NIST is preparing a major update to a widely used cybersecurity framework

NIST revised the framework to benefit all industries, not just critical infrastructure.

Aug 10, 2023 - 15:21

The world's leading guide to cyber security is getting its first complete update since it was published nearly a decade ago.

After considering more than a year of community feedback, the National Institute of Standards and Technology (NIST) released the Cybersecurity Framework (CSF) Draft 2.0, a new version of a tool first released in 2014 to help organizations understand, mitigate and communicate cybersecurity risks. The draft update, which NIST released for public comment, reflects changes in the cybersecurity landscape and makes the CSF easier to implement for all organizations.

"With this update, we aim to reflect current use of the cybersecurity framework as well as anticipate future use," said Cherilyn Pascoe, lead developer of the framework at NIST. "CSF was developed for critical infrastructure such as banking and the energy industry, but has proven useful everywhere from schools and small businesses to local and foreign authorities. We want to make sure this is a tool useful for all sectors, not just those identified as critical."

NIST is accepting public comments on the draft until November 4, 2023. NIST does not plan to publish a new draft. A workshop planned for the fall will be announced soon and will be another opportunity for the public to provide feedback and comments on the draft. The developers plan to release the final version of CSF 2.0 in early 2024.

The CSF provides high-level guidance, including a common language and a systematic approach to managing cybersecurity risks across sectors, and promotes communication between technical and non-technical staff. It includes features that can be incorporated into cybersecurity programs and tailored to meet an organization's specific needs. In the ten years since its initial release, the CSF has been downloaded more than two million times by users in more than 185 countries and has been translated into at least nine languages. While responses to NIST's February 2022 request for information on the CSF indicated that the framework remains an effective tool for reducing cybersecurity risk, many respondents also suggested that an update could help users adapt to technological innovation and the rapidly evolving threat landscape.

"Many commentators have said that we should preserve and use the core features of the CSF, including its flexibility and voluntary nature," Pascoe said. "At the same time, many of them asked for more guidance on how to implement the CSF and ensure that it can address emerging cybersecurity issues, such as supply chain risks and the pervasive threat of ransomware. Because these issues affect many organizations, including small businesses, we realized that we need to raise our game."

The CSF 2.0 draft reflects a number of important changes, including:

The scope of the framework has expanded explicitly, from protecting critical infrastructure such as hospitals and power plants to providing cybersecurity for all organizations regardless of type or size. That difference is reflected in the official name of the CSF, which has become simply the "Cybersecurity Framework", in place of the more restrictive "Cybersecurity Improvement Framework for Critical Infrastructure".

To date, the CSF has outlined the main pillars of a successful and comprehensive cybersecurity program using five key functions: Detect, Protect, Identify, Respond and Recover. To these, NIST has now added a sixth, the management function, which covers how an organization makes and carries out its internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of business risk that senior management must weigh alongside legal, financial and other risks.

The draft includes improved and expanded guidance on implementing the CSF, in particular on creating profiles that tailor the CSF to an organization's specific circumstances. The cybersecurity community has asked for help in applying the framework to particular economic sectors and use cases, and profiles can provide it. Importantly, the draft now includes implementation examples for the subcategories of each function to help organizations, especially smaller businesses, use the framework effectively.

A primary goal of CSF 2.0 is to explain how organizations can use other frameworks, standards and guidelines, from NIST and from other sources, to implement the CSF. This effort is supported by the CSF Reference Tool 2.0, which NIST plans to release in a few weeks. This online resource will allow users to browse, search and export core CSF data in human-readable and machine-readable formats. In the future, the tool will provide "information references" that show the relationships between the CSF and other resources, making it easier to use the framework in conjunction with other cybersecurity risk management guidance.

Pascoe said the development team encourages anyone with suggestions for the updated CSF to respond with comments by Nov. 4.

"This gives users a chance to weigh in on the design of CSF 2.0," she said. "Now is the time to get involved if you haven't already."
