The NIST Cybersecurity Framework (CSF) has been adopted by organizations across sectors and geographies since it was first published in 2014. Initially intended as a cybersecurity framework for critical infrastructure organizations in the United States, the CSF has proven to be an invaluable resource for a wide variety of organizations (far beyond critical infrastructure) attempting to design, develop and implement a structured cybersecurity program. It has provided an effective and repeatable process that can be easily adopted by organizations at any level of cybersecurity maturity, and a common language for cybersecurity practitioners to talk about the cyber risk management process.
The CSF got its first update (CSF 1.1) in 2018 and is now undergoing another revision. NIST is set to release the latest version of the CSF – version 2.0 – in 2024.
NIST’s definition of the Cybersecurity Framework (CSF)
“The Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.”
NIST Cybersecurity Framework 2.0
In February 2022, NIST released a Request for Information (RFI) inviting comments to evaluate and improve the Cybersecurity Framework. The Framework needed to be updated based on the changing threat landscape, evolving technologies and new resources made available since 2018. Informed by the responses received from the security community, a concept paper was published in January 2023, followed by a discussion draft in April. On August 8, 2023, NIST released a public draft of the NIST CSF 2.0 that reflects the feedback on the earlier drafts.
NIST has invited further comment on this draft, to be submitted to cyberframework@nist.gov by November 4, 2023. Any changes made to the draft after this will be incorporated and published as the final CSF 2.0 in early 2024.
What’s new in NIST CSF 2.0?
The August 2023 draft of NIST CSF 2.0 addresses and incorporates the feedback received from the community in response to the initial drafts. Many of the suggestions and comments received had common underlying themes such as the need for a widening of scope, aligning cyber risk with overall enterprise risk, clear evaluation metrics and parameters, supply chain risk management processes, and more.
Change in the Official Title
The Framework is already commonly referred to as the Cybersecurity Framework or CSF. In version 2.0, NIST will officially change the title from the original “Framework for Improving Critical Infrastructure Cybersecurity” to “Cybersecurity Framework.”
Change in the Scope
The Framework was initially created with US critical infrastructure organizations as the intended audience. However, given the widespread adoption of the CSF across sectors and internationally (it has been translated into 9 languages), version 2.0 will widen its scope, with changes in wording to reflect this.
In the Audience section of the CSF draft released in August, NIST says, “The Framework is designed to be used by organizations of all sizes and sectors, including industry, government, academia, and non-profit organizations. The Framework’s guidelines… and practices are not country-specific…”
A new Govern Function
Version 2.0 will also include a new Govern Function in addition to the existing five Core Functions – Identify, Protect, Detect, Respond and Recover. This reflects the growing importance of cyber risk to accurately assessing, and more effectively managing, overall enterprise risk.
NIST defines the Govern Function as establishing and monitoring the organization’s cybersecurity risk management strategy, expectations, and policy. The cross-cutting Govern function will help organizations align the other five Core CSF Functions with the broader organizational mission and stakeholder expectations.
Guidance on Implementation
Version 2.0 will see expanded implementation guidance and more context-based examples so organizations of various sizes across different industry sectors have a larger set of specific, targeted examples to draw on for improved execution. Implementation examples will be “maintained separately in an online format on the NIST Cybersecurity Framework website to allow for more frequent updates.”
Emphasis on Supply Chain Risk
As software supply chains become more complex and extensive, security gaps in organizations’ supply chain partners’ environments have emerged as a major source of cyber risk. The cybersecurity community recognizes this as a growing threat, and NIST has responded by adding a separate Supply Chain category under the new Govern Function in the CSF.
The ten subcategories under the main Supply Chain Category outline the steps to identify, establish, implement, monitor, and improve the Supply Chain Risk Management (SCRM) process. Organizations can use the process described in the Framework to ensure that supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and that their “performance is monitored throughout the technology product and service life cycle.”
Measurement and Assessment
The responses to the original RFI released by NIST in 2022 reflected the need for enhanced guidance on measurement and assessment. The CSF does not prescribe specific standards or practices to meet cyber risk management outcomes but gives organizations the flexibility to assess their outcomes in ways that are relevant to their specific context. “An organization may choose to conduct an assessment and document the results by comparing the Current and Target Profiles they have created (Section 3).”
CSF 2.0 also includes a new “Improvement” Category under the “Identify” function. Organizations can use the process outlined here to identify improvements in their cybersecurity risk management (based on the CSF) and evaluate the efficacy of the program.
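The assessment approach described above (comparing a Current Profile against a Target Profile and feeding the gaps into the Improvement process) can be made concrete with a small gap-analysis script. This is an added illustration, not NIST tooling; the outcome identifiers, the 0–4 maturity scores and both profiles are constructed sample data in the CSF's Function.Category-NN style, and the Function codes GV/ID/PR/DE/RS/RC are the six CSF 2.0 Functions.

```python
"""Gap analysis between a CSF Current Profile and a Target Profile.

Added example, not NIST's own tooling. Outcome identifiers, scores and
profiles below are constructed sample data, not taken from the CSF 2.0 draft.
"""
from dataclasses import dataclass

# The six CSF 2.0 Functions, including the new cross-cutting Govern Function.
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Constructed sample profiles: outcome id -> maturity score on a 0-4 scale
# (0 = not yet assessed, 4 = fully adaptive). Scale chosen for illustration.
CURRENT_PROFILE = {"GV.SC-01": 1, "GV.SC-02": 2, "ID.IM-01": 1, "PR.AA-01": 3,
                   "DE.CM-01": 2, "RS.MA-01": 2, "RC.RP-01": 3}
TARGET_PROFILE = {"GV.SC-01": 3, "GV.SC-02": 3, "GV.SC-03": 2, "ID.IM-01": 3,
                  "PR.AA-01": 3, "DE.CM-01": 3, "RS.MA-01": 2, "RC.RP-01": 3}


@dataclass(frozen=True)
class Gap:
    outcome: str
    function: str
    current: int
    target: int

    @property
    def delta(self) -> int:
        return self.target - self.current


def function_of(outcome_id: str) -> str:
    """Map an outcome id such as 'GV.SC-01' to its Function name via the prefix."""
    return FUNCTIONS[outcome_id.split(".")[0]]


def gap_analysis(current: dict, target: dict) -> list:
    """Return outcomes whose current score falls short of the target, largest gap first.

    An outcome present in the Target Profile but missing from the Current Profile
    is scored 0 (not yet assessed) so it surfaces as a gap instead of being ignored.
    """
    gaps = [Gap(o, function_of(o), current.get(o, 0), want)
            for o, want in target.items() if current.get(o, 0) < want]
    return sorted(gaps, key=lambda g: (-g.delta, g.outcome))


def gap_by_function(gaps: list) -> dict:
    """Total score shortfall per Function, showing where improvement effort concentrates."""
    totals = {name: 0 for name in FUNCTIONS.values()}
    for g in gaps:
        totals[g.function] += g.delta
    return totals


def coverage(current: dict, target: dict) -> float:
    """Fraction of Target Profile outcomes already met: a simple assessment metric."""
    met = sum(1 for o, want in target.items() if current.get(o, 0) >= want)
    return met / len(target)
```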
Learn more about NIST CSF 2.0
To learn more about what’s new in the NIST CSF 2.0, review the Initial Public Draft (August 2023) here.
CSF 2.0 Workshop Video Recordings can be accessed here:
NIST Cybersecurity Framework (CSF) 2.0 | Workshop #1
NIST Cybersecurity Framework (CSF) 2.0 | Workshop #2
Read NIST CSF 2.0 Concept Paper responses here – Community Response