On August 8th, the National Institute of Standards and Technology (NIST) released its latest draft of the NIST CSF 2.0 Framework. The changes NIST has put forward mark a significant step in fortifying cybersecurity practices globally. Building on the success of CSF 1.1, which has been widely acknowledged for its effectiveness in reducing cybersecurity risks since its launch in 2014, NIST aims to address evolving challenges and simplify the framework’s usability for organizations in the face of an ever-changing threat landscape.
NIST acknowledges the continued relevance of CSF 1.1 but recognizes the need for updates to accommodate emerging cybersecurity challenges. Organizations have increasingly voiced their support for maintaining a strong cybersecurity framework, and NIST’s response comes in the form of CSF 2.0. This revised version seeks to strike a balance between the framework’s original goals and objectives while addressing the contemporary and anticipated future challenges of the cybersecurity landscape.
To ensure that CSF 2.0 is robust and aligns with industry best practices, NIST has invited the cybersecurity community to provide feedback on the latest draft revision of the publication. In this draft, NIST has highlighted the following changes:
- Broadening the scope of the framework to encompass all industries and organizations, rather than focusing primarily on critical infrastructure.
- Increasing visibility as to how the CSF relates to other NIST Frameworks and cybersecurity resources.
- Increasing guidance on how organizations can implement CSF.
- Emphasizing the importance of cybersecurity governance with the new Governance security function.
- Within the new Governance security function, improving coverage of supply chain risk management.
- Improving guidance on measuring cybersecurity performance and implementing cybersecurity performance management throughout the organization.
Expanding the CSF Umbrella
Chief among the changes here is the expanded scope of the framework, which now incorporates guidance suited to a wide variety of organizations rather than the narrow focus on critical infrastructure found in CSF 1.1. While the original emphasis on securing U.S. critical infrastructure was an important first step, NIST has responded to feedback by modifying the focus to reflect the already broad international use of the CSF. Many growing businesses around the world have adopted CSF 1.1 as an initial step toward maturing their cybersecurity posture and organizational compliance. This awareness from NIST is good to see, since the expanded scope of CSF 2.0 may further improve the framework’s adoptability.
Relating CSF to Adjacent Frameworks and NIST Publications
The CSF already had loose mappings to other NIST publications; with these changes, NIST is, or will be, tying these various frameworks together more explicitly. Though it isn’t included in the current CSF 2.0 draft, NIST will be releasing an online tool to compare and contrast CSF 2.0 Core controls across various frameworks. At present, NIST has expanded references to tighten the relationship between the CSF 2.0 draft and the NIST Privacy Framework, NICE Workforce Framework for Cybersecurity (SP 800-181), Secure Software Development Framework (SP 800-218), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161r1), Performance Measurement Guide for Information Security (SP 800-55), and more.
Increasing Guidance with Core Enhancements and Implementation Examples
One of the highlights of the draft is the updated CSF Core, which is the foundation of the framework. NIST has incorporated feedback received from discussions around the April draft to refine the Core. However, the publication does not contain Implementation Examples or Informative References of the CSF 2.0 Core, owing to the need for regular updates. NIST has released initial Implementation Examples for public comment separately and is eager to receive feedback on their utility. The agency is also interested in understanding which sources of implementation guidance should be adopted as examples and how frequently these examples should be updated.
In the latest draft, NIST has expanded the scope of the new Governance security function to cover organizational risk, risk management strategies, supply chain risk management, and more. Some of these were already present in CSF 1.1, but they have been relocated to this new function to emphasize the importance and distinctness of Governance. Additionally, NIST offers new guidance on integrating the CSF 2.0 Framework with the NIST Privacy Framework and other NIST risk management strategies.
Further Incorporating Supply Chain Risk Management
While CSF 1.1 did include some guidance on implementing Supply Chain Risk Management, this new draft goes further in incorporating ideas from NIST’s Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations publication (SP 800-161r1). In the race to secure critical infrastructure, and with the prevalence of hardware and software supply chain attacks, supply chain risk management will only continue to increase in relevance.
Measuring Cybersecurity Performance
Cybersecurity performance is kind of our thing here at TDI, considering we have been championing Cybersecurity Performance Management (CPM) since 2018. While NIST has detailed much of its cybersecurity measurement process in NIST SP 800-55, it has included additional information in CSF 2.0 to help clarify how performance measurement plays into the framework. Additionally, NIST further emphasized the importance of continuous improvement by adding a new Improvement category to the Identify security function. This new category focuses on taking the results of performance measurement and continuously iterating on existing performance processes. CnSight aligns with this approach and offers organizations an effective way to automate CPM for increased governance, visibility, and performance.
Enriching Resources through the CPRT
As the CSF 2.0 is refined and finalized, NIST is committed to maintaining updated Implementation Examples and Informative References on the NIST Cybersecurity Framework website, leveraging the NIST Cybersecurity and Privacy Reference Tool (CPRT). The CPRT will be instrumental in providing resource owners and authors with the ability to map their resources to the final CSF 2.0, thereby creating informative references. Organizations interested in this endeavor are encouraged to reach out to NIST for guidance.
NIST’s release of the draft version of Cybersecurity Framework 2.0 marks a significant stride in enhancing cybersecurity defense mechanisms. By soliciting input from the cybersecurity community and refining the CSF Core, NIST aims to equip organizations with an adaptable framework that can effectively counter emerging cyber threats. As CSF 2.0 evolves, the engagement of stakeholders will play a pivotal role in shaping a robust and resilient cybersecurity landscape for years to come.