0, NIST gathered feedback for more than a year from cybersecurity experts in business and academia. The draft update, which NIST has released for public comment, reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice now and into the future. After the public-comment period ends, CSF 2.0 will enter a “workshop” phase during which a committee formed from industry leaders will synthesize the input and draft the final spec. The developers plan to publish the final version of CSF 2.0 in early 2024.

From what we know so far, the CSF 2.0 draft reflects several major changes, including (in NIST’s words):

• The framework’s scope has expanded explicitly from protecting critical infrastructure, such as hospitals and power plants, to providing cybersecurity for all organizations regardless of type or size.
• CSF 1.0 has described the main pillars of a successful and holistic cybersecurity program using five main functions: identify, protect, detect, respond, and recover. To these, NIST now has added a sixth (the govern function), which covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial, and other risks as considerations for senior leadership.
• The draft provides improved and expanded guidance on implementing the CSF—especially for creating profiles, which tailor the CSF for particular situations. The cybersecurity community has requested assistance in using it for specific economic sectors and use cases, where profiles can help. Importantly, the draft now includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, to use the framework effectively.

So, as it stands, it appears the new framework will have at its core these tenets:

• Identify: Develop an understanding of the cybersecurity risks to systems, people, assets, data, and capabilities that exist.
• Protect: Outline appropriate safeguards to keep IT systems and company information safe without interfering with critical business functions and taking into account the organization’s risk tolerance.
• Detect: Implement products and technologies to identify cybersecurity events in real-time to ensure timely discovery and alerting of any suspected cybersecurity breaches.
• Respond: Since a fast and appropriate response will make all the difference, organizations need to have a response plan in place before an event occurs.
• Recover: Identify appropriate activities to restore any capabilities or services that were impaired due to a cybersecurity incident, then implement any required improvements to systems and processed based on lessons learned from the incident.
• Govern: Encourages stakeholders within an organization to make and execute internal decisions to support the organization’s cybersecurity strategy and recognize that cybersecurity is a major source of enterprise risk—ranking alongside legal, financial, and other risks as considerations for senior leadership.

Reportedly, more emphasis will be placed on how organizations can implement CSF 2.0. To that end NIST has also introduced a CSF 2.0 Reference Tool, an online resource that allows users to browse, search, and export the “CSF Core” data in human-consumable and machine-readable formats. In the future, this tool will provide informative references to show the relationships between the CSF and other resources to make it easier to use the framework together with other guidance to manage cybersecurity risk.

Browse through our Industry Reports Page (latest reports only). Log in to the InfoCenter to view research, reports, and studies on cybersecurity through our CompleteView Advisory Service. If you’re not a subscriber, contact us for more info by clicking here.