The National Institute of Standards and Technology (NIST) has drafted a significant update to its Cybersecurity Framework (CSF), a tool that has been foundational in guiding organizations on cybersecurity risk since its inception in 2014. This revision addresses the evolving cybersecurity landscape and makes the framework more accessible to a broader range of organizations.
The big picture
The CSF, which has been downloaded over two million times and translated into at least nine languages, is undergoing its first complete overhaul in nearly a decade. This comes after NIST gathered community feedback for over a year, indicating the need for an update to keep pace with technological advancements and the ever-changing threat environment.
What they're saying
Cherilyn Pascoe, the framework's lead developer at NIST, said, "With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well. The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments."
Many commenters from the cybersecurity community have emphasized the CSF's flexible and voluntary nature as its strength. They've also expressed the need for more guidance on implementing the CSF and addressing emerging cybersecurity issues, such as supply chain risks and the threat of ransomware.
Details from the source
- The updated CSF 2.0 draft reflects a shift in focus from solely protecting critical infrastructure to providing cybersecurity guidance for all organizations, irrespective of their size or type.
- A new "govern" function has been introduced, emphasizing that cybersecurity is a paramount source of enterprise risk and should be a top consideration for senior leadership.
- The draft offers enhanced guidance on implementing the CSF, especially for creating profiles tailored to specific sectors and use cases. It also provides implementation examples for each function's subcategories, catering especially to smaller firms.
- An upcoming CSF 2.0 reference tool will allow users to browse, search, and export CSF Core data in both human and machine-readable formats. This tool will also highlight the relationships between the CSF and other resources, facilitating the combined use of multiple guidelines to manage cybersecurity risk.
Related: HIPAA Compliant Email: The Definitive Guide
Between the lines
The CSF's evolution underscores the importance of adaptability in cybersecurity. As threats become more sophisticated and pervasive, tools like the CSF must evolve to provide organizations with the guidance they need to protect their assets and data. This update signifies NIST's commitment to ensuring that the CSF remains a relevant and effective tool in the face of modern challenges.
What's next
NIST is welcoming public feedback on the draft framework until November 4, 2023. Following this, a workshop will be held in the fall to gather further insights. The final version of CSF 2.0 is slated for release in early 2024.
By the numbers
- Over 2 million: The number of times the CSF has been downloaded since its first publication.
- 185 countries: The global reach of the CSF, with users spanning these nations.
- 9 languages: The CSF has been translated into at least this many languages, emphasizing its global impact and relevance.
Dean Levitt
