In January, the National Institute of Standards and Technology (NIST) released a concept paper as they work to draft the Cybersecurity Framework (CSF or Framework) 2.0, an update to the current 1.1 Framework that was last updated in 2018, as well as associated resources such as websites, mappings, and related guidance. The purpose of the CSF is to provide guidance to organizations to better understand, manage, reduce, and communicate cybersecurity risks.
The following is a summary of the potential significant changes expected to be included in CSF 2.0:
Broadening Use
The updated Framework will change its title and text to indicate that it is intended for use by any organization, in any industry, not just those related to critical infrastructure. The title will become the common name “Cybersecurity Framework,” replacing the previous title of “Framework for Improving Critical Infrastructure Cybersecurity.” Critical infrastructure may still be mentioned in examples; however, categories and subcategories of the Framework that are specific to critical infrastructure will be expanded. CSF 2.0 aims to increase international collaboration and to become a good fit for organizations of any size, including small businesses.
Maintaining Scale and Flexibility
The community that has provided feedback on the Framework made it clear that a crucial benefit of the Framework is its flexibility. As such, NIST plans to maintain the current ease of use, mappings, and level of detail to ensure the CSF remains flexible and scalable for organizations of varying sizes, types, and sectors. The Framework will leverage and connect to, but not replace, other NIST publications and globally recognized standards and guidelines, serving as a common organizing structure for several approaches to cybersecurity. While the CSF will still be available in PDF and Excel formats, it will also be offered through the recently introduced NIST Cybersecurity and Privacy Reference Tool (CPRT), which allows for a more interactive way of working with it.
Expanded Implementation Guidance
NIST is looking to meet the needs of organizations that may benefit from general, high-level guidance as well as those that need much more detailed support. As such, CSF 2.0 will include implementation examples to help clarify the meaning of the subcategories and to suggest how these controls might be implemented, for organizations looking for more detailed references. Related CSF resources, such as CSF Profiles (whose templates have also been updated) and the NIST Cybersecurity Practice Guides (SP 1800 series), could continue to provide further implementation examples and additional guidance for specific sectors, threats, or use cases. NIST is also improving the CSF website in the hope of further highlighting implementation resources, guidance, tools, case studies, and more.
Emphasis on Cybersecurity Governance
While cybersecurity governance is addressed in CSF 1.1 within the “Identify” Function, CSF 2.0 will expand on this topic by adding a new “Govern” Function to the updated Framework. It will present cybersecurity governance as critical to managing and reducing cybersecurity risk, including the determination of priorities and risk tolerances, the assessment of cybersecurity risks and impacts, the establishment of cybersecurity policies and procedures, and the understanding of cybersecurity roles and responsibilities. These activities are critical to identifying, protecting, detecting, responding, and recovering across the organization, as well as to overseeing others who carry out cybersecurity activities on the organization’s behalf, including within its supply chain. Elevating governance activities to a Function should also promote alignment of cybersecurity activities with enterprise risk management and legal requirements.
Importance of Cybersecurity Supply Chain Risk Management (C-SCRM)
Cybersecurity risks in supply chains and third parties are a top risk across organizations and industries. Managing cybersecurity within the supply chain was one of the key additions to CSF 1.1 and will continue to be expanded in CSF 2.0. NIST notes that, with increasing globalization, outsourcing, and expanding use of technology services (such as cloud computing), CSF 2.0 should make clear the importance of organizations identifying, assessing, and managing both first- and third-party risks.
Expand Knowledge of Cybersecurity Measurement and Assessment
The measurement and assessment of cybersecurity risk management programs and strategies remains a crucial area in the use of the CSF. As such, CSF 2.0 will aim to provide additional guidance, examples, and resources to help organizations make better use of the Implementation Tiers, and to explain, using a common vocabulary, how measurement and assessment support that use. This should lead to better understanding and management of risk, along with the associated continuous monitoring and improvement.
It should be noted that NIST is updating the “Performance Measurement Guide for Information Security” (SP 800-55r2). This guidance applies to the measurement of many cybersecurity program activities, but given the interest in measurement associated with CSF 2.0, it may be especially useful for those who leverage the CSF.
The CSF is being updated to align with the changing cybersecurity landscape, in an open manner with input from government, academia, and industry, including through workshops, public review and comment, and other forms of engagement. In the coming months, NIST plans to publish a copy of the draft Cybersecurity Framework 2.0 for a 90-day public review period. NIST’s proposed timeline indicates a draft may be ready by Summer 2023 and a final draft by Winter 2024.
Additional input and comments from the community will be accepted until March 17, 2023, a two-week extension from the original comment deadline. Feedback can be shared by emailing cyberframework@nist.gov.
Reference
https://www.nist.gov/system/files/documents/2023/01/19/CSF_2.0_Concept_Paper_01-18-23.pdf