A Deep Dive into NIST CSF Version 2.0


The National Institute of Standards and Technology (NIST) has recently published a draft of Cybersecurity Framework (CSF) Version 2.0. This draft is the most significant update to the Framework since its initial launch in 2014. The following is a rundown of the new features, along with an explanation of how organisations may benefit from implementing them to strengthen their cybersecurity posture:

Expanded Scope and Improved Guidance:

The CSF 2.0 draft includes both an expanded scope and refined and expanded guidelines on implementing the CSF, particularly regarding creating profiles 1 and 2. This expanded scope and improved guidance can assist organisations in better understanding and managing the cybersecurity risks they face.

Addition of a Sixth Function - Govern:

A significant update expands the Framework from five to six functions by adding a new function called "Govern." This new function's goal is to improve governance over cybersecurity activities, making it possible for organisations to manage their cybersecurity programmes more effectively.

Focus on Small and Medium-Sized Entities:

The CSF was first developed for "critical national infrastructure," but, as directed by Congress, its scope has since been expanded to meet the requirements of both small businesses and institutions of higher education. This change is intended to make the Framework more usable by smaller and medium-sized entities, potentially without the need to overcome any legal obstacles.

Increased Transparency and Engagement:

An early draft of CSF 2.0 was made available to the public to encourage discussion and promote transparency in the process of updating the CSF. This opened the door for stakeholders to provide concrete suggestions for improving the Framework. The draft presents a structured approach to managing cybersecurity risks by covering cybersecurity outcomes across six functions, 21 categories, and 112 subcategories.

Significant Changes Since 2014:

Since its inception in 2014, the Framework has undergone several significant iterations, the most recent of which is the draft of CSF 2.0. These changes are intended to reflect the constantly shifting nature of the cybersecurity landscape while making it simpler for organisations to implement the CSF.

Public Engagement and Future Finalization:

The final version of CSF 2.0 is anticipated to be published in early 2024, and NIST has extended the deadline for public comments on the draft document to November 4, 2023. This engagement with the public is a step towards refining the Framework based on feedback from real-world situations, which will help ensure that it continues to be a useful tool for the management of cybersecurity risks.

By implementing these updates, NIST intends to provide a more robust and user-friendly framework. This framework will cater to a wider range of organisations and will promote better cybersecurity practices and governance. The expanded scope, the addition of the Govern function, and the focus on small and medium-sized entities are particularly noteworthy because they signify an approach to cybersecurity management that is more inclusive and comprehensive.

Andrey Prozorov

CISM, CIPP/E, CDPSE, LA27001 | Advisor and Mentor | I create cybersecurity and privacy toolkits focusing on compliance with ISO 27001 / 27701, NIS2, DORA, and GDPR. In the TOP 150 of worldwide cybersecurity influencers

1 year

Thank you! You can also like my presentation “NIST CSF 2.0: What has changed?” - https://www.dhirubhai.net/posts/andreyprozorov_nist-csf-20-what-has-changed-activity-7170364881873891328-WEy1


More articles by Mervin Pearce (CISSP-ISSAP)
