The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

NIST Releases Draft Version of Cybersecurity Framework 2.0 for Public Comment

The National Institute of Standards and Technology (NIST) has published a draft of version 2.0 of its widely used Cybersecurity Framework (CSF). This is the first major update to the NIST CSF since version 1.0 was released in 2014.

The NIST CSF helps organizations understand and reduce cybersecurity risk, improve their security posture, and track progress over time, and has been downloaded more than 2 million times. It was originally created to help critical infrastructure entities manage and reduce risk; however, the framework has since been adopted by a much broader range of entities, including small and medium-sized organizations that lack in-house cybersecurity resources. The framework is organized around five core functions: identify, protect, detect, respond, and recover, and provides high-level guidance for managing cybersecurity risk. It uses a common language and a systematic methodology for managing risk, aids communication between technical and non-technical staff, and can be tailored to the needs of individual organizations.

In February 2022, NIST issued a request for information (RFI) on how the framework should be updated, in particular to improve supply chain risk management. More than 130 responses were received, and that feedback has been taken into account in the update. The framework has also been revised to reflect changes in the cybersecurity landscape since its release almost a decade ago and to make it easier for organizations of all types and sizes to put into practice.

The update expands the scope of the framework from protecting critical infrastructure, such as hospitals, to organizations of all types and sizes. NIST has added a sixth function, govern, to help organizations make and carry out the internal decisions that support their cybersecurity strategy, and the update emphasizes that cybersecurity is a major source of enterprise risk alongside legal and financial risk. The updated version also includes guidance on implementing the CSF, such as creating profiles tailored to specific situations, and implementation examples have been added for the subcategories under each function, specifically to help smaller organizations use the framework effectively.


“With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well,” said NIST’s Cherilyn Pascoe, the framework’s lead developer. “The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical.”

The draft of NIST CSF 2.0 has been released for public comment, and comments will be accepted until November 4, 2023. NIST says it has a workshop planned for the fall, the details of which have yet to be announced, which will provide a further opportunity for the public to give feedback on the updated version. NIST does not plan to release any further drafts, and the final version is expected in early 2024.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist in healthcare industry legal and regulatory affairs and has 10 years of experience writing about HIPAA and related legal topics. Steve has developed a deep understanding of the regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve is considered an authority in the healthcare industry on HIPAA, and The HIPAA Journal has become the leading independent authority on HIPAA under his editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or by email at stevealder(at)hipaajournal.com
