
To the five key pillars of a successful cybersecurity program, NIST has now added a sixth, the “govern” function, which emphasizes that cybersecurity is a key source of enterprise risk and a concern for senior management.
Credit: N. Hanacek/NIST
The world’s leading cybersecurity guide is getting its first complete makeover since it was launched nearly a decade ago.
After considering more than a year’s worth of community feedback, the National Institute of Standards and Technology (NIST) has released a draft of the Cybersecurity Framework (CSF) 2.0, a new version of the tool first released in 2014 to help organizations understand, reduce and communicate cybersecurity risk. The draft update, which NIST has released for public comment, reflects changes in the cybersecurity landscape and makes it easier for all organizations to apply the CSF.
“With this update, we’re trying to reflect current use of the Cybersecurity Framework and anticipate future use as well,” said NIST’s Cherilyn Pascoe, lead developer of the framework. “The CSF was developed for critical infrastructure such as the banking and energy industries, but it has been useful everywhere from schools and small businesses to local and foreign governments. We want to make sure it’s a tool that’s useful to all sectors, not just those designated as critical.”
NIST is accepting public comments on the draft framework until November 4, 2023. NIST does not plan to publish another draft. A fall workshop will be announced soon, providing another opportunity for the public to provide feedback and comments on the draft. The developers plan to release the final version of CSF 2.0 in early 2024.
The CSF provides high-level guidance, including a common language and systematic methodology, to manage cybersecurity risks across industries and to facilitate communication between technical and non-technical personnel. It includes activities that can be incorporated into cybersecurity programs and tailored to meet the specific needs of an organization. In the decade since it was first published, the CSF has been downloaded more than two million times by users in over 185 countries and has been translated into at least nine languages.
While responses to NIST’s February 2022 request for information on the CSF indicated that the framework remains an effective tool for reducing cybersecurity risk, many respondents also suggested that an update could help users adapt to technological innovation as well as a rapidly evolving threat landscape.
“Many commenters said we should preserve and build on the key features of the CSF, including its flexible and voluntary nature,” Pascoe said. “At the same time, many of them asked for more guidance on implementing the CSF and making sure it can address emerging cybersecurity issues, such as supply chain risks and the pervasive threat of ransomware. Because these issues affect so many organizations, including small businesses, we realized we had to raise our game.”
The CSF 2.0 draft reflects a number of key changes, including:
- The framework’s scope has been expanded explicitly from protecting critical infrastructure, such as hospitals and power plants, to providing cybersecurity for all organizations, regardless of type or size. This change is reflected in the CSF’s official title, which has been changed to the Cybersecurity Framework, its colloquial name, from the more restrictive Framework for Improving Critical Infrastructure Cybersecurity.
- Until now, the CSF has described the key pillars of a successful and complete cybersecurity program using five main functions: identify, protect, detect, respond, and recover. To these, NIST has now added a sixth, the govern function, which covers how an organization can make and carry out its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership.
- The draft provides improved and expanded guidance on implementing the CSF, especially for creating profiles that tailor the CSF to particular situations. The cybersecurity community has asked for help identifying specific economic sectors and use cases where profiles can help. Importantly, the draft now includes implementation examples for each function’s subcategories to help organizations, especially smaller companies, use the framework effectively.
The primary goal of CSF 2.0 is to explain how organizations can use other technology frameworks, standards, and guidelines from NIST and elsewhere to implement the CSF. Reinforcing this latest effort is the launch of the CSF 2.0 Reference Tool. This online resource allows users to browse, search, and export CSF Core data in human-consumable and machine-readable formats. In the future, this tool will provide “Informative References” to show relationships between the CSF and other resources, to make it easier to use the framework in conjunction with other cybersecurity risk management guidelines.
Pascoe said the development team is encouraging anyone with suggestions for the updated CSF to respond with comments by the Nov. 4 deadline.
“This is an opportunity for users to weigh in on the CSF 2.0 draft,” she said. “Now is the time to get involved if you haven’t already.”
Editor’s Note (Aug. 23, 2023): This news has been updated to reflect the fact that the CSF 2.0 Reference Tool, originally listed as an upcoming feature, is now available.