Significant Updates to the NIST Cybersecurity Framework
ISC2 Governance, Risk and Compliance
Achieve objectives, address uncertainty, act with integrity.
The National Institute of Standards and Technology (NIST) was founded at the turn of the 20th century and is now an agency under the U.S. Department of Commerce. As one of the nation's oldest physical science laboratories, NIST is now guided by its mission:
"to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life."
NIST aims to be the world leader in developing critical measurement solutions, stimulating innovation, and improving quality of life. A key initiative for NIST is its Cybersecurity Framework (CSF), designed to support businesses in reducing risk and developing robust security strategies.
What is the NIST Cybersecurity Framework?
First released in 2014 and updated in 2018, the NIST CSF defines guidelines and best practices for managing cybersecurity risk. The framework is a living document, designed to adapt to the ever-changing risk landscape.
The last five years have seen changes in work dynamics, cyber threats, compliance and governance requirements, as well as methods to protect data, networks, and critical infrastructure. As Cherilyn Pascoe, senior technology policy advisor at NIST and Cybersecurity Framework Program Lead, states:
"There have been changes in cybersecurity standards, including those published by NIST but also elsewhere; there's been significant changes in the risk landscape and in technologies. And so even though the vast majority of our respondents said they still like the framework, there were a number of changes that folks are looking for, and so we thought it was time for us to do a refresh."
Following this acknowledgment, NIST wrote the CSF 2.0 Concept Paper, a pre-draft document outlining potential updates to the existing CSF 1.1. The organization opened this paper to outside review, gathering feedback and input to help develop a draft of the revised framework for delivery in the summer of 2023, with the final iteration due by the end of 2024.
Key Updates in CSF 2.0
There are a few notable elements in the CSF 2.0 Concept Paper. They affect organizations across industries that may use the framework as a guideline for their security strategy and implementation.
Risk Management - Supply Chain, Third Party, and More
Supply chain risk was the hot-button issue of 2022, and for good reason. Disruptions to the supply chain caused businesses to struggle or even fail, while consumers went without goods, many of which they truly needed. These issues highlighted a real risk to society: the supply chain is not just a business planning matter. Every person can be affected by fulfillment risk.
Third-party risk is also rising as organizations depend on partners, suppliers, contractors, and consultants. Effectively, any person or organization with access to another business's networks or data can pose a risk. Cloud computing and remote and hybrid work arrangements add further layers to the risk landscape.
CSF 2.0 takes these and other factors affecting organizations, their networks, and their end users into account in its treatment of risk management. The Risk Management Framework will be revised to address modern risk mitigation, with steps to prepare, categorize, implement, assess, and monitor organizational threats.
Cybersecurity Assessment and Measurement
Proposed updates to CSF 2.0 also include guidance for assessing and measuring security goals. In the years since its inception, organizations have used the NIST CSF to design and implement security strategies. A common question, though, is how to assess levels of security maturity and gauge the efficacy of risk improvement measures.
By implementing the framework, all organizations will benefit from a common taxonomy and lexicon under CSF 2.0, enabling them to communicate the outcome of their efforts regardless of their risk management approach. CSF 2.0 will not prescribe a single approach to assessment; instead, it will include real-world examples of how to combine the CSF with risk management strategies to communicate answers and progress.
Broader Scope
The update to NIST's CSF will broaden its scope. When CSF 1.0 was released in 2014, the framework was designed with the needs of critical infrastructure operators in mind. Since then, organizations across all industries have used the CSF as a guideline, prompting the change of its title from Framework for Improving Critical Infrastructure Cybersecurity to simply Cybersecurity Framework.
As stated by NIST in the CSF 2.0 concept paper:
"The scope of CSF 2.0 will cover all organizations across government, industry, and academia, including but not limited to critical infrastructure."
Congress directed NIST to design CSF 2.0 with small business and higher education concerns in mind. The Framework will be laid out for usability by every organization, regardless of size, sector, or type. It will also enable greater international collaboration and engagement, meeting the needs of a globalized world.