NIST Cybersecurity Framework 2.0: An Updated Approach to Cybersecurity Risk Management
The National Institute of Standards and Technology (NIST) is set to release an updated version of its widely used Cybersecurity Framework (CSF 1.1), marking the first complete makeover of the guidance since its initial release nearly a decade ago. With the draft version of CSF 2.0 now available for public comment, organizations across all sectors can look forward to an improved tool that addresses the evolving cybersecurity landscape and provides practical guidance for understanding, reducing, and communicating about cybersecurity risk. This article will identify major changes; you can read the NIST concept paper for all of the details; and check out this video for a pretty good comparison between CSF 1.1 and 2.0.
So what's different about 2.0?
The (new) Sixth Function of the Cybersecurity Framework
The CSF has traditionally described the main pillars of a successful cybersecurity program using five functions: identify, protect, detect, respond, and recover. In CSF 2.0, NIST introduces a sixth function called "govern" to address the internal decision-making processes that support an organization's cybersecurity strategy. The addition of the govern function highlights the fact that cybersecurity is a significant source of enterprise risk and should be considered alongside other risks, such as legal and financial, by senior leadership. This is an excellent addition to the framework, as governance had been tucked away here and there in CSF 1.1, and not really given it's due.
Enhanced Guidance for Implementation and Customization
To guide organizations in applying the CSF effectively, CSF 2.0 delivers enhanced guidance including the creation of implementation examples. These examples are designed to illustrate what is meant by the CSF categories and subcategories, offering tangible insights that are especially beneficial for smaller firms. In addition to implementation examples, CSF 2.0 is set to provide a new optional basic template for creating CSF profiles. Understanding that profiles are an essential tool for aligning the CSF’s Functions, Categories, and Subcategories with an organization's specific mission requirements, risk tolerance, and resources, NIST has recognized the need for additional guidance. While there are existing examples of sector- and threat-specific profiles on the NIST CSF website, the introduction of a standardized template in CSF 2.0 aims to simplify the development process and encourage the creation of more tailored, organization-specific profiles.
Leveraging Technology Frameworks and Standards
The NIST CSF team has always done a great job of enabling contrasting and comparison of the CSF to other frameworks and this will continue with CSF 2.0. Building on the concept of informative references from CSF 1.1, NIST is moving toward the use of online, updatable references in CSF 2.0. Recognizing that some previous references became outdated, the updated approach will feature the Cybersecurity Practice Guides (SP 1800 series), the Online Informative References Program (OLIR) Catalog, and further mappings. This transition will offer a more robust and agile set of resources, including those related to Internet of Things (IoT), operational technology (OT) cybersecurity, zero trust architecture (ZTA), and more.
In collaboration with the community, NIST will encourage the production of additional mappings to dozens of cybersecurity standards, guidelines, and other frameworks. Through this initiative, the CSF can be mapped to more specific resources, allowing for greater detail at the Function, Category, and Subcategory levels. Coupled with the introduction of practical implementation examples, this dynamic online format will simplify the integration process for users and allow for a more nuanced understanding of the relationship between the CSF and other resources.
Furthermore, NIST plans to release a CSF 2.0 reference tool that will permit users to browse, search, and export the CSF Core data in both human-readable and machine-readable formats. By connecting the CSF with a wide array of mapped resources, NIST aims to make it easier for organizations to assimilate the framework with their specific cybersecurity risk management guidelines. A call to action has been issued by NIST for the submission of mappings, encouraging authors and owners of relevant cybersecurity resources to collaborate in developing and releasing mappings to both CSF 1.1 and CSF 2.0. This collaborative effort signifies NIST's commitment to fostering a comprehensive, adaptable, and user-centric framework.
Expanding the Scope: Cybersecurity for All Organizations
One of the major philosophical changes in CSF 2.0 is the expansion of its scope. While the 1.1 focused on protecting critical infrastructure, such as hospitals and power plants, the updated framework emphasizes that cybersecurity is essential for all organizations, regardless of type or size. This change is reflected in the new official title, "The Cybersecurity Framework," which replaces the more limiting "Framework for Improving Critical Infrastructure Cybersecurity." By broadening its applicability, NIST aims to ensure that the CSF becomes a useful tool for organizations in various sectors, from schools and small businesses to local and foreign governments. Most would agree that this change in philosophy simply reflects the reality of how widespread the CSF 1.1 usage and applicability is; however, there has been some pushback in this expansion of scope.
Public Engagement and Feedback
NIST values public input and feedback in the development of CSF 2.0. The draft framework is currently open for public comment until November 4, 2023. Additionally, NIST has organized workshops and working sessions to gather further feedback from stakeholders. These events provide opportunities for participants to discuss potential updates and contribute to the development of the final version of CSF 2.0. Organizations and individuals are encouraged to share their recommendations and insights to ensure that the updated framework meets the needs of a diverse range of users.
Looking Forward
The release of the draft version of NIST's Cybersecurity Framework 2.0 marks a significant milestone in the evolution of cybersecurity risk management. With its expanded scope, inclusion of the govern function, and improved guidance for implementation and customization, CSF 2.0 is poised to become an even more valuable tool for organizations worldwide.
Please note that all dates and information mentioned in this article are based on the reference article and subject to change. For the most up-to-date information, refer to the official NIST publications and announcements.